Cisco Support Community

New Member

VTI Tunnels+IPSec, MSS Adjust, & WAAS

I just finished reading "Understanding Cisco WAAS Interaction with TCP Maximum Segment Size (MSS)" and still had a few questions about setting:

ip mtu <value>

tfo tcp original-mss <value>

tfo tcp optimized-mss <value>

All WAN traffic must be encrypted for our company. We use VTI tunnels with IPSec to do this in a Hub & Spoke topology.

The WAN is Metro-E in many locations and supports an MTU of 1500.

VTI Tunnels = 24~32 bytes (depending on options set, checksum, etc.)

IPSec = 56~58 bytes

Leaving 1420~1410 bytes for the MTU

We must then set the MSS adjust on the Ethernet interface of the router to an MSS that accounts for the TCP & IP headers.

TCP Header = 20 bytes

IP Header = 20 bytes

Leaving 1380~1370 bytes for the MSS Adjust

Even when we set our MSS Adjust this low we still see a message in captures that states the traffic exceeded the MTU by 57 bytes. We are assuming the router is accounting for the IPSec. So we have pushed the MSS Adjust down an additional 57 bytes to 1323~1313.

So how does this affect WAAS? Should I set the Original & Optimized MSS to 1323~1313, or let it receive this from the router's Ethernet LAN interface? Also, should I push the MTU size down to meet these values, or leave it alone and once again rely on the router to advertise the TCP segment size to the WAAS?

There are a few lines in the document that make me believe the WAAS will reset this MSS value to 1432, ignoring what the router advertises. I'm questioning the wording of, "If WCCP is enabled, change the MSS value to the lesser of the client advertised MSS and 1432".

We are using WCCP and egress-method negotiated-return intercept-method wccp.  The WAAS is in the user subnet and the router is on an interconnect subnet to the core switch.

Cisco Employee

Re: VTI Tunnels+IPSec, MSS Adjust, & WAAS

Hi Ryan,

The statement "If WCCP is enabled, change the MSS value to the lesser of the client advertised MSS and 1432" means that WAAS will use the lesser of 1432 and what the MSS is set to in the SYN packet (received by WAAS). The use of the word "client" in your case is misleading, since there is a transit device, the router, that is adjusting the MSS value between the client and WAAS device.

Assuming the MSS adjustment happens prior to the traffic being redirected to WAAS, it's safe to leave the optimized/original MSS at their default values.

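The header budget worked out in the question and the "lesser of the client advertised MSS and 1432" rule from the reply, as an added Python model (not code from Cisco or from either poster): it computes the MSS that fits the MTU, walks a TCP SYN's option list to read and clamp the MSS option the way a router's MSS adjust does, and then applies the WAAS rule to what the router passes on. The sample SYN and the worst-case 32-byte VTI and 58-byte IPsec overheads are constructed from the ranges given in the question.

```python
import struct

MTU = 1500             # Metro-E MTU from the question
IP_HDR, TCP_HDR = 20, 20
WAAS_WCCP_CAP = 1432   # "the lesser of the client advertised MSS and 1432"

def mss_budget(mtu=MTU, tunnel=32, ipsec=58):
    """Largest MSS that fits the MTU after VTI (24~32), IPsec (56~58), IP and TCP headers."""
    return mtu - tunnel - ipsec - IP_HDR - TCP_HDR

def _mss_value_offset(tcp_hdr):
    """Walk the TCP option list; return the offset of the 16-bit MSS value, or None."""
    end = (tcp_hdr[12] >> 4) * 4          # data offset (32-bit words) -> header length
    i = 20
    while i < end:
        kind = tcp_hdr[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP padding, single byte
            i += 1
        elif kind == 2 and tcp_hdr[i + 1] == 4:  # MSS option: kind 2, length 4
            return i + 2
        else:
            i += tcp_hdr[i + 1]           # skip any other TLV option
    return None

def advertised_mss(tcp_hdr):
    off = _mss_value_offset(tcp_hdr)
    return None if off is None else struct.unpack_from("!H", tcp_hdr, off)[0]

def adjust_mss(tcp_hdr, ceiling):
    """Model of a router's MSS adjust: lower the MSS option on a SYN if it exceeds ceiling.
    A real device also recomputes the TCP checksum; that step is omitted here."""
    if not tcp_hdr[13] & 0x02:            # MSS is only carried on SYN / SYN-ACK
        return tcp_hdr
    off = _mss_value_offset(tcp_hdr)
    if off is None or struct.unpack_from("!H", tcp_hdr, off)[0] <= ceiling:
        return tcp_hdr
    buf = bytearray(tcp_hdr)
    struct.pack_into("!H", buf, off, ceiling)
    return bytes(buf)

def waas_effective_mss(received_mss):
    """WAAS rule quoted in the reply: min(MSS seen in the redirected SYN, 1432)."""
    return min(received_mss, WAAS_WCCP_CAP)

def build_syn(mss):
    """Constructed sample SYN: ports 51000->80, 24-byte header (data offset 6), MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)
```

With the worst-case overheads the budget is 1370, so a SYN advertising 1460 leaves the router at 1370 and WAAS keeps that value rather than raising it to 1432.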
New Member

Re: VTI Tunnels+IPSec, MSS Adjust, & WAAS

This post is very interesting, and I have some questions.

My setup is:

client - switch - waas (inline) - branch router - wan - router (wccp redirect, gre) - server

The branch router is adjusting the MSS to match the lower MTU in the WAN.

What I see from Wireshark traces is that the SYN packet from the client arrives at the server with the adjusted MSS, but the SYN-ACK from the client has the original MSS. So when the client starts transferring data, it starts sending data with the maximum segment size, so fragmentation has to be done. My question is, is there any setting in WAAS to modify the MSS? Or does WAAS do any "magic" here? I have tried to adjust the original and/or optimized side parameters in the WAAS config, but there is no change in behavior.

I can't actually find any good Cisco documentation explaining (IN DETAIL) the MSS and buffering.

WAAS software: 4.4.5b.2

Regards, Steinar.