1. Home
  2. Cisco Systems
  3. MTU oddities...

MTU oddities...

Hi,

Hi, I have a cisco 1721 (and a 877 also for that matters) running 12.4 connected to a PPPoE ADSL line with a WIC-ADSL. As per documentation recommendation I have:

interface FastEthernet0 ip tcp adjust-mss 1452 ... interface Dialer0 ip mtu 1492 ...

The router has a firewall IOS image, and is running cef, ips, qos and nat/pat.

Eerything worked like a charm until I configured a site-to-site VPN with another router. Pings and small packets were exchanged correctly, but not large packets. This sounded like PMTUD or at least MTU problems, so I did a deep enquiry of the issue and found the following issue:

I'm issueing commands on a linux box attached to a switch on the FastEthernet of the 1721. I'm pinging the first hop after my router (certainly a router or DSLAM at our ISP), with DF bit set, so that I could get icmp unreachable with the proper MTU. This is without the Ipsec Tunnel activated.

Test 1, result OK: DF=1, ping size=1200: ================================

ping -c 3 -M do -s 1200

100% of reply received

Test 2, result OK: DF=1, size=1800 ============================

ping -c 3 -M do -s 1800 icmp_seq=1 Frag needed and DF set (mtu = 1500) This is the required behavior, except that the advertised MTU is 1500 instead of the configured 1492 on the Dialer Interface.

Test 3, NOK: DF=1, s=1465 to 1473 ============================ ping -c 3 -M do -s 1465

100% packet loss: no answer at all

The packet size is 1 byte greater than the MTU of my Dialer Interface. This should produce the same as the s=1800 test, right ? In fact, my test have shown that packet size in the range 1492-1499 (ping size 1465-1473) can't be sent at all...

Can someone explain me what is wrong there ? Or at least pointers to debug commands that could help me?

Full configuration available if necessary...

Many thanks, Brice

Reply to
brice.figureau
Loading thread data ...

Thanks for the very nice problem description and data. Perfect.

Here is a bit of a guess.

The small packets pass OK - follow so far:-)

The big ones are correctly being rejected by /your PC/ and you are being informed.

The middle ones being rejected by the router but it is not telling you.

I presume that you do not have "no ip unreachable" configured on the internal interface? ' cos that would do it.

Maybe you have an access-list blocking them?

Run tcpdump/ethereal on the linux box and see who exactly is sending the unreachables. I don't know if when you send unreachables to yourself if the capture tool will see them. On Windows with Ethereal it doesn't see either the outbound or the inbound from itself.

It is possible on the cisco to see the packets but it is a bit of a palaver.

deb ip packet [det]

BUT

you need to turn off fast switching first.

int x no ip route-cache

int y ..... same....

then you need to send the debug output where you want.

logg buffered deb ! RAM buffer logg buff 50000

logg monitor deb ! telnet session logg console deb ! serial console - risk of high CPU

THEN

to get the telnet one to work you need to issue

terminal monitor ! term no mon - not no term mon?

Finally, you get to see a brief description of the packets.

You can also add an access-list to it deb ip pac 100

Also access-lists can be used for tracking packets.

ip access-l ........ log

or even just sh ip access-l ! display a count of matches.

Post the config if you like.

Reply to
Bod43

OK, I guess you found the culprit (didn't test it yet), I have indeed "no ip unreachables" on FastEthernet0... It seems it is a default config of SDM when you run a security audit...

In fact I didn't even think my _pc_ was sending me the icmp message, I was under the impression the router did. But in fact you are totally right, and that further explain why it says MTU=1500 in the icmp message since my pc is connected to Ethernet...

Oh well, I should have tried harder ;-)

Many thanks for the debug info. I tried earlier debug ip packet, but nothing was printed. I think this is because I was running cef.

Regards,

-- Brice

Reply to
Brice Figureau

You need to do all of the steps above to get debug output.

ip cef ! is OK ot global config level

but on each interface you need

no ip route-cache

You may need

ip route-cache cef

to get back where you started.

If you are not getting debugging output post the steps you have taken and the first page of a sh log. State where you are looking for the output. It does work.

Reply to
Bod43

Remember to turn "ip route-cache" back on after you have gotten this to work. That statement makes all packets process switched (which is necessary to see packets with "debug ip packet") and can put a real hurt'n on your throughput.

Scott

Reply to
Thrill5

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.