Setting the MTU

I've been getting odd problems with a VPN between two 837 routers and it's been suggested this is due to fragmentation and that I should decrease the MTU for the tunnel to 1360.

Can anyone tell me how to modify the config to do this? I believe it's the "ip tcp adjust" and "ip tcp adjust-mss" but I don't know how and where to use them. The examples I've found on the web all look much more complicated than my config.

Thanks,

John Rennie

---------

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096
enable secret
!
username admin password
no aaa new-model
ip subnet-zero
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!ip audit notify log
!ip audit po max-events 100
!no ftp-server write-enable
!
! PPTP dialins
! ============
!
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 exit
exit
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool default
 ppp encrypt mppe auto
 ppp authentication ms-chap
!
ip local pool default 192.168.128.224 192.168.128.239
!
! VPNs
! ====
!
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 group 1
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
! Connection to head office
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set tr-des-sha
 match address 120
crypto isakmp key address 111.111.111.111
!
no access-list 120
access-list 120 remark Site to Site VPN to head office
access-list 120 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 120 deny ip 192.168.128.0 0.0.0.255 any
!
! Connection to branch office
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set tr-des-sha
 match address 121
crypto isakmp key address 222.222.222.222
!
no access-list 121
access-list 121 remark Site to Site VPN to branch office
access-list 121 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 121 deny ip 192.168.128.0 0.0.0.255 any
!
! Use a policy map to prevent NAT through the VPN by routing the VPN
! traffic through the loopback adapter
!
route-map nonat permit 10
 match ip address 129
 set ip next-hop 1.1.1.2
!
no access-list 129
access-list 129 remark Route VPN traffic through the loopback adapter
access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 129 permit ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
!
! Interfaces
! ==========
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.128.254 255.255.255.0
 ip nat inside
 ip route-cache policy
 ip policy route-map nonat
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password
 ppp pap sent-username password
 crypto map cm-cryptomap
 no ip route-cache
 no ip mroute-cache
 hold-queue 224 in
!
! NAT
! ===
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static 192.168.128.1 333.333.333.18
ip nat inside source static 192.168.128.16 333.333.333.19
ip nat inside source static 192.168.128.128 333.333.333.22
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
! Access lists
! ============
!
no access-list 23
access-list 23 remark Allowed to manage the router
access-list 23 permit 192.168.128.0 0.0.0.255
!
no access-list 102
access-list 102 remark Addresses to NAT behind router
access-list 102 deny ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 102 deny ip 192.168.128.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 102 permit ip 192.168.128.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
no access-list 111
access-list 111 remark Incoming access from the Internet
! ping
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
! VPN
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
! Servers
access-list 111 permit tcp any host 333.333.333.18 eq 21
access-list 111 permit tcp any host 333.333.333.18 eq 25
access-list 111 permit tcp any host 333.333.333.18 eq 53
access-list 111 permit udp any host 333.333.333.18 eq 53
access-list 111 permit tcp any host 333.333.333.18 eq 80
access-list 111 permit tcp any host 333.333.333.18 eq 110
access-list 111 permit tcp any host 333.333.333.18 eq 443
! Allow file sharing access
access-list 111 permit udp any host 333.333.333.19 eq 6257
access-list 111 permit tcp any host 333.333.333.19 eq 6699
access-list 111 permit tcp any host 333.333.333.19 eq 5042
access-list 111 permit udp any host 333.333.333.19 eq 5042
access-list 111 permit tcp any host 333.333.333.19 eq 6346
! Allow incoming NTP
access-list 111 permit udp any any eq 123
! Allow VPN traffic
access-list 111 permit ip 172.31.255.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 111 permit ip 192.168.129.0 0.0.0.255 192.168.128.0 0.0.0.255
! Deny the rest
access-list 111 deny ip any any log
!
dialer-list 1 protocol ip permit
!
! SNMP
! ====
snmp-server community public ro
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
banner motd |
Rattus Hacking Software

You require authorisation to connect to this device. If you are not authorised to connect to this device please disconnect now.

|
!
end

Reply to
John Rennie

Enjoy it... ;-)

formatting link
Keep in mind that the TCP MSS fix will only apply to TCP traffic, so if you're having issues with non-TCP services then that won't make it.

The "clear-DF-bit" fix presented on the above doc will affect all IP traffic, though.

I work daily with VPNs and I've seen these work, so go ahead and try them. Be aware that this is a workaround and that the correct way of solving this would be getting your service providers to allow PMTUD over their networks (IIRC, usual reason for this not working was incorrect blocking of certain ICMP types). But since that is usually a herculean task... many end up applying these fixes, which do degrade performance (although degradation may not be significant, depending on the situation).

HTH,

James

Reply to
James Schnack

You configure the MTU size on the tunnel interface, using the ip mtu command. This restricts the size of the packets which can be encapsulated by the tunneling protocol so that you can ensure that the size of the encapsulated packet does not exceed the mtu size of the transmission media.

This causes the following effects if the router receives a packet destined for the tunnel which has an mtu size which is too large: if the DF flag is not set the router fragments the packets & sends them on their way; if the DF flag is set then the packet is discarded and an ICMP type 3 (host unreachable), code 4 (fragmentation required) packet is sent to the source host, which should then drop the mtu size of the packets it is sending to that destination.

The problem is that many NOS's (Windows, Tru 64, etc.) do not implement this correctly & so Cisco developed a "fix", which hacked the tcp segment size negotiation between hosts, addressing the mtu issue at layer 4. This is implemented with the ip tcp adjust-mss command, which is applied to any router interface which will receive a packet to be forwarded onto the tunnel (configuring this on the tunnel interface does not work as the packets are encapsulated by the tunneling protocol).

Obviously the segment size is lower than the mtu size by the amount of space the IP header takes up. For example, for L2TP the mtu size is 1460, the equivalent segment size is 1420 bytes, which will result in an L2TP encapsulated packet of 1500 bytes, which is the mtu size for a standard Ethernet frame.

BL

Reply to
Buzz Lightbeer
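A worked calculation added here (not code from any of the posters) that carries the MTU/MSS arithmetic above through to the ESP tunnel-mode encapsulation used by the tr-des-sha transform set in John's config, and generalises it to the other transform sets in that config. It assumes an outer link MTU of 1500 on the dialer and the ESP field sizes from RFC 4303; the function names are my own.

```python
# Added example: how much ESP tunnel mode adds to a packet, what inner
# MTU still fits a 1500-byte link, and the TCP MSS that matches it.
# Assumptions: outer MTU 1500 (PPP on the dialer, no PPPoE), no IP or
# TCP options, 96-bit truncated HMAC ICV as in esp-sha-hmac/esp-md5-hmac.

IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV_96 = 12          # HMAC-SHA1-96 / HMAC-MD5-96

# cipher -> (IV length, block size the payload+trailer is padded to).
# esp-null has no IV; the trailer is still 4-byte aligned.
CIPHERS = {
    "esp-null": (0, 4),
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
}


def esp_tunnel_size(inner_len: int, cipher: str) -> int:
    """Outer packet size after ESP tunnel-mode encapsulation of an
    inner IP packet of inner_len bytes with the given cipher."""
    iv_len, block = CIPHERS[cipher]
    # Payload + padding + trailer is rounded up to a block multiple.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return IP_HDR + ESP_HDR + iv_len + padded + ICV_96


def max_inner_mtu(outer_mtu: int, cipher: str) -> int:
    """Largest inner packet that fits outer_mtu without fragmenting."""
    inner = outer_mtu
    while esp_tunnel_size(inner, cipher) > outer_mtu:
        inner -= 1
    return inner


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS whose full-size segment is exactly mtu bytes
    (the 1460 -> 1420 relationship in the reply above)."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for name in CIPHERS:
        print(name, "max inner MTU on a 1500 link:", max_inner_mtu(1500, name))
    # The 1360 MTU suggested to John, with the esp-des esp-sha-hmac set.
    print("1360-byte inner packet on the wire:", esp_tunnel_size(1360, "esp-des"))
    print("matching ip tcp adjust-mss value:", mss_for_mtu(1360))
```

The 1360 figure leaves headroom: with esp-des and SHA a 1360-byte inner packet goes out as 1416 bytes, and anything up to 1446 bytes would still fit a 1500-byte link.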

Great, thanks :-)

Just so I'm sure, is this the correct change to my config? I already have a routing policy to stop traffic through the VPN being NATed, so presumably I can just add the "set ip df 0" line to this policy.

----8

formatting link

Reply to
John Rennie
