Any packet that contains an initial TCP header flowing through your router will be examined against the MSS. The MSS in the header will be lowered to this amount if the setting is lower than what is in the header. If the header value is already lower, it will flow through unmodified. The end hosts will use the lower setting of the two hosts. If this needs to be tweaked, you would set it 40 bytes lower than the minimum path MTU. So to account for things like PPPoE (1492 byte MTU), I often set the following: "ip tcp adjust-mss 1452".
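The SYN rewrite described in the post above, sketched in Python. This is an added example, not part of the original post and not Cisco's implementation; the addresses, ports and function names are constructed for illustration.

```python
import struct

PPPOE_MSS = 1492 - 20 - 20  # PPPoE MTU minus IP and TCP headers = 1452

def checksum(data):
    """16-bit one's-complement Internet checksum."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_syn(src, dst, mss, flags=0x02):
    """Constructed sample: 24-byte TCP header whose only option is MSS."""
    seg = struct.pack("!HHIIBBHHHBBH", 49152, 443, 1000, 0, 0x60, flags,
                      65535, 0, 0, 2, 4, mss)
    ph = src + dst + struct.pack("!BBH", 0, 6, len(seg))  # IPv4 pseudo-header
    return seg[:16] + struct.pack("!H", checksum(ph + seg)) + seg[18:]

def csum_update(csum, old16, new16):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    s = (~csum & 0xFFFF) + (~old16 & 0xFFFF) + new16
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def clamp_mss(tcp, limit):
    """Lower a SYN's MSS option to `limit`; return (segment, old, new)."""
    if len(tcp) < 20 or not tcp[13] & 0x02 or (tcp[12] >> 4) * 4 > len(tcp):
        return tcp, None, None            # MSS only appears on SYN / SYN-ACK
    seg, hlen, i = bytearray(tcp), (tcp[12] >> 4) * 4, 20
    while i + 1 < hlen and tcp[i] != 0:   # option kind 0 ends the list
        if tcp[i] == 1:                   # kind 1 is a one-byte NOP
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hlen:
            break                         # malformed option: leave it alone
        if tcp[i] == 2 and length == 4:   # kind 2 is MSS
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                return tcp, old, old      # already lower: passes unmodified
            struct.pack_into("!H", seg, i + 2, limit)
            csum = struct.unpack_from("!H", tcp, 16)[0]
            for off in range((i + 2) & ~1, i + 4, 2):  # aligned words touched
                csum = csum_update(csum, *struct.unpack_from("!H", tcp, off),
                                   *struct.unpack_from("!H", seg, off))
            struct.pack_into("!H", seg, 16, csum)
            return bytes(seg), old, limit
        i += length
    return tcp, None, None
```

The checksum is patched incrementally because the rewritten option is covered by the TCP checksum; a clamp that skipped this step would produce SYNs the receiver drops.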
As far as I know,
the main difference between "IP MTU xxx" and "IP TCP Adjust-mss xxx" is:
IP MTU = Adjust the MTU based on the egress interface for packet sending.
IP TCP Adjust-Mss = Adjust the MTU based on the egress interface for packet sending and returning.
So if you have an application that is too keen on MTU sizes, you should use "ip tcp adjust-mss xxx" on the egress interface to handle both ways.
Hey guys, thank you very much for the replies. I did some testing again on the real devices. Like Paul said, the router modifies the MSS in the TCP packets to the configured value (only if it is larger than the configured value).
Mert, actually it affects both directions... I know that MTU only affects the packets sent out of the configured interface; however, MSS affects packets in and out on the interface.
Hi, fellows, Paul Stewart - CCIE Security, CCSI:
Your post is excellent, I got it! But if this command isn't used for TCP and fragmentation occurs, what's the bad influence?
Thank you!
MSS is communicated in the first TCP SYN, if I remember correctly.
MTU is a different equation in itself and also dependent upon Path MTU Discovery, which you have to explicitly allow in your ACLs.
Can you please help me with proper MTU /MSS setup for the following situation:
1. One router (Cisco 851) connected to the ISP through PPPoE. One host behind it.
2. Bandwidth 50 Mbps - tested with a laptop (the host) directly connected to the ISP and using their dedicated bandwidth testing link. Tested in both directions: I really get 50Mbps link for upload and download.
As soon as I put the router in place, the download link is between 20-30 Mbps (acceptable because of the zone firewall effort) but the upload drops to 3-4Mbps.
If I increase the MSS from 1412 to 1452 the router increases the download speed from 20 to 30 but upload is constantly very bad!
If I declare (as a test!) MSS>1452 then I can no longer reach learningnetwork.cisco.com. But I can access other sites.
Using the above tests I figured out that I need to master the MSS!
Problem 1: how do I calculate the correct MTU and MSS? From my empirical test I see that MSS impacts maximum download speed (and the reachability of certain servers).
Problem 2: where should I apply these MSS?
I have to say that my provider uses different MTUs per its segment.
I used mturoute.exe to discover ISP MTU and I can say that MTU varies from 1480 (lowest) to 1492 (maximum discovered).
Between me and the speed test server all MTUs are 1492, so let's assume that my ISP uses MTU=1492 all over its equipment.
I did this calculation to get the MSS:
1. ETH MTU = 1500 (standard for my Cisco FE4)
2. PPPoE = 1492 (1500 - 8)
3. MSS: 1452 (1492 - 20 IP - 20 TCP) so I got 1452.
Therefore I've set up the Cisco as follows:
interface Vlan 1
ip nat inside
ip tcp adjust-mss 1452
ip inspect SDM_LOW out
ip nat outside
dialer pool 1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group global
pppoe-client dial-pool-number 1
Why is there this huge difference in speed between download and upload when I put the Cisco in?
Where do I need to tweak the MTU/MSS: on the laptop, VLAN 1 or Dialer 0?
PS: my laptop has MTU = 1500 (I checked the registry for the UTP card connected to the Cisco)
PS2: the PPPoE connection defined in the laptop has MTU = 1300! (same method: checking the XP registry). Even with such a low MTU I still get 50 Mbps with the laptop directly connected to the ISP.
PS3: mturoute results between me and the server that is used for the bandwidth test
mturoute.exe -t 188.8.131.52
mturoute to 184.108.40.206, 30 hops max, variable sized packets
* ICMP Fragmentation is not permitted. *
* Speed optimization is enabled. *
* Maximum payload is 10000 bytes. *
1 +- host: 192.168.1.1 max: 1500 bytes (this is the VLAN1 on CISCO 851)
2 ...-.- host: 10.0.0.1 not responding (10.0.0.1 is directly connected, Dialer0)
3 .-++++++++.-++.- host: 172.19.216.65 max: 1492 bytes (ISP hop 1)
4 +.- host: 220.127.116.11 max: 1492 bytes (Test speed server)
Message was edited by: Horatius
It appears that my low upload problem is the variable MTU set by my ISP.
I discovered this: using another HOST interface, I get the ~30 Mbps upload speed.
I checked the two interfaces and spotted a difference: one has PMTUD enabled while another does not.
As soon as I enabled PMTUD on the initial interface used to test the speed I managed to reach the ~30 Mbps upload speed.
Still I feel that I missed something!
Can somebody help me to review the settings?
1. MSS = 1452 (+20 TCP + 20 IP + 8 PPPoE = 1500) applied on VLAN1
2. PMTUD enabled on the host (initially was disabled - this is listed as an UNCOMMON case in the above article http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml)
3. My ISP uses variable MTU on its segments (mturoute.exe used from a laptop directly connected to the ISP shows MTU between 1480-1492).
4. Zone firewall allows the ICMP return messages needed by MSS/PMTUD
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
As you may know, when an information packet is to be sent from a DEVICE A to another DEVICE B, it passes through 7 layers defined by the OSI model. In each layer, the initial packet acquires an additional header. So in Layer 7 it acquires a header that may be called L7H, in Layer 6 it acquires a header that may be called L6H, and so on (see the picture below).
When the packet is handed to Layer 4, it has a total size (or length) of: Data + L7H + L6H + L5H. This total amount of bits mustn't exceed the amount indicated in the command [ip tcp adjust-mss]. So as you have remarked, this size doesn't include the TCP header (or L4H as we call it in our example). On the contrary, the command [ip mtu] does include the IP header size and the TCP header size (or L3H and L4H).
ip tcp adjust-mss = DATA + L7H + L6H + L5H
ip mtu = DATA + L7H + L6H + L5H + L4H + L3H
Also, don't forget that this command applies only to TCP traffic.
Hi Stewart, hope you are fine.
I am in the troubleshooting department. I always face this problem: when a customer reports that an application is not working, or that it suddenly stopped working, I check and find "ip tcp adjust-mss" and "ip mtu" in the configuration. I want to know where to apply this, on the WAN or the LAN interface? Secondly, what is the minimum MTU size we have to keep?
Normally the MTU is properly calculated from the physical interface speed. If this is the case, there is no need to set the MTU. Even IPsec tunnels calculate their overhead from the physical interfaces based on the parameters specified in the transform set.
Regarding TCP MSS, hosts will typically use their MTU minus 40 bytes. If there is a place in the network that we know the MTU is less than the typical 1500, adjusting the TCP MSS is a good idea. In that case, the TCP MSS should be set 40 bytes lower than the IP MTU.
In most cases I see this with PPPoE. This adds 8 bytes of header information and typically lowers the MTU to 1492. In that case the appropriate setting for MSS would be 1452.
Of course all of the MTU differences can work themselves out as long as something doesn't break PMTU Discovery. If PMTU Discovery is working properly end to end, adjusting the MSS only speeds up the initial handshake by a few milliseconds.
Here's some information I compiled a couple of months ago on the topic--