[c-nsp] Pix to Pix tunnel performance w/Windows File Sharing

Brian Feeny signal at shreve.net
Fri Feb 18 22:27:11 EST 2005


If I recall correctly, you don't want to use adjust-mss unless you have 
to.  It's basically doing a layer 4 rewrite to change the MSS in the TCP 
packet.  Sometimes this is needed if PMTUd is not working properly.  In 
the ideal situation, the TCP endpoints discover the proper MSS to use 
using PMTUd.

If you change the MTU on the PIX, then a TCP host will send a packet with, 
say, an MSS of 1500 and DF set.  This will in theory cause the PIX to 
report back an ICMP message that fragmentation was needed but DF was 
set.  The TCP host then lowers its MSS and tries again, until it succeeds.  
PIXes support PMTUd as defined in RFC 1191.  It is usually best to lower 
the MTU if that will work.  In my experience, however, PMTUd has 
considerable problems:

1. Too many hosts block ICMP, because there are too many admins who 
think "ICMP is evil".
2. There are hosts that don't respond properly to the ICMP messages 
informing them to lower the MSS.
3. There are hosts that decide they will set DF in every packet.  This 
is very braindead.  eBay and Amazon used to do this; they may still do.  
They used to not respond to the ICMP messages, didn't lower the MSS and 
continued to set DF.

Brian

On Feb 18, 2005, at 5:48 PM, Tony Mucker wrote:

> This looks very promising.  Using pings I was able to determine that the
> biggest packet I could pass between the two PIXes was exactly 1272
> bytes.  There doesn't seem to be a command for adjusting MSS on the PIX,
> so on the routers I put in the command "ip tcp adjust-mss 1200."
>
> In my Ethereal packet dumps I'm seeing a lot less retransmission (but
> there's still some).  Gkrellm is reporting decent transfer rates of
> 100KB/s.  Triple the performance.  Excellent.  Chances are I could tell
> my boss that this is it and we'd both be happy.  We'd write it off as a
> built-in bandwidth cap for the users :)
>
> Question 1:  What's the difference between setting the MTU on the router
> interface and setting ip tcp adjust-mss?  I've been looking at the Cisco
> IOS 12.3 Command Reference and the closest command I can see is ip tcp
> mss.
>
> Question 2:  What other options do I have to increase performance?  Most
> of the documentation I've seen deals with Router to Router tunnels, or
> Router to PIX.  It seems that in terms of PIX to PIX there aren't as
> many options (for example the ip tcp adjust-mss command doesn't exist in
> PIX OS).
>
> Thanks again
> Tony
>
>
> Grant Moerschel wrote:
>
>> I'd also bet that this is a maximum segment size issue.  I have seen this
>> before with routers running IPsec.  There is a command for routers that
>> dictates the MSS, and essentially if the client sends something larger the
>> IPsec device will tell the client to lower the size, and the client
>> thinks the server did... the IPsec device does it by proxy.
>>
>> Not sure if the PIX has the same function, but maybe you can do it at a
>> router.
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
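Added example, not part of the thread and not Cisco code: it shows in packet terms the "layer 4 rewrite" Brian describes (what `ip tcp adjust-mss` does to a SYN's MSS option, and why it works even when ICMP never reaches the end host), and the arithmetic behind Tony's clamp value given his measured 1272-byte path MTU. The SYN (to TCP/445 with DF set) and the 10.x addresses are constructed for illustration; nothing here is captured traffic.

```python
"""Added example (not from the cisco-nsp thread): the layer-4 rewrite that
'ip tcp adjust-mss' performs on a TCP SYN, plus the arithmetic for picking
the clamp value from a measured path MTU.  Packets and addresses below are
constructed for illustration, not captured from a real network."""
import struct

IPV4_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20           # TCP header without options
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02
IP_PROTO_TCP = 6
IP_FLAG_DF = 0x4000        # "don't fragment" bit in the flags/fragment field


def mss_for_path_mtu(path_mtu: int) -> int:
    """Largest TCP payload that fits one packet of path_mtu bytes when neither
    IP nor TCP carries options: MTU minus the two 20-byte headers."""
    return path_mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and a segment whose own
    checksum field is already zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def tcp_checksum_ok(packet: bytes) -> bool:
    """Summing pseudo-header plus segment *including* its checksum gives 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return _ones_complement_sum(pseudo + segment) == 0xFFFF


def _parse_ip(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN with DF set and one MSS option (kind 2, length 4)."""
    src, dst = _parse_ip(src_ip), _parse_ip(dst_ip)
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4      # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 1,
                     IP_FLAG_DF, 64, IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", (~_ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


def _find_mss_option(tcp: bytes):
    """Offset of the MSS value inside the TCP header, or None if absent."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = tcp[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:                       # malformed option: stop rather than loop
            break
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    """MSS option value carried by a TCP segment, or None."""
    ihl = (packet[0] & 0x0F) * 4
    off = _find_mss_option(packet[ihl:])
    return None if off is None else struct.unpack("!H", packet[ihl + off:ihl + off + 2])[0]


def clamp_syn_mss(packet: bytes, max_mss: int) -> bytes:
    """What 'ip tcp adjust-mss <max_mss>' does: on a TCP SYN whose MSS option
    exceeds max_mss, rewrite the option and refresh the TCP checksum.  Anything
    else passes through untouched.  No ICMP has to reach the end host; the peer
    simply believes the other side asked for the smaller segment."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_TCP:
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_FLAG_SYN:
        return packet
    off = _find_mss_option(bytes(tcp))
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return packet
    tcp[off:off + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    # Tony's ping test found a 1272-byte path MTU across the PIX-to-PIX tunnel.
    print("MSS that fits a 1272-byte path MTU:", mss_for_path_mtu(1272))
    syn = build_syn("10.0.0.10", "10.0.1.20", 40000, 445, 1460)
    print("MSS in original SYN:", read_mss(syn))
    clamped = clamp_syn_mss(syn, 1200)
    print("MSS after adjust-mss 1200:", read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp is the difference between the two knobs Tony asks about: lowering an interface MTU only changes what the router will forward, and still relies on the host honouring ICMP "fragmentation needed" (Brian's three failure cases), whereas adjust-mss edits the SYN itself, so the hosts never send an oversized segment in the first place. For a 1272-byte path MTU the tightest clamp is 1232; Tony's 1200 leaves a little headroom for TCP options such as timestamps.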


