[c-nsp] Pix to Pix tunnel performance w/Windows File Sharing
Brian Feeny
signal at shreve.net
Fri Feb 18 22:27:11 EST 2005
If I recall correctly, you don't want to use adjust mss unless you have
to. It's basically doing a layer4 re-write to change the mss in the tcp
packet. Sometimes this is needed if PMTUd is not working properly. In
the ideal situation, the TCP endpoints discover the proper MSS to use
using PMTUd.
If you change MTU on the PIX, then a TCP host will send a packet with
say MSS of 1500 and DF set. This will in theory cause the PIX to
report back an ICMP message that fragmentation was needed but DF was
set. The TCP host then lowers MSS and tries again, until it succeeds.
PIXes support PMTUd as defined in RFC1191. It is usually best to lower
MTU if that will work. In my experience however, PMTUd has
considerable problems:
1. too many hosts block icmp, because there are too many admins that
think "icmp is evil".
2. there are hosts that don't respond properly to the ICMP messages
informing them to lower MSS.
3. there are hosts that decide they will set DF in every packet. This
is very braindead. eBay and Amazon used to do this, they may still do.
They used to not respond to the ICMP messages, didn't lower MSS and
continued to set DF.
Brian
On Feb 18, 2005, at 5:48 PM, Tony Mucker wrote:
> This looks very promising. Using pings I was able to determine that the
> biggest packet I could pass between the two PIXes was exactly 1272
> bytes. There doesn't seem to be a command for adjusting MSS on the PIX,
> so on the routers I put in the command "ip tcp adjust-mss 1200."
>
> In my Ethereal packet dumps I'm seeing a lot less re-transmission (but
> there's still some). Gkrellm is reporting decent transfer rates of
> 100KB/s. Triple the performance. Excellent. Chances are I could tell
> my boss that this is it and we'd both be happy. We'd write it off as a
> built-in bandwidth cap for the users :)
>
> Question 1: What's the difference between setting the MTU on the router
> interface and setting ip tcp adjust mss? I've been looking at the Cisco
> IOS 12.3 Command reference and the closest command I can see is ip tcp
> mss.
>
> Question 2: What other options do I have to increase performance? Most
> of the documentation I've seen deals with Router to Router tunnels, or
> Router to PIX. It seems that in terms of PIX to PIX there aren't as
> many options (for example the ip tcp adjust mss command doesn't exist in
> PIX OS).
>
> Thanks again
> Tony
>
>
> Grant Moerschel wrote:
>
>> I'd also bet that that is a max segment size issue. I have seen this
>> before with routers running IPsec. There is a command for routers that
>> dictates mss and essentially if the client sends something larger the
>> IPsec device will tell the client to lower the size and the client
>> thinks the server did...the ipsec device does it by proxy.
>>
>> Not sure if the pix has the same function but maybe you can do it at a
>> router.
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
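Brian describes adjust-mss as a layer-4 rewrite of the MSS option in the TCP handshake. The following added example (not from the thread and not Cisco code) shows in Python what that rewrite consists of: walk the TCP options of a SYN, lower an oversized MSS, and recompute the TCP checksum over the IPv4 pseudo-header. The addresses and the SMB port 445 are constructed; Tony's 1272-byte path MTU leaves 1232 bytes for the MSS once the 20-byte IPv4 and TCP headers are subtracted, which is the clamp value a device on that path would apply.

```python
import struct

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """RFC 1071 checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"                                  # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)         # fold carries back in
    return (~total) & 0xFFFF

def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed TCP SYN to port 445 (SMB) advertising the given MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)             # kind 2 (MSS), length 4, value
    data_offset = (20 + len(options)) // 4               # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 445, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = bytearray(header + options)
    struct.pack_into("!H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)

def mss_offset(segment: bytes):
    """Byte offset of the MSS option value inside the TCP header, or None if absent."""
    end = (segment[12] >> 4) * 4                         # options end where data begins
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                                    # end-of-option-list
            break
        if kind == 2 and segment[i + 1] == 4:
            return i + 2
        i += 1 if kind == 1 else segment[i + 1]          # NOP is one byte; others carry a length
    return None

def read_mss(segment: bytes):
    """MSS advertised in the segment, or None when no MSS option is present."""
    off = mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]

def clamp_mss(src: bytes, dst: bytes, segment: bytes, max_mss: int) -> bytes:
    """What 'ip tcp adjust-mss' does: lower an oversized MSS in a SYN and fix the checksum."""
    off = mss_offset(segment)
    if off is None or struct.unpack_from("!H", segment, off)[0] <= max_mss:
        return segment                                   # nothing to rewrite
    out = bytearray(segment)
    struct.pack_into("!H", out, off, max_mss)
    struct.pack_into("!H", out, 16, 0)                   # zero the field before recomputing
    struct.pack_into("!H", out, 16, tcp_checksum(src, dst, bytes(out)))
    return bytes(out)
```

A receiver verifying the rewritten segment gets a checksum of zero, which is why the rewrite is invisible to both endpoints, as Grant notes above.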