[c-nsp] Pix to Pix tunnel performance w/Windows File Sharing,>

Church, Chuck cchurch at netcogov.com
Sat Feb 19 10:10:55 EST 2005


Whoops, didn't notice you were dropping packets over 1272.  Some link
between your two sites must be set that way.  I'd try 1250 for a Windows
MTU.  Adjusting the MSS will help TCP (as you've seen), but won't help
UDP.  On the other hand, it's probably easier to adjust the MSS on two
routers instead of the MTU on hundreds of workstations... 


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D 


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
Sent: Friday, February 18, 2005 10:27 PM
To: Tony Mucker
Cc: cisco-nsp at puck.nether.net; gm at wavegard.com
Subject: Re: [c-nsp] Pix to Pix tunnel performance w/Windows File Sharing,>

If I recall correctly, you don't want to use adjust-mss unless you have 
to.  It's basically doing a layer 4 rewrite to change the MSS in the TCP 
packet.  Sometimes this is needed if PMTUD is not working properly.  In 
the ideal situation, the TCP endpoints discover the proper MSS to use 
using PMTUD.

If you change the MTU on the PIX, then a TCP host will send a packet with 
say an MSS of 1500 and DF set.  This will in theory cause the PIX to 
report back an ICMP message that fragmentation was needed but DF was 
set.  The TCP host then lowers the MSS and tries again, until it succeeds.  
PIXes support PMTUD as defined in RFC 1191.  It is usually best to lower 
the MTU if that will work.  In my experience, however, PMTUD has 
considerable problems:

1. Too many hosts block ICMP, because there are too many admins that 
think "ICMP is evil".
2. There are hosts that don't respond properly to the ICMP messages 
informing them to lower the MSS.
3. There are hosts that decide they will set DF in every packet.  This 
is very braindead.  eBay and Amazon used to do this; they may still do.  
They used to not respond to the ICMP messages, didn't lower the MSS and 
continued to set DF.

Brian

On Feb 18, 2005, at 5:48 PM, Tony Mucker wrote:

> This looks very promising.  Using pings I was able to determine that
> the biggest packet I could pass between the two PIXes was exactly 1272
> bytes.  There doesn't seem to be a command for adjusting MSS on the
> PIX, so on the routers I put in the command "ip tcp adjust-mss 1200."
>
> In my Ethereal packet dumps I'm seeing a lot less retransmission (but
> there's still some).  Gkrellm is reporting decent transfer rates of
> 100KB/s.  Triple the performance.  Excellent.  Chances are I could tell
> my boss that this is it and we'd both be happy.  We'd write it off as a
> built-in bandwidth cap for the users :)
>
> Question 1:  What's the difference between setting the MTU on the
> router interface and setting ip tcp adjust-mss?  I've been looking at
> the Cisco IOS 12.3 Command Reference and the closest command I can see
> is ip tcp mss.
>
> Question 2:  What other options do I have to increase performance?
> Most of the documentation I've seen deals with Router to Router
> tunnels, or Router to PIX.  It seems that in terms of PIX to PIX there
> aren't as many options (for example the ip tcp adjust-mss command
> doesn't exist in PIX OS).
>
> Thanks again
> Tony
>
>
> Grant Moerschel wrote:
>
>> I'd also bet that that is a max segment size issue. I have seen this
>> before with routers running IPsec. There is a command for routers that
>> dictates MSS and essentially if the client sends something larger the
>> IPsec device will tell the client to lower the size and the client
>> thinks the server did...the IPsec device does it by proxy.
>>
>> Not sure if the PIX has the same function but maybe you can do it at a
>> router.
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

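The three mechanisms the thread compares (probing the path with DF-set pings, deriving an MSS from the discovered path MTU, and the layer 4 rewrite that "ip tcp adjust-mss" performs on a SYN) can be shown together in a few dozen lines. The script below is an added example written for this archive page; it is not code from any of the posters or from Cisco. The probe is a constructed stand-in for a path that silently drops DF packets larger than 1272 bytes (the figure Tony measured), the 10.0.0.5/10.0.1.7 addresses and port 445 are invented, and `find_path_mtu` takes the probe as a parameter so the search logic can be exercised offline; on a real host the probe would be `ping -f -l <size-28>` (Windows) or `ping -M do -s <size-28>` (Linux), since those sizes are ICMP payload and the IP packet adds 28 bytes of headers.

```python
"""Path-MTU probing, MSS derivation and SYN MSS clamping.

Constructed example around the cisco-nsp thread above; not the posters' code.
"""
import struct

IP_HDR = 20    # IPv4 header, no options
TCP_HDR = 20   # TCP header, no options
TCP_PROTO = 6


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IP packet size that passes with DF set.

    probe(size) returns True when a DF-set packet of `size` bytes (IP total
    length) reaches the far end.  `lo` is assumed to pass; `hi` is the link MTU.
    """
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def mss_for_path_mtu(path_mtu):
    """Largest TCP segment payload that fits in one packet on this path."""
    return path_mtu - IP_HDR - TCP_HDR


def ones_complement_sum(data):
    """RFC 1071 checksum over `data` (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo(src, dst, seg_len):
    return src + dst + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def build_syn(src, dst, sport, dport, mss):
    """Minimal TCP SYN (no payload) carrying only an MSS option, checksum filled in."""
    opts = struct.pack("!BBH", 2, 4, mss)          # kind 2, length 4, MSS value
    doff = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      doff << 4, 0x02, 65535, 0, 0) + opts
    csum = ones_complement_sum(_pseudo(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def clamp_mss(src, dst, segment, max_mss):
    """The rewrite `ip tcp adjust-mss` does in flight: lower an MSS option that
    exceeds max_mss and recompute the TCP checksum.  Returns (segment, old_mss);
    old_mss is None when the segment is not a SYN or carries no MSS option."""
    doff = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:                      # MSS is only valid on SYN
        return segment, None
    seg = bytearray(segment)
    old = None
    i = TCP_HDR
    while i < doff:                                 # walk TLV options
        kind = seg[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP, one byte
            i += 1
            continue
        length = seg[i + 1]
        if kind == 2 and length == 4:
            old = struct.unpack("!H", seg[i + 2:i + 4])[0]
            if old > max_mss:
                seg[i + 2:i + 4] = struct.pack("!H", max_mss)
            break
        i += length
    seg[16:18] = b"\x00\x00"                         # zero, then recompute
    seg[16:18] = struct.pack("!H", ones_complement_sum(_pseudo(src, dst, len(seg)) + bytes(seg)))
    return bytes(seg), old


def tcp_checksum_ok(src, dst, segment):
    """A correct TCP checksum makes the sum over pseudo-header plus segment come out 0."""
    return ones_complement_sum(_pseudo(src, dst, len(segment)) + segment) == 0


def demo():
    """Constructed path that drops DF packets over 1272 bytes, as in the thread."""
    path = lambda size: size <= 1272
    pmtu = find_path_mtu(path)
    mss = mss_for_path_mtu(pmtu)
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 1, 7])      # assumed addresses
    syn = build_syn(src, dst, 40000, 445, 1460)                 # SMB SYN offering 1460
    clamped, old_mss = clamp_mss(src, dst, syn, 1200)           # the thread's adjust-mss 1200
    new_mss = struct.unpack("!H", clamped[22:24])[0]
    return pmtu, mss, old_mss, new_mss


if __name__ == "__main__":
    print(demo())   # (1272, 1232, 1460, 1200)
```

Two things the numbers make visible: a 1272-byte path MTU leaves room for a 1232-byte MSS, so Tony's clamp of 1200 is below the ceiling with margin, and Chuck's suggested 1250-byte Windows MTU gives an MSS of 1210 by the same subtraction. The clamp only touches SYN segments because the MSS option is only meaningful there, which is also why it does nothing for UDP, as Chuck notes.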
