[c-nsp] Pix to Pix tunnel performance w/Windows File Sharing,>
Church, Chuck
cchurch at netcogov.com
Sat Feb 19 10:10:55 EST 2005
Whoops, didn't notice you were dropping packets over 1272. Some link
between your two sites must be set that way. I'd try 1250 for a Windows
MTU. Adjusting the MSS will help TCP (as you've seen), but won't help
UDP. On the other hand, it's probably easier to adjust the MSS on two
routers instead of the MTU on hundreds of workstations...
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
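The "largest ping that gets through" test Tony used, and the MTU/MSS arithmetic behind Chuck's 1250/1200 figures, as an added example (not from any poster in this thread): a POSIX shell binary search over DF-marked echo payloads, followed by the header arithmetic that turns the payload figure into an IP MTU and the MSS value you would hand to "ip tcp adjust-mss". It assumes Linux iputils ping (-M do sets DF, -s is payload size, -W is a timeout in seconds); the host address and the 1472 upper bound (1500 minus the 28 bytes of IPv4 and ICMP headers) are assumptions, and the probe is passed in as a command so the search can be exercised without a live peer.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds the largest DF-marked ICMP
# echo payload a path will carry, then derives the IPv4 MTU and a TCP MSS.
# Assumes Linux iputils ping; the target address is a placeholder.

# probe_df SIZE HOST
# One echo request of SIZE payload bytes with DF set; 0 means a reply came back,
# non-zero covers both "Frag needed" and silence (an ICMP-blocking path looks
# the same as a too-small MTU, which is exactly the PMTUD problem).
probe_df() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST [LOW] [HIGH]
# PROBE is a command taking (SIZE HOST). Binary-searches payload sizes, relying
# on the fact that if a size passes every smaller size passes too. Prints the
# largest accepted size; prints nothing and returns 1 if no size is accepted.
find_max_payload() {
    probe=$1; host=$2; lo=${3:-0}; hi=${4:-1472}
    best=""
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    if [ -n "$best" ]; then
        printf '%s\n' "$best"
        return 0
    fi
    return 1
}

# payload_to_mtu PAYLOAD
# Echo payload plus 20 bytes IPv4 header plus 8 bytes ICMP header.
payload_to_mtu() {
    printf '%s\n' $(( $1 + 28 ))
}

# mtu_to_mss MTU
# IPv4 header (20) and TCP header (20) without options; TCP options such as
# timestamps eat into the segment further, so a lower clamp is still safe.
mtu_to_mss() {
    printf '%s\n' $(( $1 - 40 ))
}

# Usage against a real peer (address is a placeholder). With the thread's
# observed 1272-byte payload this gives MTU 1300 and MSS 1260:
#   max=$(find_max_payload probe_df 192.0.2.1) || echo "no DF ping got through"
#   mtu=$(payload_to_mtu "$max")
#   echo "mtu=$mtu mss=$(mtu_to_mss "$mtu")"
```

If every probe fails the function prints nothing, which is what you see on a path where someone has filtered all ICMP: the search cannot distinguish that from a tiny MTU, so treat an empty result as "go look at the filters", not as a measurement.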
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
Sent: Friday, February 18, 2005 10:27 PM
To: Tony Mucker
Cc: cisco-nsp at puck.nether.net; gm at wavegard.com
Subject: Re: [c-nsp] Pix to Pix tunnel performance w/Windows File
Sharing,>
If I recall correctly, you don't want to use adjust-mss unless you have
to. It's basically doing a layer 4 rewrite to change the MSS in the TCP
packet. Sometimes this is needed if PMTUD is not working properly. In
the ideal situation, the TCP endpoints discover the proper MSS to use
using PMTUD.
If you change MTU on the PIX, then a TCP host will send a packet with,
say, MSS of 1500 and DF set. This will in theory cause the PIX to
report back an ICMP message that fragmentation was needed but DF was
set. The TCP host then lowers MSS and tries again, until it succeeds.
PIXes support PMTUD as defined in RFC 1191. It is usually best to lower
MTU if that will work. In my experience, however, PMTUD has
considerable problems:
1. Too many hosts block ICMP, because there are too many admins that
think "ICMP is evil".
2. There are hosts that don't respond properly to the ICMP messages
informing them to lower MSS.
3. There are hosts that decide they will set DF in every packet. This
is very braindead. eBay and Amazon used to do this; they may still do.
They used to not respond to the ICMP messages, didn't lower MSS and
continued to set DF.
Brian
On Feb 18, 2005, at 5:48 PM, Tony Mucker wrote:
> This looks very promising. Using pings I was able to determine that the
> biggest packet I could pass between the two PIXes was exactly 1272
> bytes. There doesn't seem to be a command for adjusting MSS on the PIX,
> so on the routers I put in the command "ip tcp adjust-mss 1200."
>
> In my Ethereal packet dumps I'm seeing a lot less re-transmission (but
> there's still some). Gkrellm is reporting decent transfer rates of
> 100KB/s. Triple the performance. Excellent. Chances are I could tell
> my boss that this is it and we'd both be happy. We'd write it off as a
> built-in bandwidth cap for the users :)
>
> Question 1: What's the difference between setting the MTU on the router
> interface and setting ip tcp adjust-mss? I've been looking at the Cisco
> IOS 12.3 Command reference and the closest command I can see is ip tcp
> mss.
>
> Question 2: What other options do I have to increase performance? Most
> of the documentation I've seen deals with Router to Router tunnels, or
> Router to PIX. It seems that in terms of PIX to PIX there aren't as
> many options (for example the ip tcp adjust-mss command doesn't exist in
> PIX OS).
>
> Thanks again
> Tony
>
>
> Grant Moerschel wrote:
>
>> I'd also bet that that is a max segment size issue. I have seen this
>> before with routers running IPsec. There is a command for routers that
>> dictates MSS and essentially if the client sends something larger the
>> IPsec device will tell the client to lower the size and the client
>> thinks the server did...the IPsec device does it by proxy.
>>
>> Not sure if the PIX has the same function but maybe you can do it at a
>> router.
>
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/