[c-nsp] ip tcp adjust-mss on LNS 7206VXR

Tim Franklin tim at colt.net
Mon Jan 15 07:18:15 EST 2007


> Sadly, there are much larger problems than firewalls configured by
> buffoons. Many load balancers seem to have problems sending ICMP to
> virtual IPs back to the real IPs, so in my (quite extensive) experience
> diddling with path MTU rather than the MSS causes a lot of large-ish
> websites on the net to fail.

Hmm... Must admit I'd missed load-balancers (most of what I've been working
on for a while is either enterprise site-to-site or Internet access, not
data-centre).  While I'd still view devices that can't cope as broken,
fixing broken vendors is even harder than fixing broken firewall admins :(

> From the sounds of it however, your experience does not reflect that,
> which interests me - are you able to share any numbers with us?

Well, the default we're using for both VPN and Internet access is to set a
reduced MTU and return ICMP "too big" as needed whenever there is some kind
of tunnel in the path - be that GRE, IPSec, L2TP (particularly in the DSL
space).

Out of *mumble*thousand customers, I'm aware of no more than a dozen instances
where we've had to do something else to appease the customer, typically
clear the DF-bit on the way in from the customer LAN so we can fragment on
the way in to the tunnel and let the destination host re-assemble.  (There
have been one or two where we've *had* to fragment the tunnel and do our own
re-assembly.)

Take into account though that I'm mostly talking about fully managed
services, where we have control of the devices on both ends of the tunnel,
and can do a lot of the "magic" on the customer's behalf.  (They just have
to not actively break things, for the most part). I appreciate things may
run differently if you don't have that luxury.

Regards,
Tim.

-- 
____________   Tim Franklin                 e: tim.franklin at colt.net 
\C/\O/\L/\T/   Network Development &        w: www.colt.net 
 V  V  V  V    Product Engineering          t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  
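An added IOS configuration sketch, not from the thread or from Tim, showing the default approach the reply describes (reduced MTU on the tunnel so the router returns ICMP "too big", with the MSS clamped to match) and the per-customer fallback of clearing DF on the way in from the customer LAN. Interface names, addresses and the 1400/1452 MTU values are illustrative assumptions; pick the MTU from the real overhead of your tunnel.

```cisco
! --- Default: reduced tunnel MTU + MSS clamp (MSS = MTU - 40 for IPv4/TCP headers)
! The router answers oversized DF packets with ICMP type 3 code 4 ("too big"),
! which only works while "ip unreachables" (the default) is left enabled on the
! ingress interface. Addresses below are constructed examples.
interface Tunnel0
 description GRE to customer site (illustrative)
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
! --- Same idea on an LNS: L2TP sessions terminate on a virtual-template,
! so the clamp goes there (1452/1412 shown as assumed values).
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1452
 ip tcp adjust-mss 1412
!
! --- Fallback for the odd customer whose far end drops or never sees
! ICMP "too big": clear DF on traffic entering from the customer LAN so the
! router can fragment into the tunnel and the destination host reassembles.
! Only apply this where PMTUD is demonstrably broken; it costs CPU and
! hides the underlying fault.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
interface GigabitEthernet0/1
 description Customer LAN (illustrative)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map CLEAR-DF
```

A quick check that the clamp is taking effect is a capture of the SYN/SYN-ACK on the customer side: the MSS option should show the clamped value rather than the host's default.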
