[c-nsp] DMVPN Rollout -- MTU questions
Kaj Niemi
kajtzu at basen.net
Fri May 23 05:44:46 EDT 2008
Hi,
On May 22, 2008, at 21:04, Eric Cables wrote:
> I've read all of the DMVPN documentation (design guide / best practices) I
> can find, along with the "Resolve IP Fragmentation, MTU, MSS, and PMTUD
> Issues with GRE and IPSEC" document on cisco.com, but I'm still having some
> trouble finding a systematic approach to setting MTU, and/or knowing when
> the use of tcp adjust-mss is needed.
>
> Based on the DMVPN best practices design guide, we have implemented the
> following:
> - IP MTU 1400
> - Tunnel PMTUD
>
> The above, however, doesn't seem to work in some cases. Users at these
> sites complain of intermittent connectivity problems, which seem to be
> solved rather quickly by reducing the IP MTU, and configuring TCP
> adjust-mss. I do have concern as to why PMTUD isn't working as expected
> (sending ICMP unreachables to the client to adjust their MTU accordingly),
> and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
> assuming it's necessary.
My experience has been that, instead of playing with interface/server
MTUs, simply setting ip tcp adjust-mss 1300 on any customer ingress
interface (very, very, very conservative) resolves any issues. Most
issues in a typical rollout seem to originate from Windows boxes and
Windows administrators.
Are ICMP unreachables actually sent? Do they get encapsulated into a
tunnel? Do you filter ICMP somewhere?
HTH
Kaj
--
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
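One way to check the questions raised in the reply above (are ICMP unreachables actually sent, and what MTU do they advertise) is to parse the ICMP "fragmentation needed" messages seen in a capture taken at the client side. This is an added example, not part of the original thread; the addresses, ports and function names are constructed for illustration, and the 40-byte allowance for the MSS assumes IPv4 and TCP headers without options.

```python
import socket
import struct

def ipv4_header(src, dst, proto, total_len, df=False):
    """Minimal 20-byte IPv4 header for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample(mtu=1400, icmp_type=3, code=4):
    """Constructed packet: a router tells a client its 1500-byte DF packet is too big."""
    inner = ipv4_header("198.51.100.10", "203.0.113.5", 6, 1500, df=True)
    inner += struct.pack("!HHI", 49152, 443, 0)        # first 8 bytes of TCP
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu)
    outer = ipv4_header("192.0.2.1", "198.51.100.10", 1, 20 + len(icmp) + len(inner))
    return outer + icmp + inner

def parse_frag_needed(packet):
    """Return details of an ICMP type 3 code 4 message, or None for anything else."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                                    # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, code) != (3, 4):
        return None
    info = {
        "reporter": socket.inet_ntoa(packet[12:16]),   # device that sent the ICMP
        "next_hop_mtu": mtu,                           # 0 if the sender predates RFC 1191
        "max_mss": mtu - 40 if mtu >= 68 else None,    # minus IPv4 + TCP headers
    }
    inner = packet[ihl + 8:]                           # quoted original IP header
    if len(inner) >= 20:
        info["orig_len"] = struct.unpack("!H", inner[2:4])[0]
        info["orig_df"] = bool(inner[6] & 0x40)
        info["orig_dst"] = socket.inet_ntoa(inner[16:20])
    return info

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```

If a capture at the client never yields a non-None result while large DF packets are being dropped, the unreachables are either not generated or filtered on the way back, which is the case where clamping the MSS is the practical workaround.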