[c-nsp] DMVPN Rollout -- MTU questions

Jason LeBlanc jml at packetpimp.org
Fri May 23 09:56:16 EDT 2008


IME, something in the chain blocking icmp packet-too-big messages will 
cause problems.  I've tried to explain to some people we network with 
that blocking all icmp is not a good idea, tcp/ip needs certain types 
allowed to work properly.  In this case for PMTUD (path MTU discovery) 
to work.

Kaj Niemi wrote:
> Hi,
> 
> On May 22, 2008, at 21:04, Eric Cables wrote:
> 
>> I've read all of the DMVPN documentation (design guide / best
>> practices) I can find, along with the "Resolve IP Fragmentation, MTU,
>> MSS, and PMTUD Issues with GRE and IPSEC" document on cisco.com, but
>> I'm still having some trouble finding a systematic approach to setting
>> MTU, and/or knowing when the use of tcp adjust-mss is needed.
>>
>> Based on the DMVPN best practices design guide, we have implemented the
>> following:
>> - IP MTU 1400
>> - Tunnel PMTUD
>>
>> The above, however, doesn't seem to work in some cases.  Users at these
>> sites complain of intermittent connectivity problems, which seem to be
>> solved rather quickly by reducing the IP MTU, and configuring TCP
>> adjust-mss.  I do have concern as to why PMTUD isn't working as expected
>> (sending ICMP unreachables to the client to adjust their MTU accordingly),
>> and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
>> assuming it's necessary.
> 
> My experience has been that, instead of playing with interface/server 
> MTUs, simply setting ip tcp adjust-mss 1300 on any customer ingress 
> interface (very, very, very conservative) resolves any issues. Most 
> issues in a typical rollout seem to originate from Windows boxes and 
> Windows administrators.
> 
> Are ICMP unreachables actually sent? Do they get encapsulated into a 
> tunnel? Do you filter ICMP somewhere?
> 
> HTH
> 
> Kaj
> 
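The thread turns on two numbers: how many bytes GRE and ESP add to each packet, and the TCP MSS that follows from the tunnel's ip mtu. The Python below is an added example for this thread, not code from the list, from Cisco, or from any of the posters. It works out that arithmetic for a typical transform set and then models what a tunnel head-end does with an oversize DF packet when the ICMP type 3 code 4 message is filtered on the return path, which is the failure Jason and Kaj are pointing at. The ESP sizes (8-byte SPI plus sequence, cipher block and IV lengths, 12-byte ICV, 2-byte trailer), the 1500-byte underlay MTU and the transform names are assumptions; check them against your own transform set.

```python
"""Tunnel overhead, MSS and PMTUD black-hole model for GRE over IPsec.

Added example for this thread, not code from the list or from Cisco.
Header sizes below are assumptions for a typical ESP transform; verify
them against your own transform set before relying on the numbers.
"""

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # basic GRE header (no key, no sequence number)
ESP_HDR = 8          # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
PHYSICAL_MTU = 1500  # assumed MTU of the underlay link

# Assumed transform parameters: (cipher block size, IV length, ICV length)
TRANSFORMS = {
    "3des-sha": (8, 8, 12),    # 3DES-CBC with HMAC-SHA1-96
    "aes-sha": (16, 16, 12),   # AES-CBC with HMAC-SHA1-96
}


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that exactly fills a tunnel with the given 'ip mtu'.

    ip mtu 1400 -> 1360, which is why the design guides pair the two.
    """
    return ip_mtu - IP_HDR - TCP_HDR


def outer_size(inner_len, transform="3des-sha", mode="transport"):
    """Bytes on the wire for an inner IP packet of inner_len after GRE + ESP."""
    block, iv_len, icv_len = TRANSFORMS[transform]
    # Transport mode protects only the GRE payload behind the delivery IP
    # header (the usual DMVPN choice); tunnel mode wraps the whole GRE packet,
    # including its IP header, and adds a new outer IP header.
    if mode == "transport":
        protected = GRE_HDR + inner_len
    elif mode == "tunnel":
        protected = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # ESP pads (payload + trailer) up to a multiple of the cipher block size
    padded = protected + ESP_TRAILER
    padded += (-padded) % block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len


def largest_inner_mtu(physical_mtu=PHYSICAL_MTU, **kw):
    """Largest inner packet whose encapsulation still fits the underlay MTU."""
    n = physical_mtu
    while outer_size(n, **kw) > physical_mtu:
        n -= 1
    return n


def pmtud_outcome(inner_len, df, tunnel_ip_mtu, icmp_reaches_sender):
    """What the tunnel head-end does with a packet larger than its ip mtu.

    Models the 'tunnel path-mtu-discovery' case from the thread: with DF set
    the router must send ICMP type 3 code 4 instead of fragmenting; if that
    message is filtered somewhere on the way back the flow silently stalls.
    """
    if inner_len <= tunnel_ip_mtu:
        return "forwarded"
    if not df:
        return "fragmented"       # router fragments before encapsulation
    if icmp_reaches_sender:
        return "icmp_too_big"     # sender retries with <= tunnel_ip_mtu
    return "blackholed"           # the intermittent hang users report


if __name__ == "__main__":
    print("ip mtu 1400 -> tcp adjust-mss", mss_for_ip_mtu(1400))
    for n in (1400, 1442, 1500):
        print(f"inner {n} bytes -> outer {outer_size(n)} bytes")
    print("largest inner MTU (3des-sha, transport):", largest_inner_mtu())
    for icmp_ok in (True, False):
        print("1500-byte DF packet, ICMP reaches sender =", icmp_ok, "->",
              pmtud_outcome(1500, True, 1400, icmp_ok))
```

Under these assumptions a 1400-byte inner packet comes out at 1456 bytes in transport mode and 1480 in tunnel mode, so ip mtu 1400 keeps a margin under 1500 for either, and the matching MSS is 1360. Kaj's 1300 sits another 60 bytes below that, which is why it works even where the transform or extra encapsulation is unknown. The last two lines of output show the two halves of the complaint in the thread: with ICMP flowing the client shrinks its packets, and with it filtered the same packet is dropped without any signal.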


More information about the cisco-nsp mailing list