
Unstable/Slow Performing Networks or VPNs? …just go grocery shopping!

Awarded
Editor's Choice
Blue Street Tech
We are the Special Ops team of IT. We provide the people, processes & tools to make IT work effectively.
Imagine you have a shopping list of items you need to get at the grocery store. You have two options:
A. Take one trip to the grocery store and get everything you need for the week, or
B. Take multiple trips, buying an item at a time, to achieve the same feat.
Obviously, unless you are purposely trying to get out of the house, you'd choose "A". But why do we so often choose "B" when it comes to our data transmission? The key metric here is efficiency. How many trips do you want to take?

MTU…says you need to buy Milk in 1 Gallon containers rather than by the ounce!

MTU is an acronym that stands for Maximum Transmission Unit: the largest packet, measured in bytes, that a network link can carry in a single frame (1500 bytes on standard Ethernet, counting the IP header but not the Ethernet frame header). When an IP datagram is larger than the MTU of a link it has to cross, it is either split into smaller packets (packet fragmentation, or being "fragmented"), which the receiver then has to reassemble, or, if the sender marked it "Don't Fragment", it is dropped outright. Fragmentation is the equivalent of making several trips to the store for one shopping list: each original packet now costs two or more packets on the wire, the receiver has to hold the pieces until all of them arrive, and losing any one fragment loses the whole packet. In other words, the MTU dictates the maximum length of a data unit a protocol can send in one trip without fragmentation occurring.

Do I Really need to Manually Correct the MTU Value?

The correct MTU value is like choosing the right size of shopping cart: large enough to be efficient, but not so large that it will not fit through the door. So shouldn't you just leave the MTU at its default/automatic setting? In general, people think only of the Ethernet MTU (1500 bytes by default), which is fine on the LAN. This article, however, primarily deals with performance problems and instability/connectivity issues on a WAN or VPN link. Take the VPN case: the encapsulation process wraps each original packet inside another packet, and that wrapper takes space inside the frame that is no longer available to the payload. For this reason most VPNs send their outer transport packets with the "Don't Fragment" (DF) flag set: an outer packet that is too big for some link along the path is then dropped and reported back to the sender, instead of being fragmented, so the tunnel can settle on a size that fits and avoid fragment reassembly and the retransmissions that lost fragments cause.

This means that the MTU of the virtual (tunnel) interface, for example the VPN adapter on a Windows 7 machine, must be smaller than the MTU of the physical network (Ethernet) card it rides on, by at least the size of the outer "encapsulation" headers, so that the wrapped packet still fits in one frame.

The majority of VPN implementations understand this and set the tunnel MTU automatically/dynamically. To do so they typically rely on Path MTU Discovery (PMTUD): packets are sent with the DF flag set, and when a router along the path cannot forward one of them it sends back an ICMP "Fragmentation Needed" message carrying the MTU of its link, which the sender uses to shrink its packets accordingly.

However, nothing is perfect and there are several scenarios in which this "automatic" MTU discovery process fails. Here are a few examples:
Scenario #1 - A link between the client and the server, which are both on Ethernet, runs over something other than plain Ethernet with a smaller MTU (e.g. some DSL lines using PPPoE or PPPoA over ATM, a "CSU/DSU" serial line, etc.), and the device in front of that link does not generate the ICMP "Fragmentation Needed" message that PMTUD depends on.
Scenario #2 - A firewall along the path blocks ICMP. If ICMP type 3 code 4 ("Fragmentation Needed") never gets back to the sender, PMTUD fails silently: large packets disappear while small ones get through, the classic PMTUD "black hole".

Considerations

A larger MTU is more efficient when your network link is reliable: fewer packets, fewer headers, fewer trips.
However, a single corrupted bit or a single lost packet means the whole of that larger packet must be sent all over again. On an unreliable link a lower MTU value can therefore achieve better performance, because each retransmission costs less.

Determining the MTU Value for Your Internet Connection

Modifying the MTU of the WAN and/or VPN interface can, in some environments, provide a tremendous performance boost.
For example, many flavors of DSL such as PPPoE and PPPoA wrap each packet in additional headers (PPPoE alone adds 8 bytes, which is why 1492 is the usual MTU on a PPPoE line) and thereby reduce the "spare" room inside the 1500 bytes an Ethernet frame carries. As a general rule of thumb, such DSL connections may operate more effectively at a reduced MTU of something near 1400, particularly once a VPN is layered on top of them.
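The arithmetic behind the "spare room" of the VPN paragraphs above and the DSL figures here, as an added worked example (this is not code from the article). The overhead figures are for PPPoE and for IPsec ESP in tunnel mode over IPv4; the cipher-suite presets are typical settings assumed for illustration, not values the article gives, so check what your own VPN negotiates.

```python
"""Compute how much 'spare room' a tunnel needs below the physical MTU.

Added example, not code from the article. Overhead figures: PPPoE (RFC 2516)
and IPsec ESP tunnel mode over IPv4 (RFC 4303). The cipher-suite presets are
typical choices assumed for illustration; check your own VPN's settings.
"""

PPPOE_OVERHEAD = 8        # PPPoE header (6) + PPP protocol field (2): 1500 -> 1492
OUTER_IPV4_HEADER = 20    # the new outer IP header ESP tunnel mode adds
UDP_HEADER = 8            # only present when NAT-Traversal wraps ESP in UDP/4500
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
IPV4_TCP_HEADERS = 40     # inner IPv4 (20) + TCP (20), used for the MSS figure

# (IV length, ICV length, padding alignment) per suite, assumed presets.
# ESP pads the inner packet + trailer up to a multiple of the alignment,
# so the worst case is alignment - 1 bytes of padding.
ESP_SUITES = {
    "aes-cbc/hmac-sha1-96":      dict(iv_len=16, icv_len=12, pad_block=16),
    "aes-cbc/hmac-sha2-256-128": dict(iv_len=16, icv_len=16, pad_block=16),
    "aes-gcm-128-16":            dict(iv_len=8,  icv_len=16, pad_block=4),
}


def esp_tunnel_overhead(iv_len: int, icv_len: int, pad_block: int,
                        nat_t: bool = False) -> int:
    """Worst-case number of bytes ESP tunnel mode adds around one inner packet."""
    worst_padding = pad_block - 1
    overhead = (OUTER_IPV4_HEADER + ESP_HEADER + iv_len
                + worst_padding + ESP_TRAILER + icv_len)
    if nat_t:
        overhead += UDP_HEADER
    return overhead


def tunnel_mtu(outer_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner packet that still fits one outer packet on a link of outer_mtu."""
    return outer_mtu - esp_tunnel_overhead(nat_t=nat_t, **ESP_SUITES[suite])


def tcp_mss(mtu: int) -> int:
    """TCP MSS to advertise (or clamp) so no segment exceeds the given MTU."""
    return mtu - IPV4_TCP_HEADERS


def pppoe_mtu(ethernet_mtu: int = 1500) -> int:
    """MTU left for IP once the PPPoE headers take their share of the frame."""
    return ethernet_mtu - PPPOE_OVERHEAD


if __name__ == "__main__":
    # Print the resulting tunnel MTU and MSS for Ethernet and a PPPoE DSL line.
    for line_name, link in (("Ethernet", 1500), ("PPPoE DSL", pppoe_mtu())):
        for suite in ESP_SUITES:
            for nat_t in (False, True):
                inner = tunnel_mtu(link, suite, nat_t)
                print(f"{line_name:10} {suite:26} NAT-T={nat_t!s:5} "
                      f"tunnel MTU {inner}  TCP MSS {tcp_mss(inner)}")
```

With the AES-CBC/HMAC-SHA1 preset and NAT-T, a 1500-byte Ethernet link leaves 1419 bytes for the inner packet and a PPPoE line leaves 1411, which is where the "near 1400" rule of thumb comes from. The MSS figure is what to clamp on the firewall if you would rather avoid touching the MTU of every client.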

Performing the MTU Packet Size Test.

1. METHOD #1: MANUALLY

1. In Windows, go to Start > Run > cmd
2. Type this command: Ping -f -l # <Hostname>
Ping -f -l 1500 www.yahoo.com

3. Reduce the packet size by 8 bytes (1500-8 = 1492), then test again.
4. Repeat step #3, reducing again by 8 (1492-8 = 1484, then 1484-8 = 1476, and so on) and test between each reduction, until you receive: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).
5. Once you find the largest value with no loss, add 28 to it to get the MTU: the number after -l is only the ICMP payload, and ping wraps it in a 20-byte IP header and an 8-byte ICMP header that count toward the MTU. For example, on a plain Ethernet link -l 1472 is the largest size that passes, and 1472 + 28 = 1500. Use that total as the MTU value for the WAN interface on your firewall.
NOTE: Per RFC 791, the valid range of MTU is from 68 to 65535 and there is no requirement that MTU be a multiple of 8; the numeric value is simply a count of octets. Stepping by 8 is only a convenience, so once a size passes, also try the sizes between it and the last one that failed to find the exact boundary.

If the packet is too large for your own link, you will receive the message "Packet needs to be fragmented but DF set." (with 100% packet loss). If the packet is too large for a link further along the path and the device there does not send ICMP back (Scenario #2 above), you will see "Request timed out." instead; either way, count it as a failure. If the ping passes successfully, you will receive replies from the address specified along with the final summary: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).

Explanation of parameters: The switches for Ping -f -l # <Hostname>
-f             sets the Don't Fragment flag in the IP header.
-l             sets the size of the data to send.
#              the payload size in bytes, e.g. 1500 (the IP and ICMP headers add another 28 bytes on the wire).
<Hostname>     the hostname or IP address to ping, e.g. www.yahoo.com.
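The manual procedure above can be automated. The following is an added example (not part of the article, and not the mturoute tool): it narrows the size down by binary search instead of 8-byte steps, drives the operating system's own ping (the Windows flags from the article, or the iputils flags on Linux; the timeout values are assumptions), and adds the 28 header bytes to turn the largest passing payload into an MTU. The simulated path exists only so the search logic can be exercised without a network.

```python
"""Binary-search the largest unfragmented ping payload and turn it into an MTU.

Added example, not code from the article. Assumes the OS ping binary:
Windows 'ping -f -l', or Linux iputils 'ping -M do -s' (macOS flags differ).
"""
import platform
import subprocess
from typing import Callable

IP_ICMP_HEADERS = 28   # IPv4 header (20) + ICMP echo header (8), not counted by -l
ETHERNET_MTU = 1500


def ping_df_ok(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request with the DF bit set; True only on a clean reply."""
    if platform.system() == "Windows":
        # -f: Don't Fragment, -l: payload bytes, -n 1: one probe, -w: timeout in ms
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]
    else:
        # iputils: -M do = DF set, -s: payload bytes, -c 1: one probe, -W: timeout in s
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]
    try:
        run = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    # "needs to be fragmented" / "message too long" (local link too small) and a
    # plain timeout (dropped further along, e.g. by an ICMP-blocking firewall)
    # all count as failure; only a reply with a zero exit status is a pass.
    output = (run.stdout + run.stderr).lower()
    return run.returncode == 0 and "fragment" not in output and "too long" not in output


def largest_passing_payload(probe: Callable[[int], bool], lo: int = 0,
                            hi: int = ETHERNET_MTU - IP_ICMP_HEADERS) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds, or -1 if none does.

    Relies on the same property the manual method assumes: if size N passes,
    every smaller size passes too, so a binary search needs about 11 probes
    for the 0..1472 range instead of one probe per 8-byte step."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid            # mid passed: the boundary is at or above it
        else:
            hi = mid - 1        # mid failed: the boundary is below it
    return lo


def path_mtu(probe: Callable[[int], bool],
             hi: int = ETHERNET_MTU - IP_ICMP_HEADERS) -> int:
    """Path MTU = largest passing payload + the 28 header bytes ping adds."""
    best = largest_passing_payload(probe, 0, hi)
    return -1 if best < 0 else best + IP_ICMP_HEADERS


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path with the given MTU, for offline testing."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.yahoo.com"
    mtu = path_mtu(lambda size: ping_df_ok(host, size))
    if mtu < 0:
        print(f"no DF ping to {host} got through at all; check ICMP filtering")
    else:
        print(f"path MTU to {host}: {mtu} (largest -l payload {mtu - IP_ICMP_HEADERS})")
```

Run it as `python mtu_probe.py <hostname>`; against a host behind a PPPoE line it reports 1492, which is the value to put on the WAN interface. Because a black-holed probe only shows up as a timeout, the search takes longer on paths that drop ICMP, but the result is still correct as long as the largest passing size is reproducible.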

2. METHOD #2: AUTOMATICALLY

1. Download & install this small tool at http://www.elifulkerson.com/projects/mturoute.php
2. Use the -t option to automate the MTU tests.

This tool even shows at which hop a reduction occurs. This tool was provided by @Qlemo (Thanks!).

3. METHOD #3: CONTACT YOUR ISP

You can also contact your ISP for the recommended MTU value for your cable, DSL, T1 or other Internet connections. Cheers!

8 Comments
 

Expert Comment

by:Kevin Portell
This article was really helpful! THANK YOU VERY MUCH!

Author Comment

by:Blue Street Tech
Hi LBSOverlordn

You're welcome. I'm glad you liked it!

Expert Comment

by:noci
Small correction:
     Ping -f -l # <URL>
Should be:
    Ping -f -l # <Hostname>

As a URL consists of:
<scheme>:<scheme-specific> (RFC 2396 http://www.ietf.org/rfc/rfc1738.txt) later this was transformed to URI's
<scheme>://[<username>[:<password>]@]<hostname>[:<portname>]/...
(in RFC 2396 http://www.ietf.org/rfc/rfc2396.txt)

As ping can only be bothered with a hostname, it should be mentioned as such.
(names may be replaced with their respective numbers, like IP addresses, port numbers, ...)

Author Comment

by:Blue Street Tech
Hi noci,

Thanks for reading the article and spotting that for me. I have sent the changes through. Take care!

Expert Comment

by:Peter Wilson
Awesome! This is exactly what I needed. It solved three of our issues. Thanks again!!!!

Author Comment

by:Blue Street Tech
Thanks Peter...glad it helped you!

Expert Comment

by:Jason Shaw
Would changing the MTU on one side of a VPN tunnel cause any issues with the VPN?

Author Comment

by:Blue Street Tech
Hi Jason, I assume you are only changing it on one side of a VPN tunnel. If I am correct, then it would only benefit one side of the connection. So if that connection is having the issues then it may remedy the problem, however for greater efficacy I'd do both ends (they most likely will not have the same MTU).
