Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Unstable/Slow Performing Networks or VPNs? …just go grocery shopping!

Blue Street TechLast Knight
We are the Special Ops team of cybersecurity. We provide the people, processes & tools to make cybersecurity work effectively.
Imagine you have a shopping list of items you need to get at the grocery store. You have two options:
A. Take one trip to the grocery store and get everything you need for the week, or
B. Take multiple trips, buying an item at a time, to achieve the same feat.
Obviously, unless you are purposefully trying to get out of the house you’d choose “A”. But why do we so often times choose “B” when it comes to our data transmission performance? The key metric here is efficiency.How many trips do you want to take?

MTU…says you need to buy Milk in 1 Gallon containers rather than by the ounce!

MTU is an acronym that stands for the Maximum Transmission Unit, which is the single largest physical packet size, measured in bytes, a network can transmit. If messages are larger than the specified MTU they are broken up into separate, smaller packets also known as packet fragmentation or “fragmented”, which slows the overall transmission speeds because instead of making one trip to the grocery store you are now making multiple trips to achieve the same feat. In other words, the maximum length of a data unit a protocol can send in one trip, without fragmentation occurring is dictated by the MTU value defined.

Do I Really need to Manually Correct the MTU Value?

The correct MTU value will help you select the correct shopping cart size in order to be the most efficient in your grocery shopping so that you don’t have to take multiple trips. Shouldn’t I just leave the MTU at the default/automatic settings? In general, many people think of only the network protocol Ethernet MTU (having a theoretical maximum of 1500). However, this Article primarily deals with performance problems related to instability/connectivity issues with the WAN or VPN. For example in the case of VPN issues, the VPN encapsulation process naturally causes an overhead to exist. For this reason most VPNs send their transport packets with the “Do Not Fragment” (DNF) option enabled, simplifying the encapsulated TCP, thereby preventing needless re-transmission (fragmentation).

This means that the Windows 7 MTU (for example) of the virtual interface must be smaller than the MTU of your network (Ethernet) card in order to allow “spare room” for the outer “encapsulation” packet.

The majority of VPNs comprehend this and therefore set MTU automatically/dynamically. To achieve this automatic setting, they may use methods like Path MTU (PMTU) Discovery to figure this out, and then enforce the DNF bit (flag) accordingly.

However, nothing is perfect and there are numerous scenarios where this “automatic” MTU Discovery process can fail. Here are a few examples:
Scenario #1 - A network layer exists *not* running on Ethernet (e.g. some DSL lines using ATM/PPPoE + PPPoA, “CSU/DSU serial”, etc.) between the client & server, which are both running on Ethernet and one of these layers do not support PMTU.
Scenario #2 - Disabling ICMP on the Firewall can result in PMTU failing.


A larger MTU is more efficient in cases where your network link is reliable.
However, a single incorrect bit in a packet or any packet loss for that matter means the entire singularly-larger packet must be sent all over again if your network link is unreliable. In this case, a lower MTU value would achieve better performance.

Determining the MTU Value for Your Internet Connection

Modifying the MTU values for the WAN and/or VPN interface, in some environments, can provide a tremendous performance boost.
For example, many flavors of DSL such as PPPoE and PPPoA add additional layers of padding to the datagram and thereby reduce the “spare” size of the MTU. As a general rule of thumb, such DSL connections may operate more effectively at a reduced MTU of something near 1400.

Performing the MTU Packet Size Test.


1. In Windows, go to Start > Run > cmd
2. Type this command: Ping -f -l # <Hostname>
Ping -f -l 1500

Open in new window

3. Reduce the packet size by 8 bytes (1500-8 = 1492), then test again.
4. Repeat step #3, reducing again by 8 (1492-8 = 1484, then 1484-8 = 1476, and so on) and test between each reduction, until you receive: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).
5. Once you find a value which has no loss use that number as your MTU value for your WAN Interface on your Firewall.
NOTE: Per RFC 791, the valid range of MTU is from 68 to 65535 and there is no requirement that MTU be a multiple of 8. The numeric value actually represents a count of octets.

If the packet was too large you will receive the following message: "Packet needs to be fragmented but DF set" (with 100% packet LOSS). If the PING passes successfully, you will receive a reply from the IP address specified along with the final post Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).

Explanation of parameters: The switches for Ping -f -l # <Hostname>
-f             indicates do not fragment.
-l             indicates the size.
#             indicates the packet size you'll be sending, type in a value e.g. (1500).
<Hostname>  represents the URL or IP address, type in a URL e.g. (


1. Download & install this small tool at
2. Use the -t option to automate the MTU tests.

This tool even shows at which hop a reduction occurs. This tool was provided by @Qlemo (Thanks!).


You can also contact your ISP for the recommended MTU value for your cable, DSL, T1 or other Internet connections.Cheers!

If you found this article enjoyable or interesting, please click the Yes button near the:

      Was this article helpful?

label that is just below and to the right of this text.   Thanks!
Blue Street TechLast Knight
We are the Special Ops team of cybersecurity. We provide the people, processes & tools to make cybersecurity work effectively.

Comments (8)

Blue Street TechLast Knight
Distinguished Expert 2018


Hi noci,

Thanks for reading the article and spotting that for me. I have sent the changes through. Take care!
Awesome! This is exactly what I needed. It solved three of our issues. Thanks again!!!!
Blue Street TechLast Knight
Distinguished Expert 2018


Thanks Peter...glad it helped you!
Would changing the MTU on on-side of VPN tunnel cause any issues with VPN ?
Blue Street TechLast Knight
Distinguished Expert 2018


Hi Jason, I assume you are only changing it on one side of a VPN tunnel. If I am correct, then it would only benefit one side of the connection. So if that connection is having the issues then it may remedy the problem, however for greater efficacy I'd do both ends (they most likely will not have the same MTU).

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.