
Change MTU for Windows VPN


I am having a specific issue with my VPN and I need to change the MTU for the Windows VPN, which defaults to 1400. I need this to be 1500, as requested by my ISP.

I have followed the Microsoft KB Article: HOW TO: Change the Default Maximum Transmission Unit (MTU) Size Settings for PPP Connections or for VPN Connections (http://support.microsoft.com/default.aspx?scid=kb;en-us;826159&Product=winxp)

But this has not made a difference, as the ping report below suggests:

C:\>ping -f -l 1472 (THIS WOULD IMPLY AN MTU OF 1500)

Pinging with 1400 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping -f -l 1372 (THIS IMPLIES THAT THE MTU IS 1400)

Pinging with 1372 bytes of data:

Reply from bytes=1372 time=14ms TTL=128
Reply from bytes=1372 time=16ms TTL=128
Reply from bytes=1372 time=17ms TTL=128
Reply from bytes=1372 time=18ms TTL=128

Can anybody help me with this as it is becoming URGENT now!!

Rob Williams commented:
The easiest way to change the MTU is using the very common application DrTCP, available from:
The default, by the way, is 1500, unless you are using an installed PPPoE connection, in which case it is 1492.

The results of "C:\>ping -f -l 1372 (THIS IMPLIES THAT THE MTU IS 1400)" actually do not imply what the MTU is set to, but rather what it needs to be set to. The concept is to keep lowering the MTU value in the command line until you do not get "Packet needs to be fragmented but DF set." as a result, and then set the MTU to that value. For an outline of using the command and finding the optimum MTU see:
Rob Williams commented:
If you wish to check the current MTU value for a specific NIC, look at the following registry key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\{adapter name/number}\MTU

{adapter name/number} = some long number that doesn't seem to relate to anything
You will know you have the right key/{adapter name/number} if in the same key 'folder' you see your IP address.
Note: The Registry key seems to only exist if the value has been reset at some point, from the original default.
continum (author) commented:
The symptoms of the problem we are experiencing are these:
Dialup VPN users accessing from the internet cannot copy files (using Windows file copy drag and drop) any larger than about 100K off the server (upload to the server is fine).
We have checked the config of all the hardware and even taken some out for testing. Even with the bandwidth feed plugged directly into the WatchGuard X Edge firewall the problem still exists.
We have swapped the Edge for another just in case - not fixed.
When testing the connection from a subnet (outside the Edge firewall but not across the internet) the VPN and file copy work exactly as they should.
Apart from the ISP we have this identical setup in multiple locations without a problem. It was the ISP that put us onto MTU during troubleshooting, although we are not 100% convinced that this is the issue.
We have seen the same issue once before with a VPN server offsite and the client onsite. In this instance the file copy problem was upload to the server (so therefore still copying files from our LAN across the VPN (and internet) to the destination machine).
The ISP tech guy is adamant this is not their problem.
Rob Williams commented:
No question MTU can cause problems. Often when you can see files and browse successfully, but fail when opening or copying files, it is an MTU issue. PPTP VPNs require an MTU of 1430 or less. I assume if you are using the WatchGuard you are using IPSec, for which I have never seen a specific MTU requirement. The dslreports site: http://www.dslreports.com/faq/5793 outlines the procedure for finding the optimum MTU, although I have heard it is not a truly accurate method for VPNs. I would however recommend changing the remote PC and its associated router to 1300 and running a test to see if it resolves the problem. If so, you may want to start "tweaking" from there. If you have multiple VPN users/sites and only some exhibit the problem I would assume the remote site/s are the problem.
A couple of other MTU sites you may want to have a look at:
continum (author) commented:
The problem VPN is a standard Windows dialup VPN and the WatchGuard is just running NAT (or port translation) on TCP 1723 & Protocol 47. The issue exists for all offsite dial-in connections. There is an office with another Edge running a hardware VPN to our Edge and this again is working perfectly.
Rob Williams commented:
By dial-up I assume you mean the standard Windows client, not an actual dial-up connection (true dial-up 56K modem requires much lower MTU, I believe <600). If using PPTP it could well be the MTU, especially if you have changed it to be >1430. This is usually automatically controlled by the PC's virtual connection and the router, but you might want to give it a try with lower settings. 1300 is about as low as you can safely go but your test results above would indicate 1372 is OK and possibly higher. Try setting all routers and the client PC to 1372 and see if it resolves. As far as I know it is strictly a trial and error procedure.
Rob Williams commented:
continum, did you have a chance to try changing the MTU, and if so, any luck?
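
The procedure discussed in this thread (lower the `ping -f -l` payload until "Packet needs to be fragmented but DF set." no longer appears, then add the 28 bytes of IP and ICMP headers), shown as an added example that is not part of the original thread. It generalizes the manual trial and error to a binary search; the function names, the 548-byte floor and the sample reply line with address 192.0.2.10 are assumptions made for illustration.

```python
import re
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header (1472 + 28 = 1500)

# Constructed sample lines in the format of the Windows ping output quoted above.
SAMPLE_FRAG = "Packet needs to be fragmented but DF set."
SAMPLE_OK = "Reply from 192.0.2.10: bytes=1372 time=14ms TTL=128"

def classify(ping_output):
    """Map Windows ping output to 'frag', 'ok' or 'lost'."""
    if "needs to be fragmented" in ping_output:
        return "frag"
    if re.search(r"bytes=\d+", ping_output):
        return "ok"
    return "lost"  # timeout or unreachable: counted as a failed probe

def windows_probe(host):
    """Build probe(size) that runs `ping -f -l <size> -n 1 <host>` (Windows only)."""
    def probe(size):
        cmd = ["ping", "-f", "-l", str(size), "-n", "1", host]
        return classify(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return probe

def simulated_probe(path_mtu):
    """Constructed stand-in for a real path so the search runs offline."""
    def probe(size):
        fits = size + ICMP_OVERHEAD <= path_mtu
        return classify(SAMPLE_OK if fits else SAMPLE_FRAG)
    return probe

def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest DF payload that gets a reply.

    Returns (payload, mtu), or None when even `low` fails (host unreachable,
    ICMP filtered, or a path MTU below the assumed 576-byte floor).
    """
    if probe(low) != "ok":
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid) == "ok":
            low = mid       # mid fits: search upward
        else:
            high = mid - 1  # mid too large (or lost): search downward
    return low, low + ICMP_OVERHEAD

if __name__ == "__main__":
    print(find_path_mtu(simulated_probe(1400)))
```

On Windows, `find_path_mtu(windows_probe(host))` runs the real probes against `host`; a single lost packet is counted as a failed probe, so repeat the run on a lossy link before trusting the result.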
