IP MTU & Fragmentation over L2TP

Hi all,

We have a site router connecting over a 3G Carrier Network via L2TP/VPDN into our Cisco 7204 LNS Router to forward onto the customer network.

All sessions connecting OK and pings from site to customer data-centre OK.

However, we have found that when packets of size 1464 are sent from the site to the data-centre, then the ping fails.  Packet size 1456 works OK.

According to the customer, they can see the ping request hit the destination server in the data-centre, which then replies.  But the site never receives the reply from the server in the data-centre back across the L2TP link.

All Ethernet links are default MTU 1500.

We are being asked if the LNS Router is causing this, so need to prove if it is or not.

Any help would be greatly appreciated.

Cheers

Stephen
Asked by: DScouser

2 Solutions
 
Rick_O_ShayCommented:
The encryption protocols use up bytes for their packet headers so the payload size does get reduced accordingly. A 1456 payload size sounds about right.
 
Rick_O_ShayCommented:
Forgot to add that unless fragmenting isn't being allowed, it shouldn't cause a problem. It will just chop the larger packets up into the required number of smaller fragments. In the case you talked about, it sounds like fragmenting isn't being allowed.
 
rochey2009Commented:
Hi,

http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#tcp_mss

You could try reducing the tcp mss automatically for tcp connections over the link

ip tcp adjust-mss <max seg size>

can be used at the interface level. You'll need to calculate the correct tcp max segment size for the link taking into consideration the size of the l2tp header etc.
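An added example (not from this thread, and not Cisco code) that works through the calculation rochey2009 describes, together with the fragmentation and DF-bit behaviour discussed further down the thread: it derives the tunnel's encapsulation overhead, the resulting inner MTU and the value to give "ip tcp adjust-mss", and what an LNS should do with an inner datagram that does not fit (fragment it, or drop it and return ICMP type 3 code 4 when DF is set). The header sizes are assumptions (L2TPv2 over UDP, IPv4 outer header without options, compressed PPP address/control fields); confirm them against the options your tunnel actually negotiates.

```python
# Assumed header sizes in bytes (L2TPv2 data channel over UDP, IPv4 outer
# header without options, PPP with address/control field compression).
OUTER_MTU = 1500   # physical link MTU, as in the thread
OUTER_IP = 20      # outer IPv4 header
OUTER_UDP = 8      # L2TP runs over UDP
L2TP_MIN = 6       # flags/version, tunnel ID, session ID
L2TP_LEN = 2       # optional Length field
L2TP_SEQ = 4       # optional Ns/Nr sequence numbers
PPP = 2            # PPP protocol field
INNER_IP = 20      # inner IPv4 header
TCP = 20           # TCP header without options
ICMP_FRAG_NEEDED = (3, 4)  # ICMP type 3 (unreachable), code 4 (frag needed, DF set)


def l2tp_overhead(length_field=False, sequencing=False):
    """Bytes added around each inner datagram by L2TP/UDP/IP encapsulation."""
    return (OUTER_IP + OUTER_UDP + L2TP_MIN + PPP
            + (L2TP_LEN if length_field else 0)
            + (L2TP_SEQ if sequencing else 0))


def max_inner_packet(**opts):
    """Largest inner IP datagram that fits one outer frame unfragmented."""
    return OUTER_MTU - l2tp_overhead(**opts)


def tcp_mss_for_tunnel(**opts):
    """Value for 'ip tcp adjust-mss': inner MTU minus inner IP and TCP headers."""
    return max_inner_packet(**opts) - INNER_IP - TCP


def forward(inner_len, df, **opts):
    """What the LNS should do with an inner datagram of inner_len bytes.

    Returns ('forwarded', None), ('fragmented', None), or
    ('dropped', (icmp_type, icmp_code, next_hop_mtu)) for a DF packet
    that is too large, which is the error the sender relies on for PMTUD.
    """
    limit = max_inner_packet(**opts)
    if inner_len <= limit:
        return ("forwarded", None)
    if df:
        return ("dropped", ICMP_FRAG_NEEDED + (limit,))
    return ("fragmented", None)


if __name__ == "__main__":
    for opts in ({}, {"length_field": True, "sequencing": True}):
        print(opts, "overhead", l2tp_overhead(**opts),
              "inner MTU", max_inner_packet(**opts),
              "adjust-mss", tcp_mss_for_tunnel(**opts))
    print(forward(1500, df=True))   # too big with DF set: ICMP 3/4 expected
```

If "show ip traffic" never shows the unreachable being generated while DF packets above the inner MTU are lost, the drop is happening somewhere else on the path, not on the LNS.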
 
DScouserAuthor Commented:
Thanks for the replies up to now. The connection is UDP.
 
rochey2009Commented:
Hi,

You could try clearing the DF bit in the ip header so that the router will be allowed to fragment the ip packets.

The very last section of the following document shows you how to clear the DF bit.

http://www.cisco.com/en/US/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#tcp_mss
 
DScouserAuthor Commented:
Thanks, I tried that yesterday: created the route-map and applied the policy to the incoming Ethernet interface from the customer network.

From the "show ip traffic" command, I do not see ICMP unreachables being sent from the LNS. I'm under the impression that if the LNS was dropping the packet, it would send an ICMP code 4 back.
 
rochey2009Commented:
When you're doing the pings, are you setting the DF bit in the packet? When you set the DF bit, what is the limit on packet size before you receive the ICMP error?
 
DScouserAuthor Commented:
Completed, thanks all.