
MTU IPSec Zero Route

I have been working on this problem for quite some time now with zero results.
For some reason, even after working out the correct MTU (with ping -f -l xxxx or mtupath.exe), I still get terrible/no results on web browsing speed. Now it seems as if I need to reboot the remote box every day or two for web browsing to re-establish. All other traffic passes fine; HTTP doesn't.

Main site is running a Watchguard x550, external interface on an Ethernet line.
Remote is running a Watchguard x15, external interface on a PPPoE line.
There is an IPSec tunnel between the two locations with a zero route to force the traffic through the main site for web blocker purposes.

MTU on main\external-interface is set to 1500. (Best I could get)
MTU on remote\external-interface is set to 1400 (Best I could get)
Websites do not load. Unless…
If I change the MTU on Main\external-interface to 1492 the remote sites are fast and web browsing is perfect.

Why would changing the main\external-interface MTU to 1492 solve the remote speed issues?

Here is the MTU I worked out with mtupath.exe and the same results with the simple DOS command:
From Main, To Internet, MTU=1500
From Main, To Remote, MTU=1436
From Remote, To Internet, MTU=1400
From Remote, To Main, MTU=1436

If I remove the zero route on the VPN tunnel then web traffic is fine.
1 Solution
The default MTU for a PPPoE line is 1492, and your remote sites are connected by PPPoE to the Internet.
So without the zero route, your web traffic from the remote site will go directly to the Internet with an MTU of 1492.

On the main site you have an Ethernet connection, so the MTU is 1500, as this is the default MTU for Ethernet ports.

Between main and remote you are using a VPN, so because of the IPSec headers plus the PPPoE header, the MTU is lower:
1436 = 1500 - 8 - IPSec header

What do you use as the web blocker? As only web traffic is affected, I suspect that the web blocker affects the MTU in some way.
Can you temporarily disable the web blocker and try to route web traffic from the remote site through the main site?
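Worked example of the overhead arithmetic in the solution above (added here as an illustration; it is not code from this thread or from Watchguard). It computes, for an assumed ESP tunnel-mode cipher suite, the largest inner packet that fits a 1492-byte PPPoE link in a single outer packet, the overhead ESP adds to a given inner packet, and the TCP MSS to clamp so that HTTP sessions never hand the tunnel a full-size segment. The suite parameters (IV length, cipher block size, 12-byte ICV), the header constants and all function names are assumptions; the real overhead on the x550/x15 depends on the Phase 2 proposal actually negotiated, which is why the measured 1436 from mtupath.exe is the figure to trust.

```python
"""Largest inner packet that fits an IPsec ESP tunnel without fragmenting the
outer packet, and the TCP MSS to clamp behind it.

Added example, not Watchguard code. Sizes below follow RFC 4303 (ESP) for
IPv4 without IP options; the cipher suites are assumptions for illustration.
"""
from dataclasses import dataclass

OUTER_IPV4_HEADER = 20   # outer (tunnel) IPv4 header, no options
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)
PPPOE_OVERHEAD = 8       # PPPoE header (6) + PPP protocol id (2) inside a 1500-byte Ethernet frame
IPV4_PLUS_TCP = 40       # inner IPv4 (20) + TCP (20) headers without options


@dataclass(frozen=True)
class EspSuite:
    """Per-packet sizes that depend on the negotiated Phase 2 proposal (assumed values)."""
    name: str
    iv_len: int      # bytes of IV carried in clear after the ESP header
    block_len: int   # cipher block size; encrypted region is padded to a multiple of this
    icv_len: int     # integrity check value appended after the trailer


# Two plausible suites for hardware of this era (assumptions, not the thread's configuration).
TRIPLE_DES_SHA1 = EspSuite("3des-cbc/hmac-sha1-96", iv_len=8, block_len=8, icv_len=12)
AES128_CBC_SHA1 = EspSuite("aes128-cbc/hmac-sha1-96", iv_len=16, block_len=16, icv_len=12)


def pppoe_link_mtu(ethernet_mtu: int = 1500) -> int:
    """IP MTU available on a PPPoE session over a standard Ethernet frame (1492)."""
    return ethernet_mtu - PPPOE_OVERHEAD


def max_inner_packet(outer_link_mtu: int, suite: EspSuite) -> int:
    """Largest inner (pre-encryption) IP packet that fits outer_link_mtu in one ESP packet."""
    budget = outer_link_mtu - OUTER_IPV4_HEADER - ESP_HEADER - suite.iv_len - suite.icv_len
    # inner packet + padding + 2-byte trailer form the encrypted region, which must be
    # a whole number of cipher blocks, so round the budget down to the block size
    encrypted_region = budget - budget % suite.block_len
    return encrypted_region - ESP_TRAILER


def esp_overhead(inner_len: int, suite: EspSuite) -> int:
    """Bytes ESP tunnel mode adds to an inner packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % suite.block_len
    return OUTER_IPV4_HEADER + ESP_HEADER + suite.iv_len + pad + ESP_TRAILER + suite.icv_len


def fits_without_fragmentation(inner_len: int, outer_link_mtu: int, suite: EspSuite) -> bool:
    """True if the encapsulated packet leaves the box in a single outer packet."""
    return inner_len + esp_overhead(inner_len, suite) <= outer_link_mtu


def tcp_mss_for(tunnel_mtu: int) -> int:
    """MSS to advertise/clamp so a full TCP segment never exceeds the tunnel MTU."""
    return tunnel_mtu - IPV4_PLUS_TCP


if __name__ == "__main__":
    link = pppoe_link_mtu()
    for suite in (TRIPLE_DES_SHA1, AES128_CBC_SHA1):
        inner = max_inner_packet(link, suite)
        print(f"{suite.name}: max inner packet over a {link}-byte link = {inner}, "
              f"overhead at that size = {esp_overhead(inner, suite)}")
    print("1500-byte inner packet fits 3DES tunnel:", fits_without_fragmentation(1500, link, TRIPLE_DES_SHA1))
    print("MSS to clamp for the measured 1436 tunnel MTU:", tcp_mss_for(1436))
```

With 3DES-CBC/HMAC-SHA1 the model gives a 1438-byte inner packet and with AES-CBC 1422, which brackets the 1436 measured across the tunnel; a 1500-byte packet from the main site's LAN never fits either way, so it is fragmented or dropped before it reaches the remote x15. Clamping the MSS to 1396 on the tunnel (or on the main site's LAN interface) removes the dependency on ICMP "fragmentation needed" messages, which is the usual fix when only TCP traffic such as HTTP stalls.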
huntex (Network Administrator, Author) commented:
Thank you.
I have disabled the web blocker (by Watchguard); the connection still stalls/drops.

My main question is: is it normal that I have to set an MTU lower than 1500 on the main\external interface, which is on Ethernet, to allow the remote sites to function properly?
Blue Street Tech (Last Knight) commented:
Hi huntex,

You should be modifying the Watchguard's WAN connection. Here is how to manually or automatically achieve the correct MTU: http://www.experts-exchange.com/A_12615.html

Let me know how it goes!
> Why would changing the main\external-interface MTU to 1492 solve the remote speed issues?

Because most of the web traffic flows inward (small queries, big answers).

If your external MTU is bigger than the internal one, packets get fragmented.

This is worse with small differences: a 1500-to-1492 translation will produce a 1492-byte packet and a ridiculously small 8-byte packet for almost zero payload.

In that case (for example PPPoE on the external side and a regular LAN with no VLAN on the LAN side), you had better set the LAN's MTU to 1492 if you want proper incoming traffic.

If the MTUs match exactly (think about what encapsulation each device adds), traffic will flow both ways flawlessly.

Refer to @Fidelius's posts for the added encapsulations.
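The fragmentation the answer above describes, worked through as an added example (not code from this thread or from Watchguard): an IPv4 router that receives a 1500-byte datagram for a 1492-byte PPPoE next hop has to cut the payload at an 8-byte-aligned offset, so the first fragment carries 1472 bytes of payload and the second carries the remaining 8 bytes behind its own 20-byte header, 1520 bytes on the wire for 1480 bytes of data. The same function models the Don't Fragment case, where the router discards the datagram and returns ICMP "fragmentation needed" with the next-hop MTU, which is the signal Path MTU Discovery and mtupath.exe's probing depend on and which is lost when a filter blocks ICMP. Class and function names are illustrative.

```python
"""IPv4 fragmentation at a router whose next hop has a smaller MTU.

Added example, not code from the page. Models RFC 791 fragmentation for a
datagram without IP options; the 'DF set' branch stands in for the ICMP
type 3 code 4 message a router sends instead of fragmenting.
"""
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20  # no options, so every fragment repeats a 20-byte header


@dataclass(frozen=True)
class Fragment:
    offset: int            # byte offset of this fragment's payload in the original datagram
    payload_len: int       # bytes of original payload carried
    more_fragments: bool   # MF flag: False only on the last fragment

    @property
    def wire_len(self) -> int:
        """Size of the fragment as sent on the link, header included."""
        return IPV4_HEADER + self.payload_len


class FragmentationNeeded(Exception):
    """Stand-in for ICMP 'fragmentation needed and DF set', carrying the next-hop MTU."""

    def __init__(self, next_hop_mtu: int) -> None:
        super().__init__(f"fragmentation needed, next-hop MTU {next_hop_mtu}")
        self.next_hop_mtu = next_hop_mtu


def fragment(total_len: int, next_hop_mtu: int, dont_fragment: bool = False) -> List[Fragment]:
    """Split a datagram of total_len bytes (header included) for a link of next_hop_mtu bytes."""
    if total_len <= next_hop_mtu:
        return [Fragment(0, total_len - IPV4_HEADER, False)]   # forwarded unchanged
    if dont_fragment:
        raise FragmentationNeeded(next_hop_mtu)                 # dropped, sender is told the MTU
    payload = total_len - IPV4_HEADER
    # the fragment offset field counts 8-byte units, so every non-final fragment
    # must carry a multiple of 8 payload bytes; round the usable space down
    chunk = (next_hop_mtu - IPV4_HEADER) // 8 * 8
    frags: List[Fragment] = []
    offset = 0
    while offset < payload:
        n = min(chunk, payload - offset)
        frags.append(Fragment(offset, n, more_fragments=offset + n < payload))
        offset += n
    return frags


def wire_sizes(total_len: int, next_hop_mtu: int) -> List[int]:
    """On-the-wire size of each fragment produced for the given datagram and link."""
    return [f.wire_len for f in fragment(total_len, next_hop_mtu)]


def bytes_on_wire(total_len: int, next_hop_mtu: int) -> int:
    """Total bytes the link carries for one original datagram."""
    return sum(wire_sizes(total_len, next_hop_mtu))


if __name__ == "__main__":
    print("1500-byte datagram onto a 1492 link:", wire_sizes(1500, 1492))
    print("1492-byte datagram onto a 1492 link:", wire_sizes(1492, 1492))
    try:
        fragment(1500, 1492, dont_fragment=True)
    except FragmentationNeeded as icmp:
        print("DF set:", icmp, "-> sender should lower its path MTU to", icmp.next_hop_mtu)
```

The run-time check that goes with this is the one the question already used: ping -f -l 1472 from the main site toward the remote sets DF on a 1500-byte datagram and must come back "needs to be fragmented" at every hop that cannot carry it; if it silently times out instead, something on the path is eating the ICMP replies, and the only robust fixes are matching the MTUs on both sides of the tunnel or clamping the TCP MSS.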