Cisco 2620 and MTU size

Discussion in 'Cisco' started by DeVo, Sep 28, 2004.

  1. DeVo

    DeVo Guest

    I'm hoping someone can help me?

    I work for a hotel and have about as little knowledge of the Cisco
    Router as possible to be in charge of it. We have a Cisco 2620 for my
    guests/clients high speed internet access. Everything works fine.
    Except for my largest client who returns monthly. They VPN into their
    intranet, then access a third party attached to their intranet. Their
    VPN works fine, but when they try to access the third party site, the
    web page hangs. I have gotten hold of one of their system engineers,
    who says my MTU setting is too high. It is currently set for 1500
    (default). He would like us to drop this to 1200. I have attempted
    to do so, but the fast ethernet port tells me that I can not modify
    the MTU size.


    Is their some trick I can use? a patch? or do I need to go to
    management and ask for a new router?

    Thanks in advance for any help.
     
    DeVo, Sep 28, 2004
    #1
    1. Advertisements

  2. Hello, DeVo!
    You wrote on 28 Sep 2004 14:12:06 -0700:

    D> I work for a hotel and have about as little knowledge of the Cisco
    D> Router as possible to be in charge of it. We have a Cisco 2620
    D> for my guests/clients high speed internet access. Everything
    D> works fine. Except for my largest client who returns monthly.
    D> They VPN into their intranet, then access a third party attached
    D> to their intranet. Their VPN works fine, but when they try to
    D> access the third party site, the web page hangs. I have gotten
    D> hold of one of their system engineers, who says my MTU setting is
    D> too high. It is currently set for 1500 (default).

    Do you know which VPN client this guest is using? Is it Cisco, Nortel,
    Microsoft, something else? I think MTU has nothing to do with this problem.
    Chances are there is something wrong between third party site and intranet.
    Routing? ACL?
    Think about pipeline - you are providing a pipe from hotel, customer run his own
    pipe inside yours to his intranet. You can see that your pipe is OK - customer's
    pipe is going where it should and no complains. Now, you don't have any
    visibility to whatever happens inside of customer's pipe - is it clogged
    somewhere, is he using water of wrong format?
    Since it's not under your control and you can't plug a sniffer there to find out
    for sure what's going on, the best strategy would be to politely redirect this
    customer to his own IT department.

    D> He would like us to drop this to 1200. I have attempted to do so, but the
    D> fast ethernet port tells me that I can not modify the MTU size.

    And what's more important is that advise to lower MTU is just a wrong one. If
    server is really trying to send a 1500 bytes packet and Path MTU discovery
    broken that how lowering your MTU (diameter of outside pipe) would help?

    With best regards,
    Andrey.
     
    Andrey Tarasov, Sep 29, 2004
    #2
    1. Advertisements

  3. DeVo

    hdu Guest

    1. The one can lower the MTU is your client's notebook, that is their system
    engineers' problem.
    2. Path MTU Discovery can be turn on/off in most of OS. This may help in
    some case.


    --

    ~ ªÑ²¼»ù®æ¦³¤É¦³¶^, ¶R½æ­n¯à©Ó¾á­·ÀI ~

    ~ Samba, more than a low cost File and Printer server ~

    -- Let us OpenSource --
     
    hdu, Sep 29, 2004
    #3
  4. DeVo

    PES Guest

    This is a classic sign of pmtud being broken somewhere. Make sure your
    inside and outside mtu is the same. If so your router should need to issue
    a icmp packet too big. Also, make sure that you aren't overfiltering icmp
    anywhere. This could be an acl on the external interface of your router, or
    even something the isp is doing. If you cannot get this resolved, the only
    alternative would be to lower the mtu on the laptop. Lowering your mtu
    would actually make matters worse.
     
    PES, Sep 29, 2004
    #4
  5. DeVo

    MarcelM Guest

    Hi,

    I'm almost sure that this is MTU related, since i have seen the same
    problem.
    the interface command you are looking for is "ip tcp adjust-mss 1200"
    but this is only available in T release of the IOS, so i think you
    need to upgrade it on your router before it is available.Another test
    you can do is to change the MTU on the client it self (look for
    cablenut MTU tool on the web).
     
    MarcelM, Sep 29, 2004
    #5
  6. Sure it can be MTU related. I saw this problem many times during my
    tenure at Network Alchemy (and later Nokia when they acquired us) while
    supporting the CryptoCluster.
    Well, if pmtud is broken, lowering the MTU means you'd be doing by hand
    what pmtud does on its own.

    Reducing the MTU size on the router might fix the problem, but you would
    be detuning your network to favor one customer in detriment of the rest.

    A more appropriate fix might be to ask the gues to reduce the MTU size
    on his host interface(s), and/or suggest to him that his IT or network
    folks look into this matter and perhaps allow ICMP messages so pmtud
    works.

    -jav
     
    Javier Henderson, Oct 3, 2004
    #6
  7. Hello, Javier!
    You wrote on 02 Oct 2004 19:10:02 -0700:

    ??>> Do you know which VPN client this guest is using? Is it Cisco,
    ??>> Nortel, Microsoft, something else? I think MTU has nothing to do
    ??>> with this problem.

    JH> Sure it can be MTU related. I saw this problem many times during
    JH> my tenure at Network Alchemy (and later Nokia when they acquired
    JH> us) while supporting the CryptoCluster.

    I should've put it differently - has nothing to do with MTU on router in
    question.

    D>>> He would like us to drop this to 1200. I have attempted to do
    D>>> so, but the fast ethernet port tells me that I can not modify
    D>>> the MTU size.
    ??>>
    ??>> And what's more important is that advise to lower MTU is just a
    ??>> wrong one. If server is really trying to send a 1500 bytes
    ??>> packet and Path MTU discovery broken that how lowering your MTU
    ??>> (diameter of outside pipe) would help?

    JH> Well, if pmtud is broken, lowering the MTU means you'd be doing
    JH> by hand what pmtud does on its own.

    MTU should be lowered on end systems. Once again - advice to do it on a router
    in the middle of traffic path is wrong one.

    JH> Reducing the MTU size on the router might fix the problem, but
    JH> you would be detuning your network to favor one customer in
    JH> detriment of the rest.

    JH> A more appropriate fix might be to ask the gues to reduce the MTU
    JH> size on his host interface(s), and/or suggest to him that his IT
    JH> or network folks look into this matter and perhaps allow ICMP
    JH> messages so pmtud works.

    With best regards,
    Andrey.
     
    Andrey Tarasov, Oct 3, 2004
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.