Ip tcp adjust-mss on LAN and BVI

Hi all,
Just a quick question: we have routers configured with a LAN interface bridged to a BVI interface.
I want to set ip tcp adjust-mss 1420, but which port will take precedence?
My question: on which port do I configure this command?
interface FastEthernet0/0.2 
 description ### Corp LAN ###
 encapsulation dot1Q 2
 no ip redirects
 ip accounting output-packets
 ip nbar protocol-discovery
 ip tcp adjust-mss 1420   <<<
interface BVI2
 description ### Corp VLAN ###
 ip address 192.168.231.1 255.255.255.0 
 ip flow ingress

Since this command works at the IP layer, you will need to apply it to the routed interface. That will be BVI2 in this case.
Regards,
Mike

Similar Messages

  • IP TCP Adjust MSS

    Hi
    We have a network setup where the customers come via the Internet to a 7600, and from there we forward this to the MPLS VPN cloud.
    CE -----Internet cloud -------Internet Access router --- 7600-----IP VPN cloud
    We use an IPsec tunnel from the CE to the 7600. Sometimes customers complain of email/other applications not working, etc.
    Most of the issues are resolved when we change the ip tcp adjust mss command on the LAN from a higher value to a lower value, like from 1452 to 1350, etc.
    Can somebody clarify the working of ip tcp adjust mss and its effect?
    Thanks in Advance
    Tarun

    When a host initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
    Links for Reference:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm
    http://cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
    http://cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml
    But the actual MSS between two end points is derived as below.
    MSS = MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen = MTU - 20 - 20 = MTU - 40.
    Now for GRE = GRE header + GRE IP header = 4 + 20 = 24
    IPSEC = 60 to 72 approx., depending on the encryption used.
    Since your Internet routers won't be supporting more than 1500 bytes as an MTU, effectively the MSS available for
    your host-to-server session is the actual MTU on the path minus the overhead mentioned above,
    which is MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen - (GRE header + GRE IP header) - IPSEC overhead
    1500 - (40+24+60~72) = 1376~1364.
    So a TCP MSS value of 1360 would be safe for your end-to-end TCP sessions over a GRE-IPSEC tunnel.
    If you were not doing a GRE-IPSEC till the 7600 and had a leased circuit to the 7600, then an MSS value of 1460 fits well.
    1500-40.
    HTH-Cheers,
    Swaroop

  • "ip tcp adjust-mss " command

    Hello Everyone,
    I wonder about the usage of the "ip tcp adjust-mss" command. Basically, should I apply this command on routers that are communicating point-to-point? Or is it not a must to apply this command on both ends?
    I have an IPsec-configured router and I cannot be sure whether I should apply this command on the LAN interface or the WAN interface. And do I have to apply this command on the other end?

    Hi,
    You can use following configuration instead of former command:
    #interface tunnel 0
    -if)#mtu 1600
    -if)#ip access-group DLP in
    -if)#ip address <><>
    #ip access-list extended DLP
    -acl)#statistics per-entry
    -acl)#deny ip any any packet-length gt <adjust value>
    -acl)#permit ip any any
    I think it may help you.
    Houtan

  • Ip tcp adjust-mss unidirection or bidirectional?

    If I configure this command on my Cisco CPE with a value of 1440, why do I still have packets that have an MSS of 1460, while I clearly see the TCP three-way handshake? I'm no Wireshark expert, but maybe you guys can tell me what I am doing wrong. I have made a capture between two hosts that are communicating with each other.
    Here is the direct link for a clearer picture: http://s16.postimg.org/4vyeqpg91/syn_bit.png

    Hi there,
    Correct me if I'm wrong: is the capture taken from a PC connected to the Cisco?
    The default MSS is 1460, which is MTU 1500 - 40 header = 1460, and is announced by the PC in the SYN. As you can see from the second packet, which is the SYN-ACK received on the PC through the router, the MSS is set to 1440, which means the MSS was modified/adjusted by the router.
    Please refer to the link below for more information and testing MSS.
    http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sb_admss.pdf
    HTH
    Hitesh
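
The clamping described in the replies above, as an added example that is not part of the original posts and not Cisco's implementation: a Python sketch of what an MSS-adjusting router does to the MSS option of a SYN or SYN-ACK, with the clamp value derived from the MTU-minus-overhead arithmetic in the GRE/IPsec reply. Addresses, ports and all function names are constructed for illustration.

```python
import struct

OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds
SYN = 0x02

def safe_mss(path_mtu, tunnel_overhead=0):
    """MSS = path MTU - 20 (IP header) - 20 (TCP header) - tunnel overhead."""
    return path_mtu - 20 - 20 - tunnel_overhead

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header + segment; 0 if the segment's own checksum is valid."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def find_mss_option(segment):
    """Walk the TCP options; return (offset_of_value, mss) or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < min(header_len, len(segment)):
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= header_len:
            break
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            break                      # malformed option list: stop, change nothing
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None

def clamp_mss(src_ip, dst_ip, segment, limit):
    """Lower (never raise) the MSS option of a SYN/SYN-ACK and fix the checksum."""
    if not segment[13] & SYN:          # MSS is only carried in SYN and SYN-ACK
        return segment
    found = find_mss_option(segment)
    if found is None or found[1] <= limit:
        return segment
    out = bytearray(segment)
    struct.pack_into("!H", out, found[0], limit)
    out[16:18] = b"\x00\x00"
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)

def build_segment(src_ip, dst_ip, mss, flags=SYN):
    """Constructed sample: 24-byte TCP header whose only option is MSS."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, 6 << 4, flags, 64240, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", OPT_MSS, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

PC = bytes([192, 168, 231, 10])        # constructed addresses
SERVER = bytes([203, 0, 113, 5])

def handshake_seen_from_pc(limit=1440):
    """Capture on the PC: its own SYN is unmodified, the SYN-ACK arrives clamped."""
    syn = build_segment(PC, SERVER, 1460)                    # leaves the PC as 1460
    syn_at_server = clamp_mss(PC, SERVER, syn, limit)        # after the router
    syn_ack = build_segment(SERVER, PC, 1460, flags=0x12)    # server also offers 1460
    syn_ack_at_pc = clamp_mss(SERVER, PC, syn_ack, limit)    # after the router
    return (find_mss_option(syn)[1],
            find_mss_option(syn_at_server)[1],
            find_mss_option(syn_ack_at_pc)[1])
```

A capture taken on the PC shows 1460 in its own SYN because the rewrite happens after the packet has left the host; the clamped value is only visible in the SYN-ACK coming back through the router or in a capture on the far side.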

  • MTU MSS DF Bit and Fragmentation

    I am running an encrypted link and want to check for and if necessary, remedy fragmentation.
    I'm using two connected 6500's with VPN modules.
    Using the NAM I sniffed the outbound physical interface and I see packets of various sizes, but the biggest is 128 bytes even during a massive file transfer. I'm assuming fragmentation but need to be sure.
    Using ping I see the biggest packet allowed without fragmentation is 1472.
    My primary intent is to first determine if there is a fragmentation issue. If there is, I'll probably follow up with questions on which command to use and where to put it. I assume that I would use either the physical outgoing interface (currently MTU=1500) or the inside crypto interface (current MTU=4500).
    1. How do I determine if there is a fragmentation issue?
    2. Which command to use and where?
    Any help would be appreciated.

    The issue is with large packets that have the don't-fragment bit set and become too large with the additional overhead of IPsec.
    Use the command "ip tcp adjust-mss" to set the TCP MSS (maximum segment size) low enough that the packet isn't fragmented.
    You may need to clear the DF bit entirely (it's a less efficient method, but it works). For the router, you can do so via "crypto ipsec df-bit clear".
    Try these links for more info:
    http://cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
    http://www.cisco.com/warp/public/105/pmtud_ipfrag.html
    http://www.cisco.com/warp/public/105/38.shtml

  • Cisco E900 ports 1990/tcp and 5916/tcp open on the LAN. Cannot close them.

    Hello,
    I just bought a Cisco Linksys E900 wireless router. Can someone explain to me why the router (192.168.1.1 in my case) has ports 1990/tcp and 5916/tcp open on the LAN? I cannot find a way to close those ports.
    Just do a simple:
    telnet 192.168.1.1 1990
    or
    telnet 192.168.1.1 5916
    and you'll see those ports are open.
    1990/tcp = Cisco STUN Priority 1 port
    5916/tcp = I have no idea
    Every client on the LAN (wired and wireless) can connect to those ports on the router. I do not want that to happen. It is unnecessary and it is just not secure. I only want the router to have port 443 open on the LAN for the web mgmt interface. I do not want any other unnecessary port open.
    It would be great to have a response from Cisco directly.
    Thank you for your time.

    JohnT66 wrote:
    Thank you for your response.
    The router is already updated to the latest firmware (1.0.04 Build 1).
    I had to do the update as soon as I opened the box because the default firmware had an incredibly serious bug: after setting up the web management interface on the LAN to work over SSL, it was impossible to access the interface because of an SSL bug in the router. The bug is in the release notes of the firmware... that alone says a lot about the very, very poor quality of this router. You can't have that kind of bug in a finished product...
    I was able to close port 1990/tcp by disabling WPS in the router, although doing so was pure luck since the router's UI is terrible.
    5916/tcp is still open. Since I was able to close 1990/tcp I don't think this is a defective router. I cannot return a router to the store just because it leaves a port open; the store, sadly, will not take it back. So please, Cisco, can you help with this? This product is faulty, it doesn't work as expected, it's your responsibility. Please help.
    Reset the router manually then reconfigure the settings.

  • In Order to Configure TCP/IP, You Must Install and Enable a Network Adapter Card

    I get this message when I try to TCP/IP settings in any network card. 
    "In Order to Configure TCP/IP, You Must Install and Enable a Network Adapter Card"
    What I have tried:
    1. Removed card, did not click on "Remove driver". Then re-scanned in device manager. This usually leads to the network card showing up with a yellow exclamation mark, and I can not get it work again (have to use system restore).
    2. Removed card, deinstalled driver, re-installed driver. 
    3. Rebooted a thousand times. 
    4. Used the Lenovo drivers.
    5. Used the Intel drivers. 
    Doesn't matter what I do, I'm stuck with yellow exclamation marks in the end for the LAN and WLAN card, with no hope to repair them.
    Driver version for the Intel 82579LM is 12.9.15.0
    Driver version for the centrino advanced-n 6205 is 15.10.4.2
    I'd really like some help on how to fix this so I'm able to configure my network manually. 

    For clarity, as your machine MTM number lists it with another type of WLAN adapter, and apparently, therein lies your problem.
    How To Fix Error Message : In Order To Configure TCP/IP , You Must Install And Enable Network Adapte...
    [How To Fix] In Order to Configure TCP/IP, You Must Install and Enable a Network Adapter Card

  • 5596UP killing Vcenter "heartbeat" packets on Lan and WAN

    Just moved my entire off a 6509 to the dual 5596up's running version 6.0(2)N2(5) with UCS.
    Now, Vcenter5 (physical machine not vm) is having problems with its "heartbeat" to tcp/udp 902.
    It isn't a routing issue, not an "arp issue", not an issue with a lower switch having "ip device tracking" enabled. Not an access-list block, not a firewall block.
    Every minute we can watch Vcenter lose contact with local VM's that are on the UCS  which is connected by Four 10-Gig trunks.
    All other protocols and devices have no issues. Its just Vcenter on the local lan and going out across our WAN.
    Had zero issues with this when I had all my core routing running on a 6509 running 12.2sx code. 
    Nothing changed on the Vcenter side or on our UCS.  The routing was just moved to the Nexus 5596UP's.

    VM monitoring is the TCP/UDP probes that Vcenter sends out to the VM servers every 20 seconds.
    This lets vcenter know that the VM servers are working correctly. Without a VM heartbeat, Vcenter thinks the Esx server is down, so you can't manage any of the VM hosts on that ESX server or migrate over VM's from one ESX server to another.

  • Monitor/capture tcp data between a server and client

    Hi
    I am doing a server/client TCP connection between my laptop and another computer running the server program. With my client program I am able to send commands to the server, to which it reacts. However, I do not know what the commands are (I just press a button in the client GUI and the command is sent), so my initial thought was that maybe I was able to monitor/capture the string/byte/integer commands which are sent over the TCP/IP. There are only these two computers on the network, so no problem with other traffic there. FYI, they are connected with a wireless peer-to-peer connection.
    My problem comes from the manufacturer of the software making a crabby manual, so really the commands in the manual, which I was supposed to send with my own TCP vi, are just impossible to understand, and don't get me started with their support :-)
    SO, any suggestions if it is possible to capture what is sent over the TCP when I press a button in my client GUI?
    LabVIEW 8.6 / 2009 / 2010
    Vision Development Module 8.6 / 2009 / 2010
    VBAI 3.6 / 2010

    Matthew Williams wrote:
    Wireshark, http://www.wireshark.org , will capture data off the network and sort/display/categorize.
    I don't know how well it will work in a wireless environment, we usually use a wired hub (not switch).
    Matt
    Hi Matt
    I have just tried Wireshark, I get a lot of data, so I just have to use a bit of time figuring out what is what, but good program to monitor the LAN connection also wireless. I can monitor all the packages between the client and server. It looks like there is a bunch of data just from keeping the connection active, but again I have to dig a bit deeper before I can say anymore:-)
    MikeS81 wrote:
    Hi SCMAJA,
    another way is to build your own TCP/IP Server with LabView and receive with it the commands sent with your client program.
    Mike
    Hi Mike
    Yeah, I tried that right now using the TCP Communicator - Passive example. Unfortunately the connection between the client and server is kept alive using some commands, so the only command I can get to read is the connect command, because the client then refuses the connection because there is no "right" answer/response from the server :-(
    edit:
    I just got in touch with the support, and got some of the commands to work. I had to make some crazy command with a header first, then size and last my command, all converted from DEC to HEX.. Not easy to figure out :-)

  • Tcp data b/w labview and c++

    Hi
    I am trying to establish a TCP connection b/w LabVIEW and a C++ program. The server is established in C++ while the client is implemented in LabVIEW. Although the connection is successfully established b/w server and client, both are unable to correctly understand data sent/received among them. For example, if I want to send an int type send_array from the server, I use the standard WINSOCK function "send" like that:
    send(AcceptSocket,(char*)send_array,129*4,0);
    but when the client in LabVIEW receives this array, it shows unexpected values. As a client, I used "simple data client.vi" with one modification, i.e. as the sent data size (129*4 bytes) was fixed, only one TCP read was used.
    Same problem exists if i send data from client to server.
    Kindly help me
    Best Regards

    It's probably a big/little endian problem. If you are using the Flatten/Unflatten from String functions, you can specify which to use.

  • Server 2012 r2 essentials...urgent help needed...Two separate DHCP servers, one for lan and one for wifi...design picture attached

    hello
    S2012 R2 Essentials is in the office... Want to have functional 2012 DHCP, DNS, AD, WDS roles for 1 Gbps wired LAN and separate Wi-Fi for temporary visitors for Internet access, like GSM phones etc... Need functional anywhere access to office server and computers for administering... When a worker with a laptop goes out of the office, they must have fully functional Wi-Fi.
    here is picture what i have in my mind with all components in network.
    How to configure L3 switch, router and server? Many thanks

    Hi,
    Based on your description, I understand that you want to prepare network for the Windows Server 2012 R2 Essentials,
    then will run a DHCP Server on the Windows Server 2012 R2 Essentials and correctly configure router. Please refer to following article and check if can help you.
    Before You Install Windows Server 2012 Essentials
    For DHCP, please refer to following article.
    Running DHCP Server on Windows Server 2012 Essentials
    For router configuration, please refer to following article.
    Configure a Router - Windows Server Essentials
    If anything I misunderstand or any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • The sound on my iPhone 4S isn't working. When headphones are plugged in you can listen to music an watch videos but when you take the headphones out the option to adjust volume goes away and you can't hear music or videos. Any idea how to fix this?

    Today I tried listening to music on my iPhone 4S, only to find that my volume adjuster had disappeared. And just to clarify, when I say that it disappeared, I mean that when I press the volume buttons on my phone, I see the speaker icon but the gauge bar is gone. I can't hear music or watch videos

    Hi thecrane1137,
    If you are having issues with the sound on your iPhone 4S, you may find the following article helpful:
    iPhone: Can't hear through the receiver or speakers
    http://support.apple.com/kb/TS1630
    Cheers,
    - Brenden

  • Hyper-V Replication over Dedicated LAN and "is alive" checks over Corporate LAN

    I am testing Hyper-V replication to see if it will be a suitable replacement for the ArcServer RHA product.  One thing I am struggling with is configuring the replication to use the dedicated LAN, but still have the host servers verify over the corporate LAN.
    I have seen the blogs on how to use a dedicated route and editing the hosts file to get replication to use the dedicated LAN, but that also changes the LAN in which the host servers communicate.  It seems to me that if the corporate LAN were to go down on the master server, I wouldn't be able to fail over the virtual machines to the replica server without first having to connect into the master server through the dedicated LAN of the replica server to shut down the virtual machines.
    I need to be able to fail over to the replica server if the corporate network connection on the master server drops without having to go through the extra steps of connecting into the master server first.
    Is it possible for the two items to be separated?  Can I tell Hyper-V to replicate using one specific IP destination on the dedicated LAN and have the replica server check to see if the master is live over the corporate LAN?

    Hi Telrick,
    >> It seems to me that if the corporate LAN were to go down on the master server, I wouldn't be able to fail over the virtual machines to the replica server without first having to connect into the master server through the dedicated LAN of the replica server to shut down the virtual machines.
    I want to say that there are "planned failover" and "unplanned failover"; the latter applies to the primary server crashing (you can select "failover" on the replica server, then the VM will start up; after the primary server is online again you can do "reverse").
    The point is that you cannot use Hyper-V Replica as a backup (it will lose a little data which has not yet been replicated to the replica server when an "unplanned failover" happens).
    Best Regards
    Elton Ji

  • Satellite Pro A200 PSAFCA: Need Lan and display driver for XP

    Hey
    please help me!
    I have just installed XP on my new Satellite Pro, but I have had trouble with the drivers.
    At the moment I have installed most, but from this site I can't seem to find a driver that will help my network card, nor my NVIDIA video driver...
    any suggestions would be very valuable

    The Satellite Pro A200 PSAFCA is not known to me. I know only the Satellite Pro A200 PSAE1, PSAE4 and PSAE7. So could you please confirm your Pro A200 series?!
    If you cannot find the single XP drivers on the Toshiba page, I would recommend checking the LAN and the graphics chip installed on the motherboard and using the XP drivers from the chip manufacturer.
    If you need a graphics driver, I would recommend using the drivers from the www.omegadrivers.net or www.laptopvideo2go.com site.
    Regards

  • Is it possible to adjust the photo angle and size in Snapshots theme

    Hi
    I'm new to aperture and am having a few frustrated-hair-pulling issues with the Snapshots theme. I was using iPhoto to create a Photobook of my son's first year and found it to be too limited for what I want to create. I came across Aperture and was wow'ed by the description saying I could rotate and resize photos, add text boxes etc. This was just what I was after so I downloaded the free trial to test it. I like the snapshots theme the best for the idea of it looking more "homemade" but seem to be unable to adjust the photo angle and size from the given templates. Also I find that the border in adding new photos (which I can adjust the size and rotation of) is without the custom shadow effect that the template ones have. Duplicating the template photo only gives one with the shadow effect but also of the same size with the same rotation that I can't do anything with! Rrrrghhhh
    I thought this would be a great way to customize the album I'm making for my little boy, and that it wouldn't be too hard! My mac skills are considerable, but I'm by no means an expert! Is this program too much for a non-pro-creative-housewife with a wish that may be solveable in iPhoto afterall?
    Or am I just missing something? Is there a way to do this or shall I just give up and choose another theme?
    Any recommendations are welcome! Please!!! My scalp is now officially sore!

    Here's the solution I used to solve the same problem. If you're not comfortable editing the source files, this might be more than you want to take on--but I've done it to several files with no ill effects. You can follow the instructions on this page and the referenced original post from (he includes a link on the page). Good luck! He's got some great tips on some of his other pages.
    http://photo.rwboyer.com/2010/03/15/aperture-3-book-theme-trick/
    A warning about editing the Master pages--it only edits them in that book--it doesn't update the theme. So if you go to create another book with those same layouts, you'll have to duplicate the book and replace all the images. An alternative would be to create a "clean" book with no photos in it and then just use that as a starting point each time.
