MTU vs MSS

I have been reading up on DMVPN and noticed the tunnel configuration had the following:
iinterface Tunnel0
ip mtu 1408
ip tcp adjust-mss 574
Would someone be able to explain to me why the mss is so much lower than the MTU.
I thought the MSS was 28 less than the MTU.

From same doc, I think this is valid
"The goal is to select an optimum value for ip tcp adjust-mss that minimizes both the IPSec padding and
ATM adaption layer (AAL) 5 padding."
Is that your objective in live network?
For the rest it's pretty self explanatory.
IP MTU of transport network > IP MTU overlay network > TCP MSS set on overlay

Similar Messages

Advice required on optimal MTU and MSS settings for GRE and IPSEC connections

Hi,
We have 2 remote sites (Site A and Site B) which connect to our datacentres (DC) over IPSEC VPN and connect to each other over GRE tunnels.
We had some issues recently which we believe were MTU/MSS related (browsing web servers at one location not appearing correctly etc)
We got some advice from our Cisco partner and tweaked some settings but I'm still not convinced we have the optimal configuration - and we still have some problems I suspect may be MTU related. For example, from our DC (connected to Site A by IPSEC), we CANNOT browse to the webpage of the phone system hosted at Site A. Yet, we CAN browse to the webpage of the Site A phone system from Site B (connected over GRE)
Site A and Site B have two WAN internet circuits each - and each provider presents their circuit to us as ethernet.
Here are the relevant interface settings showing the currently configured MTU and MSS (both routers are configured the same way)
Can someone advise on what the optimal settings should be for our MTU and MSS values on the various interfaces or how we might best determine the values?
interface Tunnel1
description *** GRE Tunnel 1 to SiteB***
ip address [removed]
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 30 3
tunnel source [removed]
tunnel destination [removed]
interface Tunnel2
description *** GRE Tunnel2 to SiteB***
ip address [removed]
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 30 3
tunnel source [removed]
tunnel destination [removed]
interface GigabitEthernet0/0
description "WAN Connection to Provider1"
ip address [removed]
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect cbac out
ip virtual-reassembly in
crypto map cryptomap
interface GigabitEthernet0/1
description "Connection to LAN"
no ip address
ip flow ingress
ip flow egress
duplex auto
speed auto
interface GigabitEthernet0/1.1
description DATA VLAN
encapsulation dot1Q 20
ip address [removed]
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1320
interface GigabitEthernet0/1.2
description VOICE VLAN
encapsulation dot1Q 25
ip address [removed]
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1320
interface GigabitEthernet0/2
description "Connection to Provider2"
ip address [removed]
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect cbac out
ip virtual-reassembly in
duplex auto
speed auto
crypto map grecrypto
Thanks.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

Optimize mtu and mss

Dear all,
It is about a IPSEC/GRE over WAN...
Would you please confirm or comment the following in terms of MTU:
1. On GRE tunnel interfaces "ip mtu" and "ip tcp adjust-mss" is mandatory. "tunnel path-mtu-discovery" is good to have and will allow DF bit to be set in the outer header. If "tunnel path-mtu-discovery" is to be applied, ICMP should not be blocked between routers.
2. On inside router interfaces "ip tcp adjust-mss" is mandatory and will be the same value as on the tunnel interfaces. This will make sure TCP traffic from inside hosts is OK.
3. It is mandatory that ICMP messages are not blocked between inside hosts and WAN routers in order for PMTUD for hosts to be working.
Thanks in advance,
Mladen

No you have not mis-read the document - maybe just been lead down a path a little, my answers are based on experiance.
I have found that tunnel path-mtu-discovery/PMTUD/BlackHole MTUD do not work in 99.999% of the cases where I have had mtu issues - Windows OS has been where the issues lie. I have never encounted a time where the Windows OS has actually taken any notice of the ICMP fragmentation needed message has been recevied.
Some Cisco platforms cannot use the tcp mss adjust command on transient packets, only packets sourced from the deivce are effected.
Cisco firewalls, have default configuration in regards to fragementation - the packets will be fragemented prior to encrypting the packet and they copy the DF bit = the packet will be dropped due to being oversized.
What I do when dealing with GRE/IPSEC tunnels is either:-
1) Change the MTU of the workstations/servers - works in small enviroments, does not scale.
2) You do not have to worry about MTU/MSS sizes on internet sites generally, as the remote servers wil 99% negotiate a small MSS.
3) Use where possible tcp mss adjust on routers and firewalls (this is a great place, especially when you are not using GRE tunnels)
4) Perform packet captures to determine if an application will send ALL packets with the DF bit set, or as normal just the TCP handshake.
Below is a good example:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
HTH>

IPSEC SA ip mtu idb interface?

Hello,
What is the ip mtu idb interface under the "show crypto ipsec sa" command output in IOS? How is this interface determined?
Thanks,
Nathan

Nathan,
The IPsec overhead is 'complicated' to calculate (depending on chosen cipher suite and original packet length). Hence you'd need to have calculator of some sort, several folks wrote those, we have one internally written by a colleague.
It is safe to assume that overhead will be around 100 bytes (for GRE over IPsec) , newer IOS will calculate that for you too. It's a stretch, but we'd rather have lower MSS than deal with fragmentation.
But regardless, you will see very often in our reference configuration that MTU is set to 1400, and a matching MSS of 1360.
Fragmentation/reassambly is an popular, remember that when you set MTU you NEED to set also MSS (MTU - 40 = MSS).
Another thing is (tunnel) PMTUD, while it's typically broken over internet, it is one of my favorites, it helps detect and diagnose problems early in the deployment rather than dealing with it later on.
Just figured I'd get this out there.
M.

HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

we are connecting Cisco 887VA router with various other Non-Cisco routers.
VPN tunnels are up and we can ping devices on the remote network through the VPN.
However, we have a few devices (on the Cisco lan) that provide a web interface (NAS etc) and these are not accessible over the VPN, the connection seems to just hang like its waiting for a response but it never gets one and eventually the browser times out.
Strangely, if I request a page that does not exist from the NAS (eg. http://192.168.3.x/test) I will receive a 404 error so it is kind of working.
Similar problems with SMB, if I access \\192.168.3.x I can list the content (4 items) but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
I have tried adjusting MTU and MSS with no change.
Any ideas cause I'm running out of hair
My config is attached, it is most likely a mess as this is my first Cisco device so please go easy

Hi,
i can get you a example VPN config (Cisco 1841) that works:
//192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 deny ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 150 permit ip 192.168.49.0 0.0.0.255 any
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
crypto isakmp keepalive 30
crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
crypto map B2B 10 ipsec-isakmp
description b2b-fw
set peer PEERWANIP
set security-association lifetime seconds 86400
set transform-set SETNAME
match address 102
interface FastEthernet0/0
description wan_primary
crypto map B2B
ip nat outside
interface FastEthernet0/1
ip nat inside
route-map nonat permit 10
match ip address 150
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Regards
Markus

GRE slow in one direction

Hi folks
I need some help understanding a problem I have. I have to networks connected over GRE using Cisco 1921 routers. One router is connected to the Internet and the other one to a 4G provider. 4G as I know it should be slower on the upload than on the download but for my users at the remote site it's the opposite. I get speeds around 4mbit down and 12mbit up. If I send the remote site straight out to Internet and skip the tunnel I get speeds around 10mbit down and 5mbit up.
I've been trying some MTU and MSS settings but none has given any clear improvements. Anyone got an idea?
Regards
Fredrik

I'm talking about either basic ethernet or a wifi connection. Basic ethernet has the same speed in either direction ie 'downstream' or 'upstream'. I don't know the specifics of wifi but I'm pretty sure it too has identical speeds in either direction.
I only have an ssh server on my linux machine so I'm always running the copy from the mac. To summarize:
$ scp file1 linux:/tmp -> 2.2Mb/s
$ scp linux:/tmp/file1 . -> 100Kb/s
I know that apple wifi cards sometimes have problems with linksys routers, but even with a normal ethernet connection the speeds are the same.
ibook G4 Mac OS X (10.3.9)

802.1x/EAP-TLS Fragmentation across VPN tunnel

I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
- MTU 1390
- MSS 1350
- PMTUD
- Under the ingress LAN interface
- route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
- Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
Thanks for you help.

I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of the sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.

877W unable to view web pages

Hi all,
I've been trying to setup the new 877W DSL router for last days with no luck.
Situation is as follows:
Everything seems to be alright, DSL connects properly, and my pc is able to ping and traceroute to sites.
Problem comes when trying to use the web browser, I'm not getting any kind of heavy page (it does load google after 30 secs).
I've checked it does NAT translations as I can see them with the sh ip nat translations command.
I'm copying the whole config. Thanks in advance for your help, Any comment will be helpful.

Hi,
2 things to try, first you say that you can ping sites while not able to web browse, it might be a DNS problem accordingly please try to check your dns (ping the DNS and then try doing nslookup).
Second, for the MTU and MSS its recommended to have:
interface
ip tcp adjust-mss 1452
interface
mtu 1492
HTH, please do rate all helpful replies,
Mohammed Mahmoud.

How is "current transport value" calculated?

We had an issue recently where I work where an officer started having connectivity problems. This office has a VPN router with an IPsec tunnel to access the main network because they're located several hours away. (The hub router is a 3945, the office has a 2800 series router.) This worked fine for years but about a month ago with no changes to the network they started having issues with VOIP and web access.
While troubleshooting we adjusted the MTU on the workstation and found that it worked fine at 1380, but when we set the adjust-mss on the tunnel to 1380 it didn't work for all the affected computers.
We tried various settings on the adjust-mss and the ip mtu until we got one that worked, but if we went too high on the MTU we got message saying out setting was "higher than the current transport value of 1414, fragmentation will occur."
This was six lower than 1420, the IP MTU setting that was originally there. We dropped the ip tcp adjust-mss to 1374 and it worked.
It looks like the "current transport value" is what changed, but I can't find any way to see what the value is on either router and I don't know what goes into finding this value. Does anyone know the command to view it and what determines it?

You're making a confusion between MTU and MSS.
MTU = maximum IP datagram size the layer 2 can carry,
MSS = maximum TCP segment size.
On a usual Ethernet Link MTU=1500 bytes. MSS = 1500 - 20 (IP header) - 20 (TCP header) = 1460 bytes.
When using tunnels, you've got to take into account the added encapsulation. With GRE for instance (which I know better than IPSec), you've got 24 bytes more to take into account.
On a router, with a PPP interface with 1500 bytes MTU, if you enable GRE the GRE tunnel will have a MTU of 1476 bytes because each user datagram will receive an additionnal IP+GRE header (+24bytes).
MSS is then 1436 bytes (1436 + 40= 1476) and you can avoid IP fragmentation by setting tcp mss adjust to 1436 for tcp traffic (nothing can be done for big UDP packets).
Same thing with IPSec. Depending of the encapsulation (ESP, tunnel, transport...), you had X bytes of additionnal header.
On a WAN PPP interface having a MTU of 1500 bytes, a tunnel going thru the PPP interface toward its destination will detect a transport MTU of 1500 bytes (MTU of the outgoing transport interface, the PPP interface), and will set its own MTU at 1500 - X bytes (MTU of outgoing interface minus additionnal bytes of tunnel encapsulation). You can set mss adjust to Transport (here 1500) - (X) - (40).
Hope this helps.

Poor Network Performance from VPN sites

We are experiencing poor network performance when connecting from hardware VPN sites. VPN sites have Cisco Hardware VPN client 3002 which terminates to Cisco 3005 VPN concentrator. Geting upload/download speeds of 355/484kbsp from VPN to surewest.com. If I remove the VPN and connect laptop directly to dsl modem, speeds are 3mb up and 1mb down. Any ideas what could be causing this?

Try this
Adjust the MTU and MSS size in concentrator and client.
Try these link for more info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

ISM with NAT64 - need help with config

Hello,
we are trying to configure NAT64 on ISM. We are running 4.3.0 on ASR9k and all
packages are installed.
Problem is that the config guide is "incomplete" and the NAT64 config is not well
explained.
I will paste the config and show command output..
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful CGN1 statistics
Tue Jan 29 14:52:59.351 BIH
Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful STATEFULL statistics
Tue Jan 29 14:59:07.270 BIH
Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'CONN state is DOWN'
service cgn CGN1
service-location preferred-active 0/4/CPU0
service-type nat64 stateful STATEFULL
portlimit 2000
ipv6-prefix 64:ff9b::/64
ipv4 address-pool 80.65.84.160/29
dynamic-port-range start 10000
address-family ipv4
   interface ServiceApp2
   tcp mss 600
address-family ipv6
   interface ServiceApp1
   protocol icmp
    reset-mtu
   tcp mss 600
protocol udp
   timeout 1800
protocol tcp
   session initial timeout 90
   session active timeout 90
protocol icmp
   timeout 900
interface ServiceInfra10
ipv4 address 10.100.127.9 255.255.255.252
service-location 0/4/CPU0
Interface serviceAPP1 is present but not serviceApp2
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run inter ServiceApp1
Tue Jan 29 22:40:43.814 BIH
interface ServiceApp1
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run inter ServiceApp2
Tue Jan 29 22:41:34.601 BIH
% No such configuration item(s)
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#show platform
Tue Jan 29 14:57:29.753 BIH
Node            Type                      State            Config State
0/RSP0/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON
0/RSP1/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON
0/0/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON
0/1/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON
0/2/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
0/3/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
0/4/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON
0/4/CPU1        A9K-ISM-100(SE)           APP-READY
Package asr9k-ism-cgv6-install-kit-4.3.0.00.sh has been installed!
Node 0/RSP0/CPU0 [RP] [SDR: Owner]
    Boot Device: disk0:
    Boot Image: /disk0/asr9k-os-mbi-4.3.0/0x100305/mbiasr9k-rsp3.vm
    Active Packages:
      disk0:asr9k-fpd-px-4.3.0
      disk0:asr9k-mpls-px-4.3.0
      disk0:asr9k-optic-px-4.3.0
      disk0:asr9k-doc-px-4.3.0
      disk0:asr9k-mini-px-4.3.0
      disk0:asr9k-mcast-px-4.3.0
      disk0:asr9k-mgbl-px-4.3.0
      disk0:asr9k-services-p-px-4.3.0
      disk0:asr9k-k9sec-px-4.3.0
Node 0/4/CPU0 [LC] [SDR: Owner]
    Boot Device: mem:
    Boot Image: /disk0/asr9k-os-mbi-4.3.0/lc/mbiasr9k-lc.vm
    Active Packages:
      disk0:asr9k-mpls-px-4.3.0
      disk0:asr9k-optic-px-4.3.0
      disk0:asr9k-mini-px-4.3.0
      disk0:asr9k-mcast-px-4.3.0
      disk0:asr9k-services-p-px-4.3.0
Service-Engine0/4/0/0          unassigned      Up                    Up
Service-Mgmt0/4/0/0            unassigned      Up                    Up
Service-Engine0/4/0/1          unassigned      Up                    Up
Service-Mgmt0/4/0/1            unassigned      Up                    Up
Service-Engine0/4/0/2          unassigned      Up                    Up
Service-Mgmt0/4/0/2            unassigned      Up                    Up
Service-Engine0/4/0/3          unassigned      Up                    Up
Service-Mgmt0/4/0/3            unassigned      Up                    Up

Hi,
first thank your for reply.
hw-module service cgn location 0/4/CPU0 has been typed in the config but I can not see it anywhere in the config after I enter and commit it.
This is the guide I am using. You will see that the NAT64 example is incomplete or is lacking of some explainations. You will see mistakes like an IP address 300.x.x.x . I even tried to completly copy/paste the example in the guide and it still shows the same errors!
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat_43.html
Edit:
After serviceapp 1 and 2 has been configured the error "Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'CONN state is DOWN'
" has gone
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run interface serviceapp1
Wed Jan 30 08:44:59.602 BIH
interface ServiceApp1
vrf Internet
ipv6 address 1::1/64
service cgn CGN1 service-type nat64 stateful
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run interface serviceapp2
Wed Jan 30 08:45:00.950 BIH
interface ServiceApp2
vrf Internet
ipv4 address 1.1.1.1 255.255.255.252
service cgn CGN1 service-type nat64 stateful
RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful STATEFULL statistics
Wed Jan 30 08:46:50.342 BIH
Statistics summary of NAT64 Stateful instance: 'STATEFULL'
Number of active translations                  : 0
Number of static translations                  : 0
Number of dynamic translations                 : 0
Number of Sessions                             : 0
Translations create rate                       : 0
Translations delete rate                       : 0
Inside to outside forward rate                 : 0
Outside to inside forward rate                 : 0
Inside to outside drops port limit exceeded    : 0
Inside to outside drops system limit reached   : 0
Inside to outside drops resource depletion     : 0
No translation entry drops                     : 3134
Filtering Drops                                : 0
Invalid Ipv6 Prefix Drops                      : 0
Number of subscribers                          : 0
Drops due to session db limit exceeded         : 0
Pool address totally free                      : 8
Pool address used                              : 0
For what are the IP addresses in serviceapp used, only for communication between router and ISM?

E90 poor network

HI.
I M USING E90 SINCE 2YEAR BUT NOW DAYS I M FACING SOME NETWORK PROBLEM.THE SIGNALS ARE VERY LOW AS COMPARE TO ANY OTHERS MOBILE PHONES.I HAVE VISITES NOKIA CENTER CARE & MOBILE CONECTION CPMPANY TO REPAIR MY SIM,BUT THEY BOTH SAID THAT IS WORKING FINE FROM THERE SIDE.
PLEASE HEPL ME WITH THIS NETWORK PROBLEM.

Try this
Adjust the MTU and MSS size in concentrator and client.
Try these link for more info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

1000v Almost Working

I've got the 1000v (single VSM in L3 mode) up and running. I have a couple of port-profiles with VMs running fine in them. All VEMs seem to be registered and speaking fine. The only problem I have is when I go to move the VSM's eth1 interface off the vSwitch0 and onto the 1000v, it loses communication (vEth shows BLK when I move it).
N1KV# sh run
!Command: show running-config
!Time: Thu May 1 21:32:36 2014
version 4.2(1)SV2(2.2)
svs switch edition essential
no feature telnet
username admin password 5 $1$LxtFHxdd$nnLt6SIClbFprf3qv7Pig0 role network-admin
banner motd #Nexus 1000v Switch#
ssh key rsa 2048
ip domain-lookup
ip host N1KV 10.2.55.100
hostname N1KV
errdisable recovery cause failed-port-state
vem 3
host id 64b73ccc-c6cf-e311-0000-00000000004f
vem 4
host id 64b73ccc-c6cf-e311-0000-00000000002f
vem 5
host id 64b73ccc-c6cf-e311-0000-00000000005f
vem 6
host id 64b73ccc-c6cf-e311-0000-00000000003f
snmp-server user admin network-admin auth md5 0x009f54b10a39bb2726dacb1dc22802af priv 0x009f54b10a39bb2726dacb1dc22802af localizedkey
vrf context management
ip route 0.0.0.0/0 10.2.55.1
vlan 1,3255,3268,3350,3360
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type ethernet System-Uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1-3967,4048-4093
mtu 9000
channel-group auto mode on mac-pinning
no shutdown
system vlan 3255
description physical switch link
state enabled
port-profile type vethernet VLAN3255
capability l3control
vmware port-group VLAN-3255-L3
port-binding static auto expand
switchport mode access
switchport access vlan 3255
no shutdown
system vlan 3255
max-ports 256
min-ports 16
state enabled
port-profile type vethernet vMotion-3268
vmware port-group
switchport mode access
switchport access vlan 3268
no shutdown
system vlan 3268
max-ports 256
state enabled
port-profile type vethernet VLAN-3255
vmware port-group
switchport mode access
switchport access vlan 3255
no shutdown
max-ports 256
min-ports 16
state enabled
port-profile type vethernet VLAN-3360
vmware port-group
switchport mode access
switchport access vlan 3360
no shutdown
max-ports 256
min-ports 16
state enabled
port-profile type vethernet VLAN-3350
vmware port-group
switchport mode access
switchport access vlan 3350
no shutdown
max-ports 256
min-ports 16
state enabled
vdc N1KV id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 1 maximum 1
limit-resource u6route-mem minimum 1 maximum 1
interface port-channel1
inherit port-profile System-Uplink
vem 3
interface port-channel2
inherit port-profile System-Uplink
vem 4
interface port-channel3
inherit port-profile System-Uplink
vem 5
interface port-channel4
inherit port-profile System-Uplink
vem 6
interface mgmt0
ip address 10.2.55.100/24
interface Vethernet1
inherit port-profile VLAN3255
description VMware VMkernel, vmk0
vmware dvport 434 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0025.B500.000B
interface Vethernet2
inherit port-profile vMotion-3268
description VMware VMkernel, vmk1
vmware dvport 442 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5663.A33C
interface Vethernet3
inherit port-profile VLAN3255
description VMware VMkernel, vmk0
vmware dvport 432 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0025.B500.000E
interface Vethernet4
inherit port-profile VLAN3255
description VMware VMkernel, vmk0
vmware dvport 433 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0025.B500.000D
interface Vethernet5
inherit port-profile vMotion-3268
description VMware VMkernel, vmk2
vmware dvport 440 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.566D.7851
interface Vethernet6
inherit port-profile vMotion-3268
description VMware VMkernel, vmk1
vmware dvport 441 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5663.CFF0
interface Vethernet7
inherit port-profile VLAN-3255
description VUM, Network Adapter 1
vmware dvport 704 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5690.284B
interface Vethernet8
inherit port-profile VLAN3255
description VMware VMkernel, vmk0
vmware dvport 438 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0025.B500.000C
interface Vethernet9
inherit port-profile vMotion-3268
description VMware VMkernel, vmk1
vmware dvport 443 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.566C.6C27
interface Vethernet10
inherit port-profile VLAN-3255
description Ubuntu - Craig, Network Adapter 1
vmware dvport 705 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5690.0A43
interface Vethernet11
inherit port-profile VLAN3255
description Nexus1000V-4.2.1.SV2.2.1b, Network Adapter 1
vmware dvport 703 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5690.E208
interface Vethernet12
inherit port-profile VLAN3255
description Nexus1000V-4.2.1.SV2.2.1b, Network Adapter 3
vmware dvport 701 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
vmware vm mac 0050.5690.F928
interface Ethernet3/1
inherit port-profile System-Uplink
interface Ethernet4/1
inherit port-profile System-Uplink
interface Ethernet4/2
inherit port-profile System-Uplink
interface Ethernet5/1
inherit port-profile System-Uplink
interface Ethernet5/2
inherit port-profile System-Uplink
interface control0
cli alias name wr copy run start
line console
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-1
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-2
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-2
svs-domain
domain id 10
control vlan 1
packet vlan 1
svs mode L3 interface mgmt0
svs connection vcenter
protocol vmware-vim
remote ip address 10.2.55.35 port 80
vmware dvs uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a" datacenter-name UCS
admin user n1kUser
max-ports 8192
connect
vservice global type vsg
tcp state-checks invalid-ack
tcp state-checks seq-past-window
no tcp state-checks window-variation
no bypass asa-traffic
vnm-policy-agent
registration-ip 0.0.0.0
shared-secret **********
log-level
N1KV# sh mod
Mod Ports Module-Type Model Status
1 0 Virtual Supervisor Module Nexus1000V active *
3 332 Virtual Ethernet Module NA ok
4 332 Virtual Ethernet Module NA ok
5 332 Virtual Ethernet Module NA ok
Mod Sw Hw
1 4.2(1)SV2(2.2) 0.0
3 4.2(1)SV2(2.2) VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
4 4.2(1)SV2(2.2) VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
5 4.2(1)SV2(2.2) VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
Mod Server-IP Server-UUID Server-Name
1 10.2.55.100 NA NA
3 10.2.55.101 64b73ccc-c6cf-e311-0000-00000000004f exucs1.bhsi.com
4 10.2.55.103 64b73ccc-c6cf-e311-0000-00000000002f exucs3.bhsi.com
5 10.2.55.102 64b73ccc-c6cf-e311-0000-00000000005f exucs2.bhsi.com
* this terminal session
N1KV#
N1KV# module vem 3 execute vemcmd show port
LTL VSM Port Admin Link State PC-LTL SGID Vem Port Type
17 Eth3/1 UP UP FWD 561 0 vmnic0
49 Veth11 UP UP FWD 0 0 Nexus1000V-4.2.1.SV2.2.1b.eth0
50 Veth5 UP UP FWD 0 0 vmk2
51 Veth8 UP UP FWD 0 0 vmk0
53 Veth12 UP UP FWD 0 0 Nexus1000V-4.2.1.SV2.2.1b.eth2
561 Po1 UP UP FWD 0
* F/B: Port is BLOCKED on some of the vlans.
One or more vlans are either not created or
not in the list of allowed vlans for this port.
Please run "vemcmd show port vlans" to see the details.
N1KV#
N1KV# sh svs connections
connection vcenter:
ip address: 10.2.55.35
remote port: 80
protocol: vmware-vim https
certificate: default
datacenter name: UCS
admin: n1kUser(user)
max-ports: 8192
DVS uuid: 3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a
config status: Enabled
operational status: Connected
sync status: Complete
version: VMware vCenter Server 5.5.0 build-1750787
vc-uuid: 61E318F1-6DF1-4441-B34B-C762CC2E4AE4
ssl-cert: self-signed or not authenticated
~ # esxcfg-vmknic -l
Interface Port Group/DVPort IP Family IP Address Netmask Broadcast MAC Address MTU TSO MSS Enabled Type
vmk2 440 IPv4 10.2.68.101 255.255.255.0 10.2.68.255 00:50:56:6d:78:51 1500 65535 true STATIC
vmk2 440 IPv6 fe80::250:56ff:fe6d:7851 64 00:50:56:6d:78:51 1500 65535 true STATIC, PREFERRED
vmk0 438 IPv4 10.2.55.101 255.255.255.0 10.2.55.255 00:25:b5:00:00:0c 1500 65535 true STATIC
vmk0 438 IPv6 fe80::225:b5ff:fe00:c 64 00:25:b5:00:00:0c 1500 65535 true STATIC, PREFERRED

I hope you get an answer to your problem.
Unfortunately, it's a lot of code to wade through, and many regulars know you
cross-post your problems all over the place, so probably ignore your posts
rather than risk their time being wasted on a problem already solved.
When I said "I hope you get an answer to your problem.",
I lied.

Poor network efficiency

I'm supporting an app running on WLS 6.1 SP3. It's using the Apache SOAP toolkit.
I don't have access to the app or its source code, though I may be able to request
enhancements.
In network traces of the app, we're seeing excessive fragmentation of the response
HTTP headers sent by WLS. Specifically, each discrete piece of an HTTP header
is being sent in its own network packet. For example, the date header is returned
as follows:
"Date" - first packet
": " - second packet
"{date value}" - third packet
"\x0d\x0a" - fourth packet
This obviously results in significantly more network traffic than is optimal.
It also places extra CPU load on server and client since the network stack is
doing more work. Note that, from what I can determine, all the headers are ones
that are automatically sent by WLS, save "Content-Type" and "Content-Length".
I know there's a ServletResponse.setBufferSize method, but its docs seem to state
that it only applies to the content/body of the response, not the headers.
Does anyone have experience with this problem? Is there a WLS config setting to
alleviate the problem? Or will setBufferSize help w/ the headers also?
Many thanks,
Donnie

Try this
Adjust the MTU and MSS size in concentrator and client.
Try these link for more info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

PAT Issues

We have a MPLS network which is having some issues for customers using PAT. The case is if I have a CE configured with public IP address or static NAT they have no problems to navigate or do anything on Internet. But if I configure PAT they simply cannot open some pages like hotmail, etc. in that case if I adjust MTU or MSS they can navigate. There is some solution to avoid this?? or somebody knows why it can be happening? as long as I know the packet size doesnt change with PAT.
Thanks for the help.

Every device in a IP path intercepting TCP, needs to advertise the MSS option. Or if this segment size is not used then segement of any size may be received.
And such packets which upon receipt have DF bit set then you have a problem and you will have be able to browse such packets from content rich websites.
What you can do is:
1) use this command on you ip nat inside and ip nat outside interface
interface x/x
ip add x.x.x.x x.x.x.x
ip nat inside
ip tcp adjust-mss 1452
interface x/x
ip add x.x.x.x x.x.x.x
ip nat outside
ip tcp adjust-mss 1452
This should solve your problem without changing any MTU or MSS on the customer CE.
1) Now two questions, you had a problem before beause of the MTU right, now what is this NAT/PAT.
2) Where are you doing this NAT and PAT.
Can u explain the data path, for eg
CE<-->NAT<-->PE<--MPLS-->PE-ASBR<-->Internet.
HTH-Cheers,
Swaroop

MTU vs MSS

Similar Messages

Maybe you are looking for