SSLv3 and MTU size

Hi there,
in the bank network environment between 2 sites (first with the clients and the second with the server) we have performance problems with one application. One point which might be the cause of our problem is MTU size. The application is using SSLv3. The WAN link is encrypted by IPSec. What would be the suitable MTU size configured on the router? What is the size of overhead of SSLv3? What do we need to add in terms of MTU size when we use SSLv3?
Thanks a lot in advance for the answer.
Regards,
Jovica

You need to increase the MSS to more than 812 bytes when using SSLv3. Another way is to change the communication profile, i.e. change the POST.

Similar Messages

  • DHCP and mtu size in rc.conf

    Is it possible to set an interface to use both DHCP and a custom MTU size by setting the value in rc.conf?
    I tried using the line eth0="dhcp mtu 9000", but that did not work.

    There is a hackish way to do it:
    eth0="dhcp"
    eth0mtu="eth0 mtu 1234"
    INTERFACES=(lo eth0 eth0mtu)
    It is important that eth0mtu is after eth0 in INTERFACES.

  • Slow internet speed because of RWIN and MTU

    I've got a problem with cable modem "DHCP" speed. The default internet settings for Arch are very slow for me on a 2mb connection: I get 1700kbps max, whereas on other distros and Windows I'm getting 1960+kbps. The issue is RWIN size and MTU size.
    With the default settings my RWIN is "128960" when it should be set to "51100" for my speed, also MTU is 576 which is very low (dialup MTU speed I think) for a cable modem which should be "1500".
    I've tried setting my RWIN size in /etc/sysctl.conf like this in arch:
    # Tweaks for faster broadband...
    net.core.rmem_default = 51100
    net.core.rmem_max = 51100
    net.core.wmem_default = 51100
    net.core.wmem_max = 51100
    net.ipv4.tcp_wmem = 51100 51100 51100
    net.ipv4.tcp_rmem = 51100 51100 51100
    net.ipv4.tcp_mem = 51100 51100 51100
    net.ipv4.tcp_rfc1337 = 1
    net.ipv4.ip_no_pmtu_disc = 0
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_fack = 1
    net.ipv4.tcp_window_scaling = 0
    net.ipv4.tcp_timestamps = 0
    net.ipv4.tcp_ecn = 0
    net.ipv4.route.flush = 1
    With extra tweaks for window scaling 0, timestamps 0 etc., and did "sudo sysctl -p" to set it.
    But after retesting my settings at dslreports.com I get a very low RWIN like "9654" for some reason. Does anyone know how to permanently set it to "51100"?
    I also have a problem with setting MTU. I did "sudo ifconfig eth0 mtu 1500", which works fine but gets reset on reboot. I've looked through this thread http://ubuntuforums.org/showthread.php?t=82093 and it needs to be set in "/etc/network/interfaces" but I have no such directory.
    So does anyone know how to permanently set RWIN and MTU for a DHCP network in Arch?
    EDIT: I've managed to set MTU to 1500 on boot; now speeds are up to 1958kbps. Now just wondering about RWIN.
    Last edited by Breakage (2008-02-24 05:33:52)

    You probably want tcp_window_scaling = 1, not 0.
    Window scaling is used to let you have a bigger window size. The only reason to turn it off is if you are behind a router that distorts your TCP packets and causes connection issues. There is such a router between my school and the internet, and so I have my network script shut off tcp_window_scaling when connecting to the wireless at school. But I keep it on elsewhere.
    Try turning it on and giving it a go.

  • FTTH connection proper MTU Size and Jumbo frames

    I've recently moved to an ISP that provides a 4mbps connection through FTTH (single OFC). There is an EPON ONU on my premises from which an RJ-45 LAN cable is connected to my Intel DH67CL1 board based PC. The manual says the NIC is a gigabit ethernet card. I tried setting an MTU of 8996 and I can ping and browse fine. But I'm totally in the dark whether this value is optimum and works flawlessly browsing sites. How to find and set the proper MTU for a fibre network like this? Is the value correct?
    I tried like this decreasing mtu value:
    ifconfig eth0 mtu 8997
    SIOCSIFMTU: Invalid argument
    then,
    ifconfig eth0 mtu 8996
    ^^^ No error message and it seems to be accepted.
    BTW, from the Arch wiki, I saw that the driver module (e1000e, which is used here) used by the NIC has some bug report filed with respect to jumbo frames. Am I doing things correctly? Earlier the MTU was at the default 1500. Please guide. Thank you.
    Some drivers will prevent lower C-states
    Some kernel drivers, like e1000e will prevent the CPU from entering C-states under C3 with non-standard MTU sizes by design. See bugzilla #77361 for comments by the developers.
    https://wiki.archlinux.org/index.php/Ju … mbo_frames

    yeah, i actually talked to support and they told me the same thing. just another example of misleading information from Linksys as here is what the manual and the help page say:
    MTU
    MTU is the Maximum Transmission Unit. It specifies the largest packet size permitted for Internet transmission. Select Manual if you want to manually enter the largest packet size that will be transmitted. The recommended size, entered in the Size field, is 1500. You should leave this value in the 1200 to 1500 range. To have the Router select the best MTU for your Internet connection, keep the default setting, Auto.
    nowhere in that description does it say that 1500 is the maximum.
    because this is also a gigabit switch, one would expect that jumbo frame support is not out of the realm of possibility. as a point of reference any other $50 (or less) gigabit switch supports this, but that's what i get for expecting too much from Linksys.
    thanks for the info.

  • Cisco 3560G and max MTU Size

    Hello
    I have a Cisco 3560G with a version 15.0(1)SE2 IOS. I want to forward jumbo frames (iSCSI packets) through this switch.
    On my SAN, each interface has been configured for 9000 bytes.
    On this switch, I have this output :
    Sw1#sh system mtu
    System MTU size is 1500 bytes
    System Jumbo MTU size is 9000 bytes
    System Alternate MTU size is 1500 bytes
    Routing MTU size is 1500 bytes
    Sw1#
    I would like to know how to increase, if possible, the Jumbo MTU to 9198 bytes. I want to do that because the 9000-byte iSCSI packets will normally be encapsulated using VLAN, so the Ethernet packet will increase to 9022 (Ethernet 18 bytes and an extra 4 bytes for VLAN).
    If the Jumbo MTU reconfiguration is not possible, the iSCSI packets will be fragmented each time they are forwarded through the switch, won't they?
    Thanks in advance for your help.
    Have a nice day
    Matt

    Hi Bilal
    Thanks for your reply.
    In the document, Cisco adds a note at the top of the webpage under Components Used: "Note: In all the examples in this document, unless specifically mentioned, all values that quote MTU in bytes omit the 18 bytes for the Ethernet header and Frame Check Sequence (FCS)."
    So in my mind, the 3560G switch will not drop 9018 Ethernet bytes but will normally drop the VLAN jumbo frames (9022 Ethernet bytes).
    I think Cisco will include the Ethernet header and FCS in the document because network admins include it and do not think of payload data.
    Matt

  • Recommended MTU Size setting within the router and...

    Hello!
    I was wondering what MTU size you guys recommend I set within the Router Interface
    and on Windows for best performance when on a BT Broadband service?
    Note: It's not a BT Router I'm using, I'm using a Netgear DG834N.
    I am sure BT Routers like the HomeHub have a MTU Size of 1500 set in the Router Interface, am I correct?
    My Netgear DG834N has a  MTU Size of 1458 in the Router Interface by default.
    Thanks for responding.

    Personally I was able to squeeze about 11KB/s more out of my 8128Kbps line by setting my MTU to '1430', maxing out my throughput at (after the change): 859KB/s. I'm on a 20CN DSLAM so it might be different on a 21CN MSAN.
    Why not experiment? You can't hurt your line (as long as your router's firmware doesn't reset your ADSL sync every time you change it. If it does, then DLM might have something to say).

  • Mid 2010 Macbook Pro - Change MTU size kills internet (Jumbo Frames)

    Hi everyone, I'm hoping someone here can enlighten me or help me solve the problem I'm having.
    I am trying to change my MTU size to enable Jumbo frames on my 13 inch Mid 2010 Macbook Pro. I recently bought a ReadyNAS Ultra and would like to speed up transfers to the unit.
    My setup is as follows:
    I have my ReadyNAS Ultra 2 and 2010 Macbook Pro (Core 2 Duo) wired via cat6 ethernet to my 5th Generation Apple Airport Extreme. The Airport Extreme is connected via cat5e to my AT&T Uverse Gateway which is set up to allow my Airport to assign DHCP and NAT (gateway is in bridge mode with wireless off).
    Anyways, I have enabled Jumbo frames on my ReadyNAS, when I enable them on my MBP.. it applies fine. It disconnects / reconnects the ethernet like it should, but then my connection drops. I can't see any devices on my LAN and I cannot access any internet websites, but according to the network pane I am still assigned a valid dhcp address. When I manually try to increase my MTU size, the same thing happens (from 9000 to 1600 I tried every size).....
    Could it be my MBP just can't support the increase of MTU size? It leaves them at 1500 when I set it to automatic... if it doesn't support the increased MTU size, why would it let me custom change the MTU and even give an option to select "Jumbo Frames (9000)"?
    I appreciate any help in advance!!

    asdftroy wrote:
    If you did read my post then you would have seen that the option is there, but that is not entirely what my inquiry is about. The option isn't working as intended, and I was wondering if anyone had the same issues as me. Thanks anyways.
    Anyone else?
    The way you responded to someone trying to help you probably means others will be hesitant to try.

  • MTU Size Problem Loading Certain Webpages

    Hello Colleagues,
    I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500 and also that an MTU size of 1400 is recommended when using GRE IPsec tunnels. I have since manually set some users' PCs to an MTU of 1400 and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.
    These are domain accounts with the same image loaded on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.
    Here are the router configs, router 1 and router 2
    Router 1
    Current configuration : 9006 bytes
    version 15.3
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname R-US-RS-WVPN1
    boot-start-marker
    boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
    boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
    boot-end-marker
    logging buffered 64000
    enable secret 5 *removed*
    no aaa new-model
    clock timezone CET 1 0
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause rootguard
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery interval 303
    ip cef
    ip domain name corp.com
    ip name-server 10.###.8.21
    ip name-server 10.###.8.96
    ip inspect dns-timeout 90
    ip inspect tcp idle-time 60
    ip inspect name fw smtp timeout 120
    ip inspect name fw ftp timeout 120
    ip inspect name fw realaudio
    ip inspect name fw tftp timeout 30
    ip inspect name fw udp timeout 30
    ip inspect name fw tcp timeout 60
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-316595902
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-316595902
    revocation-check none
    rsakeypair TP-self-signed-316595902
    crypto pki certificate chain TP-self-signed-316595902
    certificate self-signed 01
      *removed*
            quit
    license udi pid CISCO1921/K9 sn FTX153182M8
    spanning-tree vlan 229 priority 8192
    redundancy
    ip ssh version 2
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    lifetime 3600
    crypto isakmp key *removed* address 70.###.172.142
    crypto isakmp key *removed* address 184.###.###.254
    crypto isakmp keepalive 35 11
    crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac
    mode tunnel
    crypto map vpn 10 ipsec-isakmp
    set peer 70.###.172.142
    set peer 184.###.###.254
    set transform-set FY-WVPN-Tunnel
    match address gre-tunnel-list
    interface Loopback0
    ip address 10.###.0.10 255.255.255.255
    interface Tunnel2291
    description Primary-TimewarnerTelecom-Ral-FayWVPN1
    ip address 10.###.99.26 255.255.255.252
    no ip redirects
    cdp enable
    tunnel source 66.###.161.126
    tunnel destination 184.###.###.254
    crypto map vpn
    interface Tunnel2293
    description Primary-TimewarnerTelecom-Ral-FayWVPN2
    ip address 10.###.99.154 255.255.255.252
    no ip redirects
    cdp enable
    tunnel source 66.###.161.126
    tunnel destination 70.###.172.142
    crypto map vpn
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description TW Telecom/DMVPN1
    ip address 66.###.161.126 255.255.255.252
    ip access-group Block-Internet in
    ip access-group Block-Internet out
    duplex auto
    speed auto
    no cdp enable
    crypto map vpn
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/0/0
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/1
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/2
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/3
    description PBX Eth1
    switchport access vlan 229
    no ip address
    interface Vlan1
    no ip address
    shutdown
    interface Vlan229
    ip address 10.###.229.253 255.255.255.0
    ip helper-address 10.###.231.201
    standby 229 ip 10.###.229.254
    standby 229 priority 105
    standby 229 preempt
    router eigrp 100
    network 10.0.0.0
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip route 70.###.172.142 255.255.255.255 66.###.161.125
    ip route 184.###.###.254 255.255.255.255 66.###.161.125
    ip route 205.###.96.180 255.255.255.252 66.###.161.125
    ip access-list extended Block-Internet
    permit esp host 66.###.161.126 host 184.###.###.254
    permit esp host 184.###.###.254 host 66.###.161.126
    permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp
    permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp
    permit esp host 66.###.161.126 host 70.###.172.142
    permit esp host 70.###.172.142 host 66.###.161.126
    permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp
    permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp
    permit icmp host 66.###.161.126 host 184.###.###.254
    permit icmp host 184.###.###.254 host 66.###.161.126
    permit icmp host 66.###.161.126 host 70.###.172.142
    permit icmp host 70.###.172.142 host 66.###.161.126
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any packet-too-big
    permit icmp any any traceroute
    permit icmp any any unreachable
    deny   ip any any
    deny   icmp any any
    ip access-list extended gre-tunnel-list
    permit gre host 66.###.161.126 host 184.###.###.254
    permit gre host 66.###.161.126 host 70.###.172.142
    logging host 10.100.###.254
    logging host 10.100.###.246
    snmp-server community a RW 20
    snmp-server community r RO 20
    snmp-server community a RW 20
    snmp-server community r RO 20
    snmp-server community P_RW RW
    snmp-server community P_RO RO
    snmp-server enable traps entity-sensor threshold
    snmp-server host 10.100.###.246 public
    snmp-server host 10.100.###.254 public
    access-list 20 permit 10.###.9.3
    access-list 20 permit 10.###.8.16
    access-list 20 permit 10.100.###.249
    access-list 20 permit 10.100.###.254
    access-list 20 permit 10.100.###.246
    control-plane
    banner motd ^CCCCCCC
    ****************** Warning! Warning! Warning! ********************
    This system is restricted to authorized users for business
    purposes.  Unauthorized access is a violation of the law.  This
    service may be monitored for administrative and security reasons.
    By proceeding, you consent to this monitoring
    ****************** Warning! Warning! Warning! ********************
    ^C
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    exec-timeout 60 0
    password 7 *removed*
    login local
    transport input ssh
    line vty 5 15
    exec-timeout 60 0
    password 7 *removed*
    login local
    transport input ssh
    scheduler allocate 20000 1000
    ntp server 10.###.8.8 prefer
    ntp server 10.###.231.200 prefer
    ntp server 10.###.8.69
    ntp server 10.###.1.6 prefer
    end
    Router 2
    Current configuration : 9013 bytes
    version 15.3
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname R-US-RS-WVPN2
    boot-start-marker
    boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
    boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
    boot-end-marker
    logging buffered 64000
    logging console critical
    enable secret 5 *removed*
    no aaa new-model
    clock timezone CET 1 0
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause rootguard
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery interval 303
    ip cef
    ip domain name corp.mann-hummel.com
    ip name-server 10.###.8.21
    ip name-server 10.###.8.96
    ip inspect dns-timeout 90
    ip inspect tcp idle-time 60
    ip inspect name fw smtp timeout 120
    ip inspect name fw ftp timeout 120
    ip inspect name fw realaudio
    ip inspect name fw tftp timeout 30
    ip inspect name fw udp timeout 30
    ip inspect name fw tcp timeout 60
    ipv6 multicast rpf use-bgp
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3179596086
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3179596086
    revocation-check none
    rsakeypair TP-self-signed-3179596086
    crypto pki certificate chain TP-self-signed-3179596086
    certificate self-signed 01
      *removed*
            quit
    license udi pid CISCO1921/K9 sn FTX153182M2
    spanning-tree vlan 229 priority 1###84
    redundancy
    ip ssh version 2
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    lifetime 3600
    crypto isakmp key *removed* address 70.###.172.142
    crypto isakmp key *removed* address 184.###.###.254
    crypto isakmp keepalive 35 11
    crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac
    mode tunnel
    crypto map vpn 10 ipsec-isakmp
    set peer 184.###.###.254
    set peer 70.###.172.142
    set transform-set Fay-Ral-WVPN-Tunnel
    match address gre-tunnel-list
    interface Loopback0
    ip address 10.###.0.12 255.255.255.255
    interface Tunnel2292
    description Failover-TimewarnerCable-Ral-Fay-WVPN2
    ip address 10.###.99.30 255.255.255.252
    no ip redirects
    cdp enable
    tunnel source 96.###.25.226
    tunnel destination 184.###.###.254
    crypto map vpn
    interface Tunnel2294
    description Failover-TimewarnerCable-Ral-Fay-WVPN2
    ip address 10.###.99.158 255.255.255.252
    no ip redirects
    cdp enable
    tunnel source 96.###.25.226
    tunnel destination 70.###.172.142
    crypto map vpn
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description Fay-Ral WVPN
    ip address 96.###.25.226 255.255.255.252
    ip access-group Block-Internet in
    ip access-group Block-Internet out
    duplex auto
    speed auto
    no cdp enable
    crypto map vpn
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0/0/0
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/1
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/2
    switchport access vlan 229
    no ip address
    interface GigabitEthernet0/0/3
    description PBX Eth2
    switchport access vlan 229
    no ip address
    interface Vlan1
    no ip address
    shutdown
    interface Vlan229
    ip address 10.###.229.252 255.255.255.0
    ip helper-address 10.###.231.201
    standby 229 ip 10.###.229.254
    standby 229 preempt
    router eigrp 100
    network 10.0.0.0
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip route 70.###.172.142 255.255.255.255 96.###.25.225
    ip route 184.###.###.254 255.255.255.255 96.###.25.225
    ip route 205.###.96.180 255.255.255.252 66.###.161.125
    ip access-list extended Block-Internet
    permit esp host 96.###.25.226 host 184.###.###.254
    permit esp host 184.###.###.254 host 96.###.25.226
    permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp
    permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp
    permit esp host 96.###.25.226 host 70.###.172.142
    permit esp host 70.###.172.142 host 96.###.25.226
    permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp
    permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp
    permit icmp host 96.###.25.226 host 184.###.###.254
    permit icmp host 184.###.###.254 host 96.###.25.226
    permit icmp host 96.###.25.226 host 70.###.172.142
    permit icmp host 70.###.172.142 host 96.###.25.226
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any packet-too-big
    permit icmp any any traceroute
    permit icmp any any unreachable
    deny   ip any any
    deny   icmp any any
    ip access-list extended gre-tunnel-list
    permit gre host 96.###.25.226 host 184.###.###.254
    permit gre host 96.###.25.226 host 70.###.172.142
    logging host 10.100.###.254
    logging host 10.100.###.246
    snmp-server community P_RW RW
    snmp-server community P_RO RO
    snmp-server community a RW 20
    snmp-server community r RO 20
    snmp-server community a RW 20
    snmp-server community r RO 20
    snmp-server enable traps entity-sensor threshold
    snmp-server host 10.100.###.246 public
    snmp-server host 10.100.###.254 public
    access-list 20 permit 10.###.9.3
    access-list 20 permit 10.###.8.16
    access-list 20 permit 10.100.###.249
    access-list 20 permit 10.100.###.254
    access-list 20 permit 10.100.###.246
    control-plane
    banner motd ^CCCCCC
    ****************** Warning! Warning! Warning! ********************
    This system is restricted to authorized users for business
    purposes.  Unauthorized access is a violation of the law.  This
    service may be monitored for administrative and security reasons.
    By proceeding, you consent to this monitoring
    ****************** Warning! Warning! Warning! ********************
    ^C
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    exec-timeout 60 0
    password 7 *removed*
    login local
    transport input ssh
    line vty 5 15
    exec-timeout 60 0
    password 7 *removed*
    login local
    transport input ssh
    scheduler allocate 20000 1000
    ntp server 10.###.8.8 prefer
    ntp server 10.###.231.200 prefer
    ntp server 10.###.8.69
    ntp server 10.###.1.6 prefer
    end

    UPDATE
    I have since applied the following config to the tunnel interfaces:
    ip mtu 1400
    ip tcp adjust-mss 1400
    tunnel path-mtu-discovery
    This worked and I was able to reset each user's PC to the default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.
    Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.
    This is crazy, does anyone have any ideas?
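
Added example (not part of the original post): a Python calculation of the on-wire packet size for the encapsulation in the posted configuration (GRE matched by a crypto map using `esp-aes esp-md5-hmac`, `mode tunnel`), used to check an `ip mtu` / `ip tcp adjust-mss` pair such as the one in the UPDATE. It assumes IPv4 without options, AES-CBC with a 16-byte IV, a 4-byte GRE header, no NAT-T and a 1500-byte WAN link; all function names are illustrative.

```python
"""Packet-size budget for GRE protected by ESP in tunnel mode (added example)."""

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
GRE_HDR = 4          # basic GRE header (no key, sequence or checksum field)
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad-length byte + next-header byte
AES_CBC_BLOCK = 16   # AES block size; also the per-packet IV length in CBC
HMAC_96_ICV = 12     # HMAC-MD5-96 / HMAC-SHA1-96 integrity value


def esp_tunnel_size(plain_len, block=AES_CBC_BLOCK, icv=HMAC_96_ICV):
    """Size of the outer IPv4 packet after ESP tunnel mode wraps plain_len bytes."""
    # Plaintext plus the 2-byte trailer is padded up to whole cipher blocks.
    blocks = (plain_len + ESP_TRAILER + block - 1) // block
    return IPV4_HDR + ESP_HDR + block + blocks * block + icv


def wire_size(inner_ip_len):
    """Size on the WAN link of one inner IP packet sent through GRE, then ESP."""
    gre_packet = IPV4_HDR + GRE_HDR + inner_ip_len
    return esp_tunnel_size(gre_packet)


def max_inner_mtu(link_mtu=1500):
    """Largest inner IP packet that crosses the link without fragmentation."""
    size = link_mtu
    while size > 0 and wire_size(size) > link_mtu:
        size -= 1
    return size


def mss_for(ip_mtu):
    """Largest TCP MSS whose full-size segments still fit inside ip_mtu."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def check_tunnel(ip_mtu, adjust_mss, link_mtu=1500):
    """Return findings for an 'ip mtu' / 'ip tcp adjust-mss' pair on a tunnel."""
    findings = []
    on_wire = wire_size(ip_mtu)
    if on_wire > link_mtu:
        findings.append(
            f"ip mtu {ip_mtu} becomes {on_wire} bytes on the wire, "
            f"above the link MTU of {link_mtu}"
        )
    segment = adjust_mss + IPV4_HDR + TCP_HDR
    if segment > ip_mtu:
        findings.append(
            f"adjust-mss {adjust_mss} allows {segment}-byte IP packets, "
            f"above ip mtu {ip_mtu}; expected at most {mss_for(ip_mtu)}"
        )
    return findings


if __name__ == "__main__":
    print("wire size for a 1400-byte inner packet:", wire_size(1400))
    print("largest unfragmented inner packet:", max_inner_mtu(1500))
    for mtu, mss in ((1400, 1400), (1400, 1360)):
        result = check_tunnel(mtu, mss)
        print(f"ip mtu {mtu}, adjust-mss {mss}:", result or "consistent")
```

With an MSS clamp equal to the IP MTU, full-size TCP segments are 40 bytes larger than the tunnel's IP MTU, so delivery depends on fragmentation or on path MTU discovery working end to end.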

  • How do you change the MTU size in a Cisco 871?

    This 871 is at a remote site and is an ezvpn IPsec client (network extension mode) back to a 3030 headend.
    We're having problems with a PC trying to connect through the IPsec tunnel and we think it may be an MTU size problem.
    Int F4 is the outside interface.
    We are using a virtual-template associated with the crypto ipsec client ezvpn statement.
    When I go into any of the 871 interfaces and type 'mtu 1370' it errors out with 'The F4 (or whatever interface) does not allow manual MTU size configuration.'
    If I type 'ip mtu 1370' on F4 (or vlan1 or virtual-template 1) this is accepted, but when I do a 'show int f 4', it still shows an MTU of 1514, even after a reload.
    What is the correct way to set the MTU size in the 871 router - and is it best set on the F4 interface, the vlan, or the virtual-template interface?

    Hi
    As per the supporting doc, the Cisco 871 has one WAN Ethernet interface and 2 switch ports.
    I feel you are trying to change the MTU under the switch port, which may not be possible.
    You can refer to the link below for more info.
    http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html
    regds

  • How do you change the mtu size

    I recently bought a WRT54G wireless router and I have my desktop directly hooked up (not wireless), and every time I go to play games or surf the net it has some pretty severe lag spikes. I have done some searching and I see something about changing the MTU to a certain amount, but I have no idea what that is or how to change it. So if you have any suggestions for me, that would be appreciated.

    Connect a computer to the router's port #1 and access the router using http://192.168.1.1 . The default password is admin.
    On the UI, under the "Basic Setup" subtab, you have an option to change the MTU size. By default the MTU is disabled. Change it to enable and change the MTU size as required.

  • MTU size

    Is there a way to check the current MTU size (as per the document 1500 is the default size) on CUCM?
    we have a customer who is using cucm with nice recording server, there is some issue in the recording and as per them they are getting MTU size 1340 from CUCM in their logs.
    Please let me know if there is any command to check the current MTU size.

    Hi Pawan,
    You can try the following command:
    admin:show network route detail
    It will give you the MTU setting towards the bottom of the output, something like below from my lab server
    ff00::/8 dev eth0  table 255  metric 256  expires 20098217sec mtu 1500 advmss 14
    HTH
    Manish

  • EIGRP MTU Size Causing Neighbor Flap - Pls help!

    I've been reading the post here which is quite good but, I have some outstanding questions I hope someone can help me with?
    https://learningnetwork.cisco.com/thread/43100#233367
    Essentially, we have a DCI which is an EVPL link - layer 2. The EVPL connection is terminated with a Cisco 3925 at each location (once it comes out of the provider's Ciena box). It is a dot1q tagged trunk - L2 connection. We are running EIGRP between the two. Before setting up OTV, all link sizes were 1500 MTU... which obviously will not work with OTV... and it didn't! OTV is running on 7Ks a few hops away from each 3925. So, I went on each and every link (painstakingly) and configured the MTU size for 9216, enabling jumbo frames at the system level too where applicable. What do you know, OTV started working and I could ping to at least up to 2000 bytes with the DF-bit set too! (I didn't try any higher.)
    Last night, our provider did some 'maintenance' without telling us, which brought the link down. The link was 'down' even after the maintenance was completed. After looking in the logs and seeing this, I suspected it had to do with MTU sizes after quickly googling around.
    May 13 12:33:13.698: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is down: Interface PEER-TERMINATION received
    May 13 12:33:13.976: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is up: new adjacency
    May 13 12:33:24.266: %SYS-5-CONFIG_I: Configured from console by izzi on vty0 (10.241.6.12)
    May 13 12:34:00.286: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is down: Interface PEER-TERMINATION received
    May 13 12:34:00.616: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is up: new adjacency
    May 13 12:34:46.922: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is down: Interface PEER-TERMINATION received
    May 13 12:34:47.280: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is up: new adjacency
    May 13 12:35:37.364: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is down: holding time expired
    May 13 12:37:29.725: %SYS-5-CONFIG_I: Configured from console by izzi on vty0 (10.241.6.12)
    May 13 12:37:47.430: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is up: new adjacency
    May 13 12:39:01.508: %SYS-5-CONFIG_I: Configured from console by izzi on vty0 (10.241.6.12)
    May 13 12:39:11.943: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is down: Interface PEER-TERMINATION received
    May 13 12:39:13.973: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 198.28.132.30 (GigabitEthernet0/0.2) is up: new adjacency
    So, I reduced the MTU size back to 1500 and lo and behold, adjacency stayed. Let me also say that there weren't any errors on the links either. So, I decided to try and increase the MTU back up to 9216 - OTV started working again and adjacency held - it didn't flap. I thought for a second and decided to bounce the link. Once I did this, EIGRP started flapping again with the same exact behavior. After calling the provider, they claim that their max MTU is only 1522 for our EVPL link. I don't see this being possible since I was able to ping with the DF-bit set way above 1522. Maybe I'm missing something. We are going to coordinate with them to increase the MTU size on the link. But why/how did it work to begin with - especially since OTV doesn't support fragmentation... I understand that OTV adjacency can still form since ISIS only needs 14xx something... but I wasn't able to get certain protocols/services like ESXi host management to work via OTV until I increased the MTU size.
    Also, after reading the above article it sounds like EIGRP will 'peer' or decide on the MTU of its update packets? If that's the case, maybe the bouncing of the link allowed EIGRP to negotiate its packet sizes to above 1500 and that's why if I change the MTU size to above 1500 everything works fine - OTV/2000 byte DF-bit set ping, until I bounce the link? If this is the case, is there any way to 'force' EIGRP to use 1500 for its protocol traffic packets and allow everything else to use the MTU set on the link?
    I would appreciate any help explaining this - hopefully you're not as confused as I was after reading it again!

    Did you ever find the root cause and the solution for this? We are experiencing the same issues with our 2 Catalyst 4500s and a couple of routers on our inter-routing VLAN that we use for only the 2 chassis and a couple of routers. MTU is already set at 1500 on the 2 chassis.
    005326: Jan 19 11:30:02: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.21 (Vlan990) is down: Peer goodbye received
    005327: Jan 19 11:30:05: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.1 (Vlan990) is up: new adjacency
    005328: Jan 19 11:30:05: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.21 (Vlan990) is up: new adjacency
    005329: Jan 19 11:30:07: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.12 (Vlan990) is down: holding time expired
    005330: Jan 19 11:30:27: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.21 (Vlan990) is down: Peer goodbye received
    005331: Jan 19 11:30:28: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.11 (Vlan990) is down: Peer goodbye received
    005332: Jan 19 11:30:28: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.1 (Vlan990) is down: Peer goodbye received
    005333: Jan 19 11:30:30: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.12 (Vlan990) is up: new adjacency
    005334: Jan 19 11:30:30: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.11 (Vlan990) is up: new adjacency
    005335: Jan 19 11:30:30: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.1 (Vlan990) is up: new adjacency
    005336: Jan 19 11:30:32: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 65001: Neighbor 10.190.254.21 (Vlan990) is up: new adjacency

  • AirPort Wireless Leopard Mac-Mini  Setting the MTU size

    Does anyone know how to set the MTU size for the wireless?
    Setting the MTU on the Ethernet is easy now that an Advanced>> custom option is available for the Ethernet interface. But no such interface exists for the wireless NIC card. The Mac default = 1500 and for use in PPTP VPNs that causes issues, so I would like to set the MTU to 1200.
    PPTP works great with Ethernet set for 1200.
    Also, using Fusion and a Windows VM I can set the MTU size for the wireless and PPTP works great inside the Windows VM.
    Now if I could just set the MTU for the wireless when operating in normal Mac OS.

    Open a terminal window, and, assuming your airport interface is called "en0", enter the following command :
    ifconfig en0 mtu 1200
    You'll have to do this each time you restart the system, though, so you might want to setup a startup script yourself or use a third-party utility to do so.

  • System MTU size on Cisco switch

    After setting sys mtu to something other than 1500 on a WS-C3750G-24TS-1U, it appears that this setting will stay in effect even if the startup config is erased and the switch is reloaded. My question is: does this mean that if I need to replace the switch and I just load a saved version of the config and the vlan.dat files, then most likely, if I am running a non-default MTU, this will not be in effect on the new switch?

    Hi IP,
    If I understood properly, you have changed the MTU size of the Cisco 3750 from the default 1500 bytes to 1998 (e.g.), and now even after restarting the switch this MTU size doesn't return to the default value of 1500 bytes. Also, when you load this config and vlan.dat file, you want to know whether this changed MTU value will be in effect. The answer is NO, because the config and vlan.dat don't contain this MTU setting. But you can again manually change the MTU size to 1500 bytes and restart the switch.
    Hope this helps.
    Rate this post if it has been clarified.

  • VPN MTU Size

    Get this same problem with any Cisco router site-site VPN. Have various customers with 857, 877, 1841, 2811 routers, same problem every time. I'm setting up a VPN with the SDM, link goes up ok, but traffic seems oddly sluggish.
    Installing the Cisco VPN client on all PCs seems to resolve the problem - I'm guessing because it sets the MTU size to 1300 - but you always get this error message when testing the VPN from the SDM:
    Failure Reason(s)
    A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
    Recommended Action(s)
    1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
    The crypto command doesn't make any difference.
    Any ideas gratefully received.

    I see the same problem - I have a VPN configured across the Internet between a Cisco 2811 router to a Checkpoint firewall.
    Lower the MTU size on the clients to below the usual 1500 bytes (to below 1300 as specified above) and traffic flows without problem across the VPN. It seems the additional header when going through the tunnel is causing problems.
    Is reducing the MTU size on the router interface a possibility? This may cause increased overhead to the router as it has to fragment each packet, and I understand some firewalls may not even allow fragmented packets through. However, changing settings on users' desktops / servers is not very scalable, and there will come a time when this isn't possible (old printers??). Is there any specific configuration advice that can be recommended?
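
The "additional header" mentioned in this thread can be put into numbers. The following is an added example, not code from either poster or from Cisco: it computes the on-the-wire size of an IPsec ESP tunnel-mode packet and the largest inner packet and TCP MSS that fit a given path MTU. The two transforms and the 1500-byte WAN path MTU are assumptions, since the thread does not state the configured ciphers.

```python
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # extra UDP header when ESP is UDP-encapsulated (NAT-T)
TCP_IPV4 = 40     # inner IPv4 (20) + TCP (20) headers, no options


@dataclass(frozen=True)
class Transform:
    name: str
    iv: int     # IV bytes carried in every ESP packet
    align: int  # payload + trailer is padded to a multiple of this
    icv: int    # integrity check value (authentication tag) bytes


# Assumed transforms; the thread does not say which one is configured.
AES_CBC_SHA1 = Transform("AES-CBC + HMAC-SHA1-96", iv=16, align=16, icv=12)
AES_GCM = Transform("AES-GCM, 16-byte ICV", iv=8, align=4, icv=16)


def _fixed(t, nat_t):
    """Bytes added to every packet regardless of padding."""
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + t.iv + t.icv


def esp_packet_size(inner_len, t, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // t.align) * t.align  # round up
    return _fixed(t, nat_t) + padded


def max_inner_packet(path_mtu, t, nat_t=False):
    """Largest inner IP packet that still fits in path_mtu without fragmentation."""
    room = (path_mtu - _fixed(t, nat_t)) // t.align * t.align  # round down
    return room - ESP_TRAILER


def tcp_mss(path_mtu, t, nat_t=False):
    """TCP MSS to clamp to so full-size segments fit through the tunnel."""
    return max_inner_packet(path_mtu, t, nat_t) - TCP_IPV4


if __name__ == "__main__":
    for t in (AES_CBC_SHA1, AES_GCM):
        print(t.name)
        for inner in (1500, 1300):  # default client MTU vs. the value from the thread
            print(f"  inner {inner} -> {esp_packet_size(inner, t)} bytes on the wire")
        print(f"  max inner packet {max_inner_packet(1500, t)}, TCP MSS {tcp_mss(1500, t)}")
```

Under these assumptions a full 1500-byte packet with DF set grows to 1560 bytes and cannot cross a 1500-byte path, which matches the SDM test failure, while a 1300-byte packet becomes 1368 bytes and passes. Clamping the TCP MSS on the router to the computed value addresses the same problem centrally instead of changing every client.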
