This article explains how to set the MTU value on the default WAN interface whenever the VPNs are experiencing throughput (or packet retransmission) issues.
Note: Sometimes the article How to change the MTU size is enough, but at other times you may experience further issues, in which case you may find this information useful.
Encapsulation Overhead
When one protocol's packets or frames are encapsulated within another protocol, the overall frame size increases. The encapsulation adds protocol header overhead, so 1500-byte packets sent by systems across the network cannot be delivered intact to the other side. The number of bytes of protocol overhead varies with the encapsulation type. Following is a list of protocol and encapsulation overhead added to the frame.
As per How to change the MTU size , you should set the MTU size according to.
However, if you're running VPN traffic in your network and you're experiencing throughput issues, you may try following the instructions below.
Ping -f -l #
Example: Ping -f -l 1464 8.8.8.8
If the ping is successful (no packet loss) at 1464 payload size, the standard MTU will be "1464 (payload size) + 20 (IP Header) + 8 (ICMP Header)" = 1492.
1464 Max packet size from Ping Test
+ 28 IP and ICMP headers
1492 is your optimum MTU Setting
If the ping passes successfully, you will get a reply from the IP address specified. If the packet was too large, you will get the message "Packet needs to be fragmented but DF set" (with 100% packet loss). Reduce the buffer size until you get a successful reply.
NOTE: Add 28 to that number; the result is the value to set as the SonicWall "Interface MTU".
NOTE: The MTU size does not account for the IPSec overhead.
So we need to include the IPSec header according to the following table:
IPSec Transform Set | IPSec Overhead, Maximum Bytes |
esp-AES-(256 or 192 or 128) esp-SHA-hmac or md5 | 73 |
esp-AES (256 or 192 or 128) | 61 |
esp-3des, esp-DES | 45 |
esp-(DES or 3des) esp-SHA-hmac or md5 | 57 |
esp-null esp-SHA-hmac or md5 | 45 |
ah-SHA-hmac or md5 | 44 |
The MTU size will be:
1492 Non-VPN traffic MTU Size
- X IPSec Overhead
1492 - X Definitive MTU Size
EXAMPLE:
1492 Non-VPN traffic MTU Size
- 73 IPSec Overhead
1419 Definitive MTU Size
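The ping test and arithmetic above, automated as an added example (not SonicWall code): a Python script that binary-searches the largest Don't Fragment ping payload, adds the 28 header bytes and subtracts the IPSec overhead from the table. The transform-set key names, the 1200 to 1472 search bounds and the Linux ping flags are assumptions made for this example.

```python
import platform
import subprocess

# IPSec overhead (maximum bytes) from the article's table; key names are made up here.
IPSEC_OVERHEAD = {
    "esp-aes+auth": 73,       # esp-AES-(256|192|128) with esp-SHA-hmac or md5
    "esp-aes": 61,            # esp-AES (256|192|128), no authentication
    "esp-3des/des": 45,       # esp-3des, esp-DES
    "esp-3des/des+auth": 57,  # esp-(DES or 3des) with esp-SHA-hmac or md5
    "esp-null+auth": 45,      # esp-null with esp-SHA-hmac or md5
    "ah": 44,                 # ah-SHA-hmac or md5
}
IP_ICMP_HEADERS = 28  # 20-byte IP header + 8-byte ICMP header


def ping_df(host, payload):
    """Send one ping with Don't Fragment set; True if an echo reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils equivalent of the Windows -f -l flags
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Require a TTL in the output: an exit code of 0 alone is not a reliable reply signal.
    return out.returncode == 0 and "ttl=" in out.stdout.lower()


def max_df_payload(probe, low=1200, high=1472):
    """Binary-search the largest payload for which probe(payload) is True."""
    if not probe(low):
        raise RuntimeError("no reply at the smallest payload; check reachability")
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            low = mid        # mid fits unfragmented, look higher
        else:
            high = mid - 1   # mid needs fragmentation, look lower
    return low


def interface_mtu(payload, transform=None):
    """Payload + 28 is the non-VPN MTU; subtract the IPSec overhead if given."""
    mtu = payload + IP_ICMP_HEADERS
    return mtu - IPSEC_OVERHEAD[transform] if transform else mtu


if __name__ == "__main__":
    best = max_df_payload(lambda size: ping_df("8.8.8.8", size))
    print("Non-VPN traffic MTU size:", interface_mtu(best))
    print("MTU with AES + SHA/MD5 IPSec:", interface_mtu(best, "esp-aes+auth"))
```

Because the probe is passed in as a function, the search can be checked against a simulated path before it is pointed at a real host.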
To set the new MTU value, go to Network | Interfaces, select the WAN interface through which the VPN traffic passes and: