Set MTU in VPN environment in case of throughput issues

02/13/2024 1,411 People found this article helpful 481,638 Views

Description

This article explains how to set the MTU value on the default WAN interface whenever the VPNs are experiencing throughput (or packet retransmission) issues.

Note: Sometimes the article How to change the MTU size is enough, but other times you may experience further issues so you may find these information useful.

Cause

Encapsulation Overhead

When one protocol's packets or frames get encapsulated within another protocol there is an overall increase in the frame size. The encapsulation that takes place adds protocol header overhead, and thus the systems sending 1500-byte packets across the network cannot be sent in-tack to the other side. The amount of bytes of protocol overhead vary based on the encapsulation type. Following is a list of protocol and encapsulation overhead added to the frame.

Any time you add another outer IPv4 header adds 20 bytes.
IPSec encryption performed by the DMVPN adds 73 bytes for ESP-AES-256 and ESP-SHA-HMAC overhead (overhead depends on transport or tunnel mode and the encryption/authentication algorithm and HMAC).
MPLS adds 4 bytes for each label in the stack.
IEEE 802.1Q tag adds 4 bytes (Q-in-Q would add 8 bytes).

Resolution

As per How to change the MTU size , you should set the MTU size according to.

your ISP's instructions
some tests you have to run.

However if you're running VPN traffic in your network and you're experiencing throughput issues, you may try following the instructions below.

Ping -f -l #

MTU Test in a non-VPN Environment.

Example: Ping -f -l 1464 8.8.8.8

If the ping is successful (no packet loss) at 1464 payload size, the standard MTU will be "1464 (payload size) + 20 (IP Header) + 8 (ICMP Header)" = 1492.

1464 Max packet size from Ping Test
+ 28 IP and ICMP headers
1492 is your optimum MTU Setting

If the PING passes successfully, you will get a reply from the IP address specified. If the packet was too large you will get the message: "Packet needs to be fragmented but DF set" (with 100% packet LOSS). Reduce the buffer size until you are successfully connected.

NOTE: Add 28 to that number, and the result will be the value being set to SonicWall "Interface MTU".

MTU Test in a VPN Environment experiencing throughput issues

EXAMPLE: Ping -f -l 1464 8.8.8.8

If the ping is successful (no packet loss) at 1464 payload size, the MTU should be "1464 (payload size) + 20 (IP Header) + 8 (ICMP Header)" = 1492

1464 Max packet size from Ping Test
+ 28 IP and ICMP headers
1492 should be your optimum MTU Setting

NOTE: The MTU size does not account for the IPSEC overhead.

So we need to include the IPSec Header according to the following table

IPSec Transform Set	IPSec Overhead, Maximum Bytes
esp-AES-(256 or 192 or 128) esp-SHA-hmac or md5	73
esp-AES (256 or 192 or 128)	61
esp-3des, esp-DES	45
esp-(DES or 3des) esp-SHA-hmac or md5	57
esp-null esp-SHA-hmac or md5	45
ah-SHA-hmac or md5	44

The MTU Size will be

1492 Non-VPN traffic MTU Size
- X IPSec Overhead

X Definive MTU Size

EXAMPLE:

1492 Non-VPN traffic MTU Size
- 73 IPSec Overhead
1419 Definive MTU Size

To set up the new MTU value, you can go under Network | Interfaces, select the WAN interface from which the VPN traffic is going through and:

Navigate to Advanced tab.
Change the MTU value with the one obtained with the previous test.
Click OK.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Set MTU in VPN environment in case of throughput issues

Description

Cause

Resolution

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch