Skip to content

Different MTU Settings on a Cisco 877 Router

I have a remote site on an ADSL connection using a Cisco 877 router. There’s an IPSec VPN back to my location. They connection speed is very good:

Download Speed (kbps): 23410
Upload Speed (kbps): 1017

The ADSL router was configured with pretty typical MTU and MSS settings (probably copied off the Internet):

interface Vlan1
ip mtu 1452
ip flow ingress
ip tcp adjust-mss 1452

interface Dialer0
ip mtu 1452

The remote site has a VMware ESXi server. I couldn’t remotely connect to the ESXi server using the vSphere client. I could connect using ssh. However, if I tried running any command with a reasonable size output (e.g. ps) the session would hang and then time out. I could connect to a remote server using RDP, but it was very slow to connect (once connected the RDP session was fine).

I had no problems connecting to the ESXi server from the VMware session.

I tried running an FTP on the remote server and copying a file to my location with the following result:
ftp: 149504 bytes sent in 28.89Seconds 5.17Kbytes/sec.

That’s pretty slow for a connection with almost 1Mbps upload speed.

So, I started playing around with MTU and MSS (in the following tests MSS was either set to the same value as MTU or 40 bytes less):
mtu 1200
ftp: 149504 bytes sent in 1.58Seconds 94.74Kbytes/sec.

mtu 1300
ftp: 149504 bytes sent in 2.84Seconds 52.62Kbytes/sec.

I finally settled on the following:

interface Vlan1
ip mtu 1242
ip flow ingress
ip tcp adjust-mss 1200

interface Dialer0
ip mtu 1452

94Kbytes/sec is pretty reasonable for a 1Mb link with round trip latency of around 83ms.

Then I started wondering if my ACL was blocking Path MTU Discovery. So, I added the following to the inbound ACL on the 877 (as per http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml) and changed the MTU values back to original:

permit icmp any any unreachable
permit icmp any any time-exceeded

However, there were no hits and it didn’t seem to help at all:
ftp: 149504 bytes sent in 28.73Seconds 5.20Kbytes/sec.

Then after reading a bit more I wondered what would happen if I took all the MTU and MSS settings off:
ftp: 149504 bytes sent in 3.05Seconds 49.08Kbytes/sec.

Hmm. Much better than the original settings, although not as good as MTU 1200. Perhaps the link might be under a bit of load, let’s try again:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.

And a third time:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.

So I tried a fourth and fifth time (both had the same result):
ftp: 149504 bytes sent in 1.50Seconds 99.67Kbytes/sec.

So, I thought, maybe the router or computer is remembering the session and MTU (if it’s doing MTU discovery). So I disconnected the FTP sessions and reconnected:
ftp: 149504 bytes sent in 1.50Seconds 99.74Kbytes/sec.

Amazing. So the tip? Perhaps the best way to handle MTU is to not worry about it.

This was written by admin. Posted on Tuesday, April 20, 2010, at 6:50 pm. Filed under Cisco, IOS, IPSec, Router. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback.

Post a Comment

Your email is never published nor shared. Required fields are marked *
*
*