blog.wansend.com

May 17, 2007

Using Ping to find the largest MTU along a VPN route

Filed under: Cisco — wansend @ 11:24 pm

When a wide area network uses a VPN, the additional encapsulation overhead will cause packet fragmentation that can slow the network down and cause Microsoft Active Directory to grind to a halt. You can use Ping.exe and the [x+28=MTU] rule to determine the effective MTU that should be configured on the Cisco router (the 28 bytes are the 20-byte IPv4 header plus the 8-byte ICMP echo header that ping adds on top of the payload size you give it with -l). MTU is the Maximum Transmission Unit, the largest packet size an interface will send. For this exercise [10.1.1.1] is the remote IP of another Microsoft box that we are going to test pings to.

1. From a Microsoft box, ping 10.1.1.1 – to make sure it is up across the VPN.

2. ping 10.1.1.1 -f -l 1473     This will show you what a failed don't-fragment ping looks like. 1473+28=1501, which would need fragmentation because it is greater than 1500, the default Ethernet MTU; since -f sets the Don't Fragment bit, the ping fails instead of being fragmented.

3. ping 10.1.1.1 -f -l 1449     This failed for me, meaning an MTU of 1449+28=1477 wasn't small enough for the VPN path.

4. ping 10.1.1.1 -f -l 1448     This pinged successfully for me, meaning a packet of 1448+28=1476 bytes crossed the VPN without being fragmented, which is good. I'm looking for the largest number I can get that doesn't fail. Now I know what MTU to configure on my VPN routers: 1476.

5. Now go to the Cisco router, enter configuration terminal mode for the VPN interface, and add the line "ip mtu 1476" (or whatever number you came up with in the last step). You shouldn't have to add the line to the Ethernet interfaces, because that would lower the MTU for all of the traffic, even browser traffic that doesn't use the VPN.
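The five steps above can be automated. The script below is an added example, not code from the post: it wraps the same don't-fragment ping (Windows ping.exe -f -l, or iputils ping -M do -s on Linux, where -s is likewise the ICMP payload so the +28 rule still holds), and instead of walking down one byte at a time it binary-searches for the largest payload that gets a reply, then applies the [x+28=MTU] rule. The host 10.1.1.1 is the post's; simulated_probe is a constructed stand-in for ping so the search can be shown offline, and a real run needs ICMP allowed end to end.

```python
"""Find the largest unfragmented MTU across a VPN path using the post's x+28 rule (added example)."""
import platform
import subprocess
from typing import Callable, Optional

IPV4_ICMP_OVERHEAD = 28          # 20-byte IPv4 header + 8-byte ICMP echo header on top of the payload
DEFAULT_ETHERNET_MTU = 1500      # so the largest payload worth trying is 1472


def ping_with_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request of `payload` bytes with the Don't Fragment bit set.

    Windows: ping -f -l <size>    (the post's command)
    Linux:   ping -M do -s <size> (iputils; assumed here, not from the post)
    True only if an echo reply came back; a "needs to be fragmented" notice or a
    timeout produces no reply line and counts as a failure.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # Both ping implementations print "TTL=" / "ttl=" only on a genuine reply.
    return result.returncode == 0 and "ttl=" in result.stdout.lower()


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 low: int = 0,
                                 high: int = DEFAULT_ETHERNET_MTU - IPV4_ICMP_OVERHEAD) -> Optional[int]:
    """Binary-search the largest payload for which probe() succeeds.

    Success is monotonic in the size (if 1448 fits, so does 1447), so this reaches
    the post's answer in about 11 probes instead of one probe per byte.
    Returns None when even `low` bytes get no reply (host down or ICMP filtered),
    which is the post's step 1 check.
    """
    if probe(high):
        return high                      # no restriction below the default MTU on this path
    if not probe(low):
        return None
    good, bad = low, high                # invariant: probe(good) succeeded, probe(bad) failed
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            good = mid
        else:
            bad = mid
    return good


def mtu_from_payload(payload: int) -> int:
    """The post's rule: the MTU to configure is the working payload plus 28."""
    return payload + IPV4_ICMP_OVERHEAD


def discover_path_mtu(host: str) -> Optional[int]:
    """End to end: probe `host` with real pings and return the value for 'ip mtu <n>'."""
    payload = largest_unfragmented_payload(lambda size: ping_with_df(host, size))
    return None if payload is None else mtu_from_payload(payload)


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: succeeds iff the whole packet fits the given path MTU."""
    return lambda payload: payload + IPV4_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Offline demonstration against a constructed path whose MTU is 1476, the post's result.
    best = largest_unfragmented_payload(simulated_probe(1476))
    print(f"largest payload {best} bytes -> configure 'ip mtu {mtu_from_payload(best)}'")
    # Real run against the post's host (needs network access and ICMP allowed end to end):
    # print(discover_path_mtu("10.1.1.1"))
```

The reply check looks for a TTL field rather than trusting the exit code, because a "Packet needs to be fragmented but DF set" notice is not a reply even though ping may still exit cleanly. If the search returns None, fix reachability (step 1) before reading anything into the sizes.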

When you hold down the MTU anywhere along the router path, the routers will advertise the smallest MTU to the endpoints as part of the TCP/UDP negotiation process. You'd think MTU discovery would be automatic, but it is only half-automatic. Still, this is better than using Regedit on every computer to tweak the MTU downward.


1 Comment »

  1. […] your son's SBS. If that works, determine what the MTU is by following this website's suggestions: http://wansend.wordpress.com/2007/05…g-a-vpn-route/ If it is lower than 1492, there will be a problem, because Ldap has problems under 1500. Also, if […]

    Pingback by xp pro in remote AD | keyongtech — January 18, 2009 @ 5:35 pm | Reply

