TCPIP MTU settings

Eric Henriksen eric at redcreek.com
Mon Jul 26 22:53:28 EDT 1999


To any RedCreek partners out there, here's the official response from CS...

----- Original Message -----
From: philip bridge <lists at bridgenet.ch>
To: <vpn at listserv.secnetgroup.com>
Sent: Friday, July 23, 1999 4:03 AM
Subject: Re: TCPIP MTU settings


> Unfortunatly, MTU discovery is often broken by OSes that don't do path
> discovery properly, and firewalls that block all ICMP messages. And you
> usually can't change the MTU of an ethernet LAN.
>
> The same problem occurs in VPNs based on GRE or MPLS tunnels.
>
> If you have both host ends under your control, you have to make sure that
> the ends can do proper path discovery and discover that the effective MTU
> of the path is now 1500 minus encapsulation header.
>
> There is some documentation on the Internet concerning broken MTU path
> discovery with NT, and how to fix it. I don't have those references to
hand
> now, but a search will find them.
>
> (Of course, if you don't have both ends under your control, this is a real
> problem. There is no real solution for the case where you want to gice a
> VPN access to the Internet, because there are a lot of internet sites with
> broken MTU path discovery)
>
> Phil
>
> At 11:19 19.07.99 -0400, Robert Moskowitz wrote:
> >At 09:36 AM 7/19/99 +0100, guy.raymakers at europe.eds.com wrote:
> >>
> >>The remote network (offices) have a NT server and an IPsec enabled
> router. The
> >>router encapsulates the TCP/IP packets into IPsec packets.  When using
the
> >>default tcpip MTU ( = 1500), on the NT server,  we get problems when
doing
> >file
> >>transfers. When we lower the tcpip MTU to 1444 we don't have these
problems.
> >>The remote office ISP is a different one then our ISP.
> >>
> >THere is extensive discussion in the IPsec specification about potential
> >MTU issues (MObileIP does likewise).  You have two choices:  MTU
discovery,
> >or static reduction of MTU to get through the tunnel.
> >
> >
> >Robert Moskowitz
> >ICSA, Inc.
> > (248) 968-9809
> >Fax: (248) 968-2824
> >rgm at icsa.net
> >
> >There's no limit to what can be accomplished
> >if it doesn't matter who gets the credit
> >
> >
> >****************************************************************
> >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
> >
> >The VPN FAQ (under construction) is available at
> >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
> >
> >We are currently experiencing "unsubscribe" difficulties.  If you
> >wish to unsubscribe, please send a message containing the single line
> >"unsubscribe vpn your-e-mail-address" to
owner-vpn at listserv.secnetgroup.com
> >
> >****************************************************************
> >
> ______________________________________________________________
> Philip Bridge                                 www.bridgenet.ch
> ______________________________________________________________
> It might look like I'm doing nothing, but at the cellular
> level I'm really quite busy...
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to
owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Flash-0021.doc
Type: application/msword
Size: 20480 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/19990726/2a9b2a94/attachment.doc 


More information about the VPN mailing list