How big is your packet, MTU / MSS and other TCP headaches

There are a lot of misperceptions about packet size and the various mechanisms that allow a packet to flow smoothly along a network path. To avoid fragmentation, which hurts performance and can overwhelm some network devices, it is important for both ends to send appropriately sized packets.

Maximum Transmission Unit

There are a couple of ways that a system determines the packet size a path will carry. The one that I think is surrounded by a lot of misconceptions is Path MTU Discovery, or PMTUD. It works like this: the system sends out a packet of a certain size with the Don’t Fragment bit set in the header. If the packet is too large for the network, the system gets an ICMP message saying so. It then reduces the size of the packet and tries again until it finds one that works.

Maximum Segment Size

The problem with PMTUD is that in practice it generally does not work. It is hit or miss at best, for many reasons. There is another mechanism that is more successful at establishing the appropriate size: Maximum Segment Size, or MSS.

When a host initiates a connection by sending a SYN packet, it also includes an MSS value. Each device along the way looks at the header and compares the MSS value in it to what the device knows the MSS to be. If the device has a lower MSS, it adjusts the value in the header down and sends the packet on its way. By the time the packet reaches the destination address, the destination should know the size of the path, and it then returns an MSS to the source address.

If you do encounter MTU problems, you can reduce the MSS on your routers by setting the tcp mss-adjust value (on Cisco devices, that is). By setting it to an appropriate size you should be able to get your traffic flowing again. Another thing to be aware of is that most systems will cache an MSS value. You may need to restart the networking process on your system, or restart the system itself, to clear it.
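The header comparison and adjustment described above, sketched in Python as an added example (not code from the original post or from any router vendor). The function names, the sample SYN built from documentation addresses, and the device-side MSS of 1360 are all assumptions made for illustration.

```python
import struct

def ones_sum(data: bytes, acc: int = 0) -> int:
    """16-bit one's-complement sum, the arithmetic behind the TCP checksum."""
    for (word,) in struct.iter_unpack("!H", data + b"\x00" * (len(data) % 2)):
        acc += word
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return acc

def find_mss(tcp: bytes):
    """Return (offset of the 2-byte MSS value, MSS) or None if no MSS option."""
    hdr_len = (tcp[12] >> 4) * 4               # data offset counts 32-bit words
    if not 20 <= hdr_len <= len(tcp):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < hdr_len and tcp[i] != 0:         # kind 0 = end of option list
        if tcp[i] == 1:                        # kind 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            raise ValueError("malformed TCP option")
        if tcp[i] == 2 and tcp[i + 1] == 4:    # kind 2, length 4 = MSS
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += tcp[i + 1]
    return None

def clamp_mss(tcp: bytes, device_mss: int) -> bytes:
    """Lower the MSS in a SYN to device_mss if it is larger; patch the checksum."""
    found = find_mss(tcp)
    if not tcp[13] & 0x02 or found is None or found[1] <= device_mss:
        return tcp                             # not a SYN, or nothing to lower
    off, out = found[0], bytearray(tcp)
    struct.pack_into("!H", out, off, device_mss)
    acc = ~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF
    for w in range(off & ~1, off + 2, 2):      # aligned 16-bit words the edit touched
        old, new = struct.unpack_from("!H", tcp, w)[0], struct.unpack_from("!H", out, w)[0]
        acc = ones_sum(struct.pack("!HH", ~old & 0xFFFF, new), acc)  # RFC 1624 update
    struct.pack_into("!H", out, 16, ~acc & 0xFFFF)
    return bytes(out)

# Constructed sample: SYN from 192.0.2.1 to 198.51.100.7 advertising MSS 1460.
PSEUDO = bytes([192, 0, 2, 1, 198, 51, 100, 7, 0, 6, 0, 24])  # src, dst, 0, proto, len
HDR = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x60, 0x02, 65535, 0, 0)
OPTS = bytes([2, 4, 0x05, 0xB4])               # MSS option: kind 2, len 4, value 1460
SYN = HDR[:16] + struct.pack("!H", ~ones_sum(PSEUDO + HDR + OPTS) & 0xFFFF) + HDR[18:] + OPTS

if __name__ == "__main__":
    print(find_mss(SYN), "->", find_mss(clamp_mss(SYN, 1360)))  # 1360: assumed device MSS
```

The checksum is patched incrementally because the MSS option is covered by the TCP checksum; a device that rewrites the value without fixing the checksum would cause the receiver to drop the SYN.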

Identifying MTU Issues

There are certain types of issues that you typically see when you are having an MTU problem. It usually starts with complaints about FTP transfers stalling out, and SCP sessions stopping. The reason is that these services generate large packets. People surfing the Web don’t always notice right away because the file sizes tend to be small and people aren’t always surprised to see images that don’t load.

Another thing to watch out for is DNS zone transfers. While name resolution may continue to work, the zone transfers won’t, and you might not notice this until the time to live on the zone expires. I’ve seen situations where everyone thinks things are working great and then a couple of days later everything stops working.

Another oddity that I often see is that the MTU problem only impacts some machines. For example, you might see that Macs will have a problem where Windows boxes don’t. This is because the Windows boxes use a smaller default MTU. Different OSes behave differently in these situations, so your mileage may vary.

Remember that a lot of things can add to a packet’s size. VPNs and GRE tunnels can create a bunch of overhead as your packet proceeds through your network. MTU problems can create a lot of headaches, but if you keep this in mind when rolling out networks you can avoid a lot of problems.
