MTU defines Maximum Transmission Unit. Firewalls blocking ICMP disables IP’s dynamic Path MTU Discovery causing fragmentation at VPN, L2TP tunnels impacting performance. Gateways are not able to respect native DF bit flags (Don’t Fragment) because they are isolated on another OSI Model stack interface. The performance hit comes from what I call the “two for one blue light packet special” caused by the overhead of the tunnel header forcing two packets across the tunnel for each originating packet. That is why most VPN Client software adjust their MTU to 1300 so that does not occur – but what if you go through multiple tunnels? Then it becomes a manual hide and seek process to arrive at an MTU that works. There is of course much more to this than meets the eye so be careful in setting router and gateway MTU without fully thinking through the theory, analyzing the results with an analyzer and setting up network monitoring signature triggers to watch for problems in the future. The best way to approach the topic is to make it as automatic as possible through creatively setting your router MTU setting on the interface that goes to your gateway or Internet.
Transcript for this Video
MTU Maximum Transmission Unit is the size of the datalink layer payload of a packet. If it is not allowed to automatically perform path MTU discovery using ICMP Internet Control Message Protocol packets due to security filters on firewalls, then a logon and connect can be successful, but a data transfer will fail when a larger packet is sent. Or performance will suffer across high error prone links because a VPN tunnel will create two packets for every one packet to overcome the MTU mismatch exposing double the packets to packet loss. If one packet is lost both packets will have to be restransmitted by a higher layer protocol like TCP.
Here’s another example of a problem that we’ve found that is kind of layer 3 related, VPN and L2TP tunnels. A VPN and a L2TP tunnel are there, and they’re basically layer 7 services. Where it takes in a layer 3 packet, repackages it, and then puts it in another layer 3 environment. The don’t fragment bit, which we use in IP at layer 3, to tell routers not to break up packets, that is not respected when it gets to a layer 7 device acting as a VPN concentrator or an L2TP tunnel. Those are actually layer 7 type devices which do tunneling for us or some other functioning. If you want to call it something other than layer 7, it’s an application, so that’s why I call it layer 7, you could call it layer 4. In any event, it’s a tunnel going through your network.
When your packet leaves your station, it’s 1,500 bytes at maximum, and that’s called a maximum transmission unit, or MTU. That is the size of the payload at the datalink layer that the packet exiting your machine goes out. Now that 1,500 byte packet, as you can see here, travels out of the client, goes into your network, and it hits a tunnel device. Like let’s say an L2TP tunnel. That L2PT tunnel then takes that 1,500 byte packet, and it has to put that 1,500 byte packet, but it still has than 1,500 byte MTU. It can’t make a packet larger than 1,500 bytes. What it does is it takes your 1,500 byte packet, and it breaks it up into two packets, a large packet and then a smaller packet, and then puts the tunnel overhead on there, so that it can go across the network. At the other end of the tunnel, the tunnel then collapses that packet and lets go of your original packet pretty much the way you let it go outside of your particular machine. Again, we start out with a 1,500, we go in, we have a 1,400 and a 100, and then it comes back out the other side of the tunnel, and it comes back to 1,500.
What happens is, you’re getting the 2-for-1 Blue Light Special here. You’re getting two for one. You’re getting two packets on the high packet loss, error prone internet, and consequently the effect of that is that you’re going to lose more packets. And if one of those fragments, or those little segments are lost, you’re going to have to re-transmit both of them, and those intervening device, being layer 3, are not performing end-to-end retransmission. So it will rely on your upper layers on the two ends, typically at layer 4 or layer 7, to retransmit those packets for you, and that can be very costly to your performance.
One of the things you can do, and by the way this happens from an internal network where you’re sending a 1,500 byte MTU packet over to a VPN concentrator. That VPN concentrator is then having to put VPN overhead on top of that 1,500 byte, and it still has to live with the MTU on the next network of 1,500, so it has to break your packets up into two segments. When it does that, obviously, you still have this 2-for-1 overhead special. In some cases you can end up with packets that get lost, and then consequently your performance plummets when you need it most. When does your device send a 1,500 byte packet? It send a 1,500 byte packet when it’s got a lot of data to send. When you’re doing an FPT, when you’re doing something that is a large data transfer. When you really need your network to work, that’s when you start getting the 2-for-1 special. When you’re doing that FTP download, or you’re looking at a big website, or you’re looking at a webcast. That’s when these problems are going to occur to you.
In preparation for that, what we do is lower our MTU. There are several methods of lowering our MTU, so that when our packet, which is at maximum 1,500, reaches an L2TP tunnel or it reaches a VPN concentrator, it’s already smaller. So that you get a 1-for-1 packet ratio. Most of your VPN clients today actually cut your MTU on all of your communications down to 1,300 bytes, so that when it gets to the VPN concentrator it will automatically not have to get the 2-for-1 Blue Light Special and expose your packets, two packets for every one packet for potential packet loss, on the internet.
There are several ways of accomplishing that. While all this stuff works automatically, and the MTU mismatches will get fixed, provided you are allowing the ICMP, internet control message protocol packets, to get from the device and go back to the client or back to the server who sent the packet. Unfortunately today we have firewalls, and our firewalls are blocking the necessary ICMP path discovery packets that normally would manage and make sure you don’t get the 2-for-1 Blue Light Special on your own. But because of security constraints, we’ve turned off ICMP, and so consequently we have to do what is called end-to-end MTU management of our systems. It would behoove you to get an analyzer out and put it at these various locations and find out if you are, indeed, using ICMP destination unreachable path MTU discovery mechanisms effectively, or if, in fact, your firewalls are dropping those, and understand how this process is working in your particular environment.
So what I recommend is out here on these routers on the edge, if you do have and want this to be automatic, you can take your clients which are out here on your internal network, take your first router and set the MTU where you do have ICMP destination unreachable path MTU discovery packets where those are allowed inside your normal network, where they are not blocked by a firewall. And what we can do is lower the MTU on the inside link next to the firewall on the router, and then all this will be automatic. By lowering your path MTU on this particular router interface down to 1,300, essentially every packet that comes through there will automatically get its MTU lowered by path MTU discovery. Then your packets will flow through onto your VPN or onto your L2TP tunnels already smaller to go through that trip and get the expanded headers, OK?
This is one of the things you might want to look for and might want to understand in your environment so you know how things are working and if you were ever audited by a technical group, you would have the answer appropriate to the question for security purposes or what have you. You need to know about path MTU discovery and at every single point along the path what is going on with your MTU size. Thank you very much for listening, and we’ll have more.