msatter
Forum Guru
Topic Author
Posts: 1241
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Still struggling with MSS/MTU IKEv2

Wed Oct 09, 2019 2:36 am

After spending many hours, if not days, on this, I am seeing the ICMP type 3, code 4 packet, but it is not shown in connection tracking, nor is it going to the local network where the client is.

I am running a speedtest.net test; downloading is fine but uploading does not start. I am not blocking the ICMP traffic, but it looks like it goes back into the IKEv2 tunnel instead of going to the client.

The log shows this:
icmp.JPG
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
msatter

Re: Still struggling with MSS/MTU IKEv2

Thu Oct 10, 2019 11:37 am

I can see the ICMP packets in RAW, Mangle and Filter but not in NAT. I tried removing the connection mark in Mangle, which is needed for being directed into the IKEv2 connection, but that did not make those packets visible in NAT, nor did it solve the problem.

I still need a Mangle line that sets a hard, fixed MTU of 1382 (not using IPv6 anymore) because clamp to pmtu does not work.
 
msatter

Re: Still struggling with MSS/MTU IKEv2

Fri Oct 11, 2019 4:56 pm

Hmmmm it is becoming even stranger.

I tried a different setting and only looked at packets that have the TCP flag SYN and not ACK, and the upload started with a delay and was at 40% of the expected speed. This was with clamp to pmtu as the action, which did not work before.

To test, I reversed the !ack TCP flag and it still worked, so I disabled the whole Change MSS line and it still worked; however, the speed was still low.

So I hooked up Wireshark to see what is happening. On download it finds the correct MTU of 1382, but on upload it lowered the MTU to 536, which explains the low upload speed.

Now I changed back to a hard MTU of 1382 but upload is still stuck on an MTU of 536.

I am now going to restart the IKEv2 connection to see if that MTU of 536 is being released. This did not work, so I am going to restart the router after generating a supout.rif. A router restart also did not help, and because of that low MTU of 536 I could also not post in this forum anymore; it was throwing me a connection error.

I resolved it by restoring a backup from two days ago and then tested the upload speed, which was as expected. Then I restored the backup where I had the low MTU problem and changed the MSS line to what I used before. I tested it again and the upload speed was again as expected.

Update: supout.rif file sent to Mikrotik by e-mail.
