azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

IPsec Site to Site MSS issues edit: WAN MTU issue!

Thu May 04, 2023 6:39 pm

Hi

I had massive issues with TCP retransmits, out-of-order segments and duplicate ACKs across all of my site-to-site VPN tunnels, so I created the following rules on the one router that had the issues (ether7 is WAN):

chain=forward action=change-mss new-mss=900 passthrough=yes tcp-flags=syn protocol=tcp in-interface=ether7 log=no log-prefix=""
chain=forward action=change-mss new-mss=900 passthrough=yes tcp-flags=syn protocol=tcp out-interface=ether7 log=no log-prefix=""

Since then, all issues have disappeared. I just recently replaced a Fortigate with this router, and with the Fortigate I didn't have any issues.

Since I have almost no idea about MSS and the mechanics behind it, can someone please point me in the right direction to answer the following questions?
- why were there no issues with the Fortigate (no special MSS-altering config was in place, at least not intentionally)
- why does new-mss=900 help
- what is even going on
- how can I find out which MSS value would be the most ideal one
- is there a better solution?

Currently I have ZERO issues, but I want to understand and optimize.

Thanks!

edit:
It turns out something weird is going on with my WAN connection.
Ping with 1472 bytes and don't-fragment set doesn't get through; the ping just plain HANGS. 1473 tells me that it would have to be fragmented, and 1471 goes through.
So I disabled MSS clamping and reduced the MTU from 1500/1514 to 1499/1513, and all issues were gone.

WTF? What could take up one byte of the MTU, and why does ping just hang instead of telling me that the packet would have to be fragmented?
My topology is as follows, all without VLAN tagging:

crs326 -> rb5009 -> chateau LTE12
MTU is set to default everywhere; the lte1 interface has 1500, just like all the other interfaces on all the other devices, except the WAN interface of the rb5009, which is now at 1499.
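The byte arithmetic behind the post above, as an added example that is not part of the original post and not MikroTik's or the poster's code. It shows why a 1472-byte DF ping is exactly a 1500-byte packet (so 1471 passing and 1472 hanging means an effective path MTU of 1499), how to find that value by binary search on a path that silently drops oversize packets instead of returning "fragmentation needed", and how large an MSS can still fit through an ESP tunnel on such a link. The poster did not say which IPsec proposal is in use, so the cipher parameters (AES-CBC with a 16-byte IV and a 12-byte HMAC-SHA1 ICV, or AES-GCM with an 8-byte IV and a 16-byte ICV) and the simulated black-hole WAN are assumptions, chosen to match the symptoms described.

```python
"""Added example (not from the original post): DF-ping MTU probing and
MSS arithmetic for a TCP session carried inside an ESP tunnel.

Assumptions (none stated in the post): IPv4 without options, ESP in
tunnel mode, cipher sizes passed per call, NAT-T only when requested.
"""
from typing import Callable

IPV4_HDR = 20     # IPv4 header without options
TCP_HDR = 20      # TCP header without options (MSS excludes this)
ICMP_HDR = 8      # ICMP echo header
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
UDP_HDR = 8       # NAT-T (UDP 4500) encapsulation


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest ICMP echo payload that fits one unfragmented IPv4 packet of size mtu (1500 -> 1472)."""
    return mtu - IPV4_HDR - ICMP_HDR


def mtu_from_ping_payload(payload: int) -> int:
    """Inverse: total on-wire IPv4 size of a ping with this payload (1471 -> 1499)."""
    return payload + IPV4_HDR + ICMP_HDR


def esp_tunnel_size(inner_len: int, block: int, iv_len: int, icv_len: int,
                    nat_t: bool = False) -> int:
    """On-wire size of an inner IPv4 packet after ESP tunnel-mode encapsulation.

    The inner packet plus the 2-byte ESP trailer is padded up to the cipher
    block size, then wrapped in outer IP + ESP header + IV, followed by the ICV.
    """
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # ceil to block
    size = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def max_mss_through_tunnel(wan_mtu: int, block: int = 16, iv_len: int = 16,
                           icv_len: int = 12, nat_t: bool = False) -> int:
    """Largest TCP MSS whose encapsulated segment still fits wan_mtu unfragmented.

    Defaults model AES-CBC + HMAC-SHA1-96 (assumed; the post names no proposal).
    """
    mss = wan_mtu - IPV4_HDR - TCP_HDR          # the plain, non-tunnel MSS
    while esp_tunnel_size(IPV4_HDR + TCP_HDR + mss, block, iv_len, icv_len, nat_t) > wan_mtu:
        mss -= 1
    return mss


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IPv4 total length that probe() gets through.

    probe(size) sends a DF-set packet of that size and reports whether a reply
    came back. Only success/failure is used, never an ICMP 'fragmentation
    needed' message, so this also works on a black-hole path where oversize
    packets simply vanish (the 'ping just hangs' case in the post).
    """
    if probe(hi):
        return hi
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte packets do not pass; check the link")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def black_hole_wan(effective_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the post's WAN (assumption): DF packets larger than
    effective_mtu are dropped with no ICMP error, smaller ones are answered."""
    return lambda size: size <= effective_mtu


if __name__ == "__main__":
    wan = black_hole_wan(1499)                 # what 1471-pass / 1472-hang implies
    pmtu = discover_path_mtu(wan)
    print("path MTU:", pmtu, "-> largest DF ping payload:", ping_payload_for_mtu(pmtu))
    print("plain TCP MSS for that MTU:", pmtu - IPV4_HDR - TCP_HDR)
    print("max MSS inside AES-CBC/SHA1 ESP tunnel:", max_mss_through_tunnel(pmtu))
    print("max MSS inside AES-GCM ESP tunnel with NAT-T:",
          max_mss_through_tunnel(pmtu, block=4, iv_len=8, icv_len=16, nat_t=True))
```

For a real link, replace black_hole_wan with a probe that runs a DF ping of the given total size and checks the exit status; the search then needs about ten probes to pin the MTU to the byte. Under the assumed cipher parameters the tunnel tolerates an MSS of roughly 1394 to 1398 on a 1499-byte WAN, so a clamp of 900 works but leaves a lot of throughput on the table, and lowering the interface MTU to the discovered value lets the router clamp correctly on its own.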
