MTU
Sometime about two weeks ago, I started having problems with applications which involve VPNing into work, specifically with Sametime. By issuing the following command, these problems seem to have gone away:
sudo ifconfig ath0 mtu 1415
I hate it when that happens.
I’m surprised you didn’t have to do this sooner, I had to make this change months ago. What ISP?
Posted by James Snell at
There are a number of parts to this problem:
- the standard ethernet MTU is 1500 bytes, which is slightly larger than an ADSL frame
- modern operating systems don’t like to fragment packets because it reduces performance. Instead, they set the “don’t fragment” flag, and wait for errors if the packets are too big. If they get an error, they send smaller packets until they make it all the way.
- it seems that a lot of DSL modems (or maybe DSL networks) happily accept and discard large packets without sending an error message back to the original sender.
To make things more complicated, with some VPN software you end up having to pick an MTU manually such that the maximum packet size plus the VPN headers plus the TCP/IP headers will fit inside an ADSL frame, which is not easy to do.
As far as I can tell, the root problem is the DSL network or modem accepting packets that it cannot possibly transmit without an error.
Posted by James Henstridge at
A problem that I’ve seen is firewalls dropping incoming ICMP type 3/code 4 errors. This breaks Path MTU discovery, so the IPsec headers push the packet size over the maximum MTU, and the packets get lost silently.
I found that our ADSL router dropped these ICMP errors by default.
Posted by David Powell at
BTW - Robert Graham’s excellent Firewall Forensics FAQ describes MTU problems well:
[link]
Or, at least it did, until it dropped off the web some time ago. It is still available via archive.org though.
Posted by David Powell at
I’ve now seen an alternate suggestion:
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
Posted by Sam Ruby at
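One way to do the MTU arithmetic James Henstridge describes (maximum packet size plus VPN headers plus TCP/IP headers has to fit inside an ADSL frame), which also shows why the IPsec headers in David Powell's comment push a full-size packet over the MTU and where a value for the TCPMSS clamp in Sam Ruby's rules comes from. This is an added example, not code from the post or from any of the commenters. The overhead figures it uses are assumptions, not something the page states: PPPoE framing per RFC 2516 (8 bytes), ESP tunnel mode with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), and IPv4/TCP headers without options. Other VPN software has different overhead, which is exactly why the comments say picking the number by hand is not easy.

```python
# Added example (not from the original post or its comments): compute the
# MTU/MSS budget for TCP inside an IPsec ESP tunnel carried over ADSL (PPPoE).
# Assumptions, not facts from the page: PPPoE framing (RFC 2516), ESP tunnel
# mode with AES-CBC + HMAC-SHA1-96, IPv4 and TCP headers without options.

IPV4_HDR = 20
TCP_HDR = 20
PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol field
ESP_HDR = 8                 # SPI + sequence number
ESP_TRAILER = 2             # pad length + next header
AES_CBC_IV = 16
AES_BLOCK = 16
HMAC_SHA1_96_ICV = 12


def esp_padding(inner_len, block=AES_BLOCK):
    """ESP pads (inner packet + 2-byte trailer) up to a multiple of the cipher block."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_overhead(inner_len, iv_len=AES_CBC_IV, block=AES_BLOCK, icv_len=HMAC_SHA1_96_ICV):
    """Bytes added when an inner IPv4 packet of inner_len bytes is wrapped in ESP tunnel mode."""
    return IPV4_HDR + ESP_HDR + iv_len + esp_padding(inner_len, block) + ESP_TRAILER + icv_len


def fits(inner_len, link_mtu, **esp):
    """True if the ESP-encapsulated form of an inner_len-byte packet fits in link_mtu."""
    return inner_len + esp_tunnel_overhead(inner_len, **esp) <= link_mtu


def largest_inner_packet(link_mtu, **esp):
    """Largest inner packet that still fits after encapsulation.

    Searched downwards rather than computed as link_mtu - overhead, because the
    padding makes the overhead depend on the packet size: one more byte of
    payload can cost a whole extra cipher block on the wire.
    """
    for n in range(link_mtu, IPV4_HDR + TCP_HDR, -1):
        if fits(n, link_mtu, **esp):
            return n
    raise ValueError("link MTU %d is too small for any TCP segment" % link_mtu)


def mss_for(tunnel_mtu):
    """TCP MSS that fills a tunnel_mtu-byte packet exactly (IPv4 + TCP headers, no options)."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


def budget(ethernet_mtu=1500, pppoe=True, **esp):
    """Full chain: Ethernet MTU -> link MTU after PPPoE -> tunnel MTU -> TCP MSS."""
    link_mtu = ethernet_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    tunnel_mtu = largest_inner_packet(link_mtu, **esp)
    return {"link_mtu": link_mtu, "tunnel_mtu": tunnel_mtu, "mss": mss_for(tunnel_mtu)}


if __name__ == "__main__":
    for pppoe in (True, False):
        b = budget(pppoe=pppoe)
        print("PPPoE=%-5s link MTU %4d  tunnel MTU %4d  clamp MSS to %4d"
              % (pppoe, b["link_mtu"], b["tunnel_mtu"], b["mss"]))
    # The failure mode the comments describe: a packet one byte over the limit
    # is a whole cipher block too big on the wire, and a host that set DF and
    # never gets the ICMP type 3/code 4 error back simply loses it.
    limit = budget()["tunnel_mtu"]
    print("inner %d -> %d bytes on the wire (fits)"
          % (limit, limit + esp_tunnel_overhead(limit)))
    print("inner %d -> %d bytes on the wire (silently dropped if PMTU discovery is broken)"
          % (limit + 1, limit + 1 + esp_tunnel_overhead(limit + 1)))
```

With these assumptions the tunnel MTU over PPPoE comes out at 1422 bytes and the MSS at 1382; over plain 1500-byte Ethernet it is 1438 and 1398, which is where rules of thumb like "clamp to 1400" come from. Pass `iv_len=8, block=8` to `budget()` for a 3DES-CBC tunnel, or substitute your own VPN's per-packet overhead, and check the result against the interface MTU you set with `ifconfig`.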
The funny thing is that the Mac OS X Network Preference Pane allows you to set MTU for Ethernet connections graphically, but not VPN.
Posted by Guan Yang at