TCP MSS clamping – what is it and why do we need it?

This (not so very) short video explains what TCP MSS clamping is and why we're almost forced to use it on xDSL (PPPoE) and tunnel interfaces (TL;DR summary: because Internet-wide Path MTU Discovery rarely works, as the ICMP messages it depends on are all too often filtered somewhere along the path).


Some configuration tips

  • TCP MSS clamping can be configured on end hosts or on some routers (on Cisco IOS, use the ip tcp adjust-mss interface configuration command).
  • The ip tcp adjust-mss functionality on Cisco IOS is bidirectional: the MSS option is adjusted in inbound and outbound TCP SYN packets traversing the interface on which ip tcp adjust-mss is configured. The value is only ever lowered; a SYN that already advertises a smaller MSS passes through unchanged.
  • Configure ip tcp adjust-mss on interfaces with low MTUs, and set the MSS to the MTU of the same interface minus 40 bytes (20-byte IPv4 header plus 20-byte TCP header, neither carrying options). For a 1492-byte PPPoE link that is 1452; IPv6 has a 40-byte header, so subtract 60 bytes there.
  • Configuration examples that put ip tcp adjust-mss on the Ethernet (LAN) interface have interesting side effects if the router has more than two interfaces: every TCP SYN crossing the LAN interface gets clamped, including sessions that leave through a full-MTU WAN interface and never touch the low-MTU link.
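
The clamping the tips above describe, as an added example rather than code from the post or from Cisco IOS: a Python model of what ip tcp adjust-mss does on the wire. It walks the TCP options of every SYN that passes, lowers (never raises) the MSS, recomputes the TCP checksum, and leaves non-SYN segments and non-TCP packets alone. The packet builder and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample input, and all function names are mine.

```python
# Added example: MSS clamping on raw IPv4 packets, modelled on ip tcp adjust-mss.
# Not the post's or Cisco's code; packets and addresses below are constructed.
import ipaddress
import struct

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """MSS = MTU minus fixed IP header minus fixed TCP header (no options):
    a 1492-byte PPPoE link gives 1452 for IPv4 and 1432 for IPv6."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return _ones_complement_sum(pseudo + tcp)


def _walk_options(opts: bytes):
    """Yield (kind, offset, length) per TCP option; stop at EOL or a bad length."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            return
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):              # truncated option header
            return
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return                          # malformed: refuse to guess
        yield kind, i, length
        i += length


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: IPv4 + TCP SYN with MSS, NOP, NOP, SACK-permitted options."""
    srcb, dstb = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + struct.pack("!BB", 4, 2)
    data_off = (TCP_HDR + len(options)) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                                data_off << 4, 0x02, 65535, 0, 0)) + options
    tcp[16:18] = struct.pack("!H", _tcp_checksum(srcb, dstb, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(tcp),
                               0, 0x4000, 64, 6, 0, srcb, dstb))
    ip[10:12] = struct.pack("!H", _ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def read_mss(pkt: bytes):
    """MSS advertised in a TCP SYN, or None if this is not a SYN carrying one."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    if pkt[9] != 6 or not tcp[13] & 0x02:
        return None
    data_off = (tcp[12] >> 4) * 4
    for kind, off, length in _walk_options(tcp[TCP_HDR:data_off]):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp[TCP_HDR + off + 2:TCP_HDR + off + 4])[0]
    return None


def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """Return pkt with its MSS lowered to max_mss if it was higher; non-TCP packets,
    non-SYN segments and SYNs already at or below max_mss come back untouched."""
    if len(pkt) < IPV4_HDR or (pkt[0] >> 4) != 4 or pkt[9] != 6:
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    if len(tcp) < TCP_HDR or not tcp[13] & 0x02:
        return pkt
    data_off = (tcp[12] >> 4) * 4
    for kind, off, length in _walk_options(bytes(tcp[TCP_HDR:data_off])):
        if kind == 2 and length == 4:
            pos = TCP_HDR + off + 2
            if struct.unpack("!H", tcp[pos:pos + 2])[0] <= max_mss:
                return pkt                  # never raise an MSS, only lower it
            tcp[pos:pos + 2] = struct.pack("!H", max_mss)
            tcp[16:18] = b"\x00\x00"        # zero, then recompute the TCP checksum
            tcp[16:18] = struct.pack("!H", _tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp)))
            return pkt[:ihl] + bytes(tcp)
    return pkt


def tcp_checksum_ok(pkt: bytes) -> bool:
    """An intact segment sums to zero once its own checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return _tcp_checksum(pkt[12:16], pkt[16:20], pkt[ihl:]) == 0
```

Feed `build_syn("192.0.2.10", "198.51.100.7", 40000, 443, 1460)` through `clamp_mss(..., mss_for_mtu(1492))` and the SYN leaves with MSS 1452 and a valid checksum, which is exactly what `ip mtu 1492` plus `ip tcp adjust-mss 1452` on a PPPoE Dialer interface produces; the same SYN clamped to 1460 or higher is returned as-is, and `mss_for_mtu(1492, ipv6=True)` gives the 1432 an IPv6 session needs.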

10 comments:

  1. And don't forget about clamping IPv6 as well...

    (like my $ISP does)

    1. How did you guess the topic of the follow-up post ;)

  2. Great video, thanks a lot. I'm glad to know now that adjust-mss is now done in hardware - and it's called MSS Clamping.

    I've never used 'in fast path' as an alternative to hardware-based forwarding but I like it (can't wait to use it in a team meeting).

    1. 'Fast path' might not be equivalent to hardware-based forwarding (depends on the platform). Also, did I really say adjust-mss is done in hardware?

    2. Sorry, typo- I meant 'not' done in hardware

  3. Mss = mtu - 40 bytes assuming no IP options are used afair?

  4. For PPPoE the common setting is ip tcp adjust-mss 1452.

    Can someone give me a hint on negotiating a PPPoE MTU of >1492 on Cisco IOS? It looks kind of hard to make a Cisco router ignore the RFC standard MTU...

    I heard some telcos use a PPPoE MTU of 1500 (on an Ethernet link of >1510) instead of 1492 to work around the MSS clamping...

    1. Have you tried "mtu 1500" and "ip mtu 1500" on Dialer/VirtualAccess interface? Of course it has to match on both ends. You might also need "ppp mtu adaptive".

  5. Yes, I tried all these things, but still no success. The Cisco ASR1000 still keeps saying MRU 1492:

    Oct 15 09:53:10.164: ppp424 PPP LCP: Enter passive mode, state[Stopped]
    Oct 15 09:53:10.185: ppp424 LCP: I CONFREQ [Stopped] id 1 len 14
    Oct 15 09:53:10.185: ppp424 LCP: MRU 1500 (0x010405DC)
    Oct 15 09:53:10.185: ppp424 LCP: MagicNumber 0x2CC6AA92 (0x05062CC6AA92)
    Oct 15 09:53:10.185: ppp424 LCP: O CONFREQ [Stopped] id 1 len 18
    Oct 15 09:53:10.185: ppp424 LCP: MRU 1492 (0x010405D4)
    Oct 15 09:53:10.185: ppp424 LCP: MagicNumber 0x7A4ECDDA (0x05067A4ECDDA)
    Oct 15 09:53:10.186: ppp424 LCP: O CONFACK [Stopped] id 1 len 14
    Oct 15 09:53:10.186: ppp424 LCP: MRU 1500 (0x010405DC)
    Oct 15 09:53:10.186: ppp424 LCP: MagicNumber 0x2CC6AA92 (0x05062CC6AA92)
    Oct 15 09:53:10.186: ppp424 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
    Oct 15 09:53:10.206: ppp424 LCP: I CONFACK [ACKsent] id 1 len 18
    Oct 15 09:53:10.206: ppp424 LCP: MRU 1492 (0x010405D4)
    Oct 15 09:53:10.206: ppp424 LCP: MagicNumber 0x7A4ECDDA (0x05067A4ECDDA)
    Oct 15 09:53:10.206: ppp424 LCP: Event[Receive ConfAck] State[ACKsent to Open]

  6. Hi,

    thanks for the great explanation.

    One question: I usually would prefer setting "ip tcp adjust-mss" on the LAN interface of a CE router. Would it also work on the WAN interface when using crypto maps?
    To explain: the CE router has a LAN interface and 2 WAN interfaces, one pointing to MPLS, one to the Internet (for IPsec). I need to set adjust-mss for only the IPsec traffic without reducing the value for MPLS traffic. Will it work if I only set it on the WAN interface pointing to the Internet? (IPsec is done with a crypto map.)


Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.