TCP MSS Clamping – What Is It and Why Do We Need It?

This (not so very) short video explains what TCP MSS clamping is and why we’re almost forced to use it on xDSL (PPPoE) and tunnel interfaces.

TL&DW summary: because Internet-wide Path MTU Discovery rarely works.

More details

Some configuration tips

  • TCP MSS clamping can be configured on end hosts or on some routers (on Cisco IOS, use ip tcp adjust-mss interface configuration command).
  • The ip tcp adjust-mss functionality on Cisco IOS is bidirectional – MSS option is adjusted in inbound and outbound TCP SYN packets traversing the interface on which ip tcp adjust-mss is configured.
  • You should configure ip tcp adjust-mss on interfaces with low MTUs. In other words, MSS value configured on an interface should match MTU value of the same interface minus 40 bytes.
  • Configuration examples where ip tcp adjust-mss is configured on Ethernet interface have interesting side effects if the router has more than two interfaces.

Recent posts in the same categories

10 comments:

  1. Anonymous 22 January 2013 10:26
    And don't forget about clamping IPv6 as well...

    (like my $ISP does)
    Replies
    1. Ivan Pepelnjak 22 January 2013 10:45
      How did you guess the topic of the follow-up post ;)
  2. Will 22 January 2013 13:30
    Great video, thanks a lot. I'm glad to know now that adjust-mss is now done in hardware - and it's called MSS Clamping.

    I've never used 'in fast path' as alternative to hardware based forwarding but I like it (cant wait to use it in a team meeting).
    Replies
    1. Ivan Pepelnjak 22 January 2013 15:49
      'Fast path' might not be equivalent to hardware-based forwarding (depends on the platform). Also, did I really say adjust-mss is done in hardware?
    2. will 22 January 2013 19:13
      Sorry, typo- I meant 'not' done in hardware
  3. Anonymous 15 February 2013 08:21
    Mss = mtu - 40 bytes assuming no IP options are used afair?
  4. Rinse Kloek 21 February 2013 12:52
    For PPPoe the common setting is ip tcp adjust-mss 1452.

    Can someone give me a hint to negotiate a PPPoE MTU of >1492 on Cisco IOS. Looks kind of hard to make a Cisco Router ignore the RFC standard MTU...

    I heard some Telco's use PPPoE MTU of 1500 (on a Ethernet link of >1510) in stead of 1492 to workaround the MSS clamping...
    Replies
    1. Ivan Pepelnjak 21 February 2013 12:58
      Have you tried "mtu 1500" and "ip mtu 1500" on Dialer/VirtualAccess interface? Of course it has to match on both ends. You might also need "ppp mtu adaptive".
  5. Unknown 15 October 2013 09:54
    Yes, I tried all these things, but still nu success. The Cisco ASR1000 still keeps saying MRU 1492:

    Oct 15 09:53:10.164: ppp424 PPP LCP: Enter passive mode, state[Stopped]
    Oct 15 09:53:10.185: ppp424 LCP: I CONFREQ [Stopped] id 1 len 14
    Oct 15 09:53:10.185: ppp424 LCP: MRU 1500 (0x010405DC)
    Oct 15 09:53:10.185: ppp424 LCP: MagicNumber 0x2CC6AA92 (0x05062CC6AA92)
    Oct 15 09:53:10.185: ppp424 LCP: O CONFREQ [Stopped] id 1 len 18
    Oct 15 09:53:10.185: ppp424 LCP: MRU 1492 (0x010405D4)
    Oct 15 09:53:10.185: ppp424 LCP: MagicNumber 0x7A4ECDDA (0x05067A4ECDDA)
    Oct 15 09:53:10.186: ppp424 LCP: O CONFACK [Stopped] id 1 len 14
    Oct 15 09:53:10.186: ppp424 LCP: MRU 1500 (0x010405DC)
    Oct 15 09:53:10.186: ppp424 LCP: MagicNumber 0x2CC6AA92 (0x05062CC6AA92)
    Oct 15 09:53:10.186: ppp424 LCP: Event[Receive ConfReq+] State[Stopped to ACKsent]
    Oct 15 09:53:10.206: ppp424 LCP: I CONFACK [ACKsent] id 1 len 18
    Oct 15 09:53:10.206: ppp424 LCP: MRU 1492 (0x010405D4)
    Oct 15 09:53:10.206: ppp424 LCP: MagicNumber 0x7A4ECDDA (0x05067A4ECDDA)
    Oct 15 09:53:10.206: ppp424 LCP: Event[Receive ConfAck] State[ACKsent to Open]
  6. Anonymous 26 February 2014 17:42
    Hi,

    thanks for the great explanation.

    1 question: I usually would prefer setting the "ip tcp adjust-mss" on the LAN Interface of a CE router. Would it also work on the WAN interface when using crypto maps?
    To explain: the CE router has a LAN Interface and 2 WAN Interfaces, one pointing to MPLS, one to Internet (for IPSec). I need to set the adjust-mss for only the IPSec Traffic without reducing the value for MPLS traffic. Will it work, if I only set it on the WAN interface pointing to the internet? (IPSec is done with crypto map).
  7. Unknown 26 May 2015 20:42
    Hello Ivan,

    Is it possible to do mss clamping on Juniper MX80?

    Thanks,

    -Konstantin
    Replies
    1. Ivan Pepelnjak 26 May 2015 21:51
      Absolutely no idea. Sorry, I'm really not a Junos person.
  8. amir 15 July 2020 10:25

    where will you need to add the mss clamping on if your client is connecting over a layer 2 vpn tunnel over ipsec?

  9. Ivan Pepelnjak 16 July 2020 01:52

    As James Mickens said: "In a word: Don't".

    If you really really think you need L2VPN then make sure the underlying MTU is big enough to support all the extra headers.

  10. G 25 September 2021 03:27

    1.1.1.1 does DNSSEC if you don't want to trust Google with even more of your data...

Add comment
Home
Sidebar