Applies to platform: All
Last updated: 30th August 2013
This lesson guides you in troubleshooting MTU problems you may experience on your network. It presents a short introduction to MTU size then delves into useful tools that can help you identify the correct MTU size for the network.
What is MTU size?
Represents the largest size (in bytes) IP packets can have and be transmitted over an interface without being fragmented. If the packets size is larger than the value of the supported MTU on that network, the IP packet will go through IP fragmentation procedures.
The majority of the ISPs use a value of 1500 bytes for the MTU, but this is not always the case.
Configuring the MTU can improve or worsen the efficiency of data transmission. The standard MTU for IP packets is 1500 bytes. Some Internet Service Providers modify their network MTU to better suit their needs.
For example, high MTU means that there are fewer packets for a fixed amount of data, this correlates with less protocol overhead (faster goodput transmission) but can induce large delays on slower links, because the large packet is occupying the transmission medium for longer periods of time.
If your ISP uses a different MTU size, you can encounter odd behaviour of your network connection, more specifically files which will not download, although you can visit some webpages, connections that do not work at all, etc.
First you need to discover your appliances MTU size. You can accomplish this by issuing the following command:
root@endian:~# ip link show
The output of this command will be similar to the one below. Please look for the interface associated with your uplink and check the MTU size.
2: eth0: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 89:d2:24:8f:ee:a6 brd ff:ff:ff:ff:ff:ff
If this MTU size is not compliant with your ISP requirements, please consider following the next steps and try to find the suitable value for it.
root@endian:~# ping -c1 -M do -s 1460 <host>
(please refer to the ping(8) manpage for more info).
Here, 1460 is the size in bytes of the ICMP payload. This payload will be summed with the ICMP header (8 bytes) and the IP header (20 bytes), which totals to an amount of 1488 bytes, for the IP packet, sent to the Data Link layer. You can observe in the example below the payload value and in the brackets we have the total size of the IP packet.
PING <host> 1460(1488) bytes of data.
1468 bytes from <host> icmp_seq=1 ttl=49 time=75.2 ms
In the above example, we have a successful ICMP reply from the host, this means that the IP packet hasn't suffered fragmentation along its path.
PING <host> (126.96.36.199) 1460(1488) bytes of data.
From 192.168.0.1 icmp_seq=0 Frag needed and DF set (mtu = 1500)
If the packet needs fragmentation, an error like the one above will be received, because the command was issued with the "-M do" option, which prohibits fragmentation of the packet.
You can probe the network with different IP packet sizes until you find the correct MTU size. It is easier to start from a lower value and gradually increase it until you receive ICMP replies.
Please keep in mind, that the value you pass to the command as argument is not the correct size of the MTU, but the one found in brackets.
MTU troubleshooting for OpenVPN
While several problems with VPN connections can be easily spotted just by looking at the configuration files, one subtle source of connection problems is a wrong value of the MTU size. The Endian UTM Appliance sets a limit of 1450 bytes to the size of the VPN’s MTU, to prevent problems with the common MTU values used by the ISPs, which is 1500 bytes. However, if the ISP is using a lower MTU value, you can encounter the same connection problems or abnormal behaviour as stated earlier. This value can be easily modified by accessing the Endian UTM Appliance from the CLI and following these guidelines:
- Write down the MTU size used by the ISP (see above).
- Login to the CLI, either from a shell or from Menubar > System > Web Console.
- Edit the openvpn template with an editor of choice:
root@endian:~# nano /etc/openvpn/openvpn.conf.tmpl
- Search for the string mssfix 1450.
- Replace 1450 with a value lower then the one discovered at point 1, for example 1400.
- Restart openvpn by calling:
root@endian:~# jobcontrol restart openvpnjob --force
You can repeate these steps until you find the suitable value of the MTU.