TCP Fragmentation Causes Slow NMS Login

Publication Date:  2015-07-02
Issue Description
Network Topology:



Symptom:

When the network management software on the PC is used to log in to server 1, the login is slow and takes one or two minutes; queries after the login are also slow. When the same PC is used to access server 2, the login speed is normal. When another PC on the same network segment as the first PC is used to access server 1, no problem occurs.
Handling Process
When another PC on the same network segment as the first PC is used to access server 1, no problem occurs, which indicates that server 1 functions properly. When the same PC is used to access server 2, no problem occurs, which indicates that the PC functions properly as well. The problem is therefore most likely on the path between this PC and server 1. Capture packets on the PC. The packet statistics are as follows:



The capture contains a fragment that is the first fragment of a packet (fragment offset 0 with the More Fragments flag set). A fragmented packet normally arrives as several fragments, but only this one was captured, which indicates that the follow-up fragments were discarded somewhere on the path. Non-initial fragments carry no TCP header, so port-based ACLs and stateful firewalls commonly drop them; a lone first fragment is a typical signature of this problem. In most cases TCP segments are not fragmented at all, because during the three-way handshake each side advertises an MSS value in its SYN or SYN-ACK, and that value bounds the size of the TCP segments that follow. Intermediate devices can rewrite this value: if the MTU of an interface on the device forwarding the SYN or SYN-ACK is smaller than MSS + 40 (20 bytes of IPv4 header plus 20 bytes of TCP header), the device lowers the MSS in the SYN or SYN-ACK so that later segments fit without fragmentation. A fragment in the capture therefore indicates that a device on the path fragments packets but does not adjust the MSS. This is the likely cause.

After checking the intermediate devices, a reduced MTU was found configured on an interface of an intermediate Cisco router. Filtering the capture for SYN and SYN-ACK packets shows an MSS of 1460 in all of them, which confirms that the Cisco router forwards them without adjusting the MSS.

The USG can rewrite the MSS in the SYN and SYN-ACK packets it forwards with the firewall tcp-mss xxx command. Run the firewall tcp-mss 1400 command on the USG and repeat the login test: the login speed is normal.
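The two checks made on the capture above (a first fragment with no follow-up fragments, and SYN/SYN-ACK packets whose MSS is too large for the smallest MTU on the path) can be automated. The following is an added example written for this page, not code from the original case or from Huawei; it parses raw IPv4/TCP headers with the standard library and runs against constructed packets that stand in for the PC-side capture. The path MTU of 1440 and the addresses and ports in the builder are assumptions chosen so that the expected clamp value matches the 1400 used in the case.

```python
import struct

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options


def mss_for_mtu(mtu, ipv6=False):
    """Largest MSS whose full-size segment still fits in mtu (IPv4: 20 IP + 20 TCP bytes)."""
    return mtu - (60 if ipv6 else 40)


def parse_mss(opts):
    """Walk TCP options (kind/len TLVs, kind 1 = NOP, 0 = end) and return the MSS (kind 2) or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break  # truncated or malformed option
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def parse_ipv4_tcp(pkt):
    """Parse an IPv4 header; parse the TCP header too when this is a first fragment (offset 0)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_off": (flags_frag & 0x1FFF) * 8, "total_len": total_len, "proto": proto, "tcp": None}
    if proto == 6 and info["frag_off"] == 0:  # only offset-0 fragments carry the TCP header
        sport, dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
        doff = (off_flags >> 12) * 4
        flags = off_flags & 0x1FF
        info["tcp"] = {"sport": sport, "dport": dport, "syn": bool(flags & 0x02),
                       "ack": bool(flags & 0x10), "mss": parse_mss(pkt[ihl + 20:ihl + doff])}
    return info


def find_incomplete_fragments(packets):
    """IP IDs for which a first fragment was seen but the final fragment (MF=0, offset>0) never arrived."""
    groups = {}
    for p in packets:
        if p["mf"] or p["frag_off"]:
            g = groups.setdefault(p["id"], {"first": False, "last": False})
            g["first"] |= p["frag_off"] == 0
            g["last"] |= not p["mf"]
    return sorted(i for i, g in groups.items() if g["first"] and not g["last"])


def unclamped_syns(packets, path_mtu):
    """(id, mss) of SYN/SYN-ACK packets whose MSS exceeds what the smallest path MTU allows."""
    limit = mss_for_mtu(path_mtu)
    return [(p["id"], p["tcp"]["mss"]) for p in packets
            if p["tcp"] and p["tcp"]["syn"] and p["tcp"]["mss"] is not None and p["tcp"]["mss"] > limit]


def analyse(raw_packets, path_mtu):
    parsed = [parse_ipv4_tcp(p) for p in raw_packets]
    return {"incomplete_fragment_ids": find_incomplete_fragments(parsed),
            "unclamped_syn": unclamped_syns(parsed, path_mtu),
            "mss_to_configure": mss_for_mtu(path_mtu)}


# --- constructed packets standing in for the capture (assumed addresses/ports, not the page's data) ---
def build_ipv4(ident, flags_frag, payload, proto=6):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(payload), ident, flags_frag, 64,
                      proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def build_tcp(mss, flags):
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    doff = (TCP_HDR + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (doff << 12) | flags, 65535, 0, 0) + opts


def constructed_capture():
    syn = build_ipv4(1, 0x0000, build_tcp(1460, 0x02))            # client SYN, MSS 1460
    synack = build_ipv4(2, 0x0000, build_tcp(1460, 0x12))         # server SYN-ACK, MSS 1460
    data = build_tcp(None, 0x18)                                  # PSH|ACK data segment header
    lone_first = build_ipv4(3, 0x2000, data + b"A" * 100)         # MF=1, offset 0, follow-up lost
    first4 = build_ipv4(4, 0x2000, data + b"B" * 100)             # MF=1, offset 0
    last4 = build_ipv4(4, 0x000F, b"B" * 40)                      # MF=0, offset 15*8: complete group
    return [syn, synack, lone_first, first4, last4]


if __name__ == "__main__":
    print(analyse(constructed_capture(), path_mtu=1440))
```

On a real capture the same two checks are the Wireshark display filters `ip.flags.mf == 1 || ip.frag_offset > 0` (fragments) and `tcp.flags.syn == 1` with the `tcp.options.mss_val` column (advertised MSS); the IP IDs that appear only once in the first filter are the groups whose follow-up fragments were dropped.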
Root Cause
A Cisco router on the path has a reduced MTU configured on an interface but does not adjust the MSS in the SYN or SYN-ACK packets it forwards. TCP segments larger than that MTU are therefore fragmented, the follow-up fragments are discarded, and the NMS login to server 1 is slow.
Solution
Run the firewall tcp-mss 1400 command on the USG so that the USG lowers the MSS in the SYN and SYN-ACK packets it forwards and subsequent TCP segments are no longer fragmented. The configured value plus 40 bytes of IPv4 and TCP headers must not exceed the smallest MTU on the path.

END