After MPLS VPN Is Deployed on the AR, Users Fail to Access Web Pages Due to Improper TCP MSS Value

Publication Date:  2015-11-02
Issue Description
As shown in Figure 1-1, CE_1 and CE_2 connect the enterprise branch, CE_3 and CE_4 connect the enterprise headquarters, CE_1 and CE_3 belong to vpna, and CE_2 and CE_4 belong to vpnb. After the enterprise deploys MPLS VPN, a PC at the enterprise branch can ping both the IP address and the domain name of the server at the headquarters, but it cannot open web pages on the server over HTTP. The network neighbor and file sharing services between the PC and the server work normally.

Figure 1-1 MPLS VPN
Device and version: AR2240 V200R005C20SPC200
Handling Process
1. Check whether the link between the PC and server is normal.

Ping the IP address and domain name of the server on the PC. For example, if the IP address of the server is 10.1.1.1, run the ping 10.1.1.1 command. If the ping operation succeeds, use the tracert tool to trace the path. If the path is normal, the link between the PC and server is normal.

2. Check the device configuration, neighbor status, and routing table. The result shows that they are normal.

3. Check whether the MTU value is set properly.

Ping the IP address of the server from the PC with the DF bit set (so that packets are not fragmented). After several attempts with different sizes, packets with a payload of at most 1468 bytes are pinged successfully, which suggests that the MTU is improper. On the original network, where packets were not fragmented either, the largest payload that could be pinged successfully was 1472 bytes. After MPLS VPN is deployed, a 4-byte MPLS label is added to each packet, so the maximum payload drops to 1468 bytes.

On the PEs at both ends, increase the interface MTU and MPLS MTU values to 1520. Packets with a payload of at most 1468 bytes still ping successfully, so the limit is not on the PEs. The customer consulted the carrier and learned that the MTU of the carrier's transmission device is limited.

4. Check whether the TCP MSS value is proper.

Packet capture and analysis show the TCP "Previous segment lost" alert, which indicates that some TCP segments are being dropped: the total packet length (MSS + TCP header + IP header) exceeds the link MTU. A TCP connection generally does not allow its segments to be fragmented (the MSS is negotiated for exactly this reason) and sets the DF bit. After the enterprise deploys MPLS VPN, however, MPLS labels are added to the data packets, so the MSS plus all header lengths exceeds the MTU of the transmission link and the packets are dropped. HTTP access therefore fails.

5. Change the TCP MSS value.

Run the tcp adjust-mss 1452 command on the interfaces connecting the PEs to the CEs to decrease the TCP MSS. After the TCP MSS is changed, the PC can access the server's web pages over HTTP.

Root Cause
TCP MSS specifies the maximum amount of payload a TCP segment may carry. If the total packet length (MSS + TCP header + IP header) is greater than the link MTU, data packets must be fragmented before being forwarded.

In this case, the total TCP packet length (MSS + TCP header + IP header + MPLS label) is greater than the link MTU, so data packets would have to be fragmented before being forwarded. Some higher-layer applications (such as the HTTP application-layer protocol) set the DF flag in IP packets to prevent TCP segments from being fragmented. When the DF flag is set and the MTU of the router interface is smaller than the segment being forwarded, the router cannot fragment it and discards it instead. Therefore, the PC cannot access the server's web pages normally.
Solution
Taking the TCP and IP headers into account in the MPLS VPN scenario, any of the following solutions can be used:

• Run the tcp adjust-mss 1452 command on the interfaces connecting the PEs to the CEs to decrease the TCP MSS. The total TCP packet length (MSS + TCP header + IP header + MPLS label) then no longer exceeds the link MTU, and packet loss does not occur.

• Contact the carrier to increase the MTU of the transmission link.

• Change the MTU on the PC. The MSS negotiated by TCP is 40 bytes (20-byte IP header plus 20-byte TCP header) smaller than the MTU, so decreasing the MTU also decreases the MSS (the smaller of the two ends' MSS values is used).

The first solution is used here.
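The arithmetic behind steps 3 to 5 and the three solutions, as an added Python example that is not part of the original case: it turns the largest DF-bit ping payload into the path MTU, checks whether the MSS a PC with a 1500-byte MTU offers survives the MPLS label stack, and computes the value to clamp to. The two-label stack (tunnel label plus VPN label) is an assumption made here because it is what yields 1452; the case itself mentions only a single 4-byte label.

```python
"""Added worked example: the MTU/MSS arithmetic behind this case.

Header sizes are the standard ones; sample values are taken from the case
(1472/1468-byte ping payloads, 1500-byte link MTU, tcp adjust-mss 1452).
"""
IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
ICMP_HDR = 8     # ICMP echo header
MPLS_LABEL = 4   # one MPLS label stack entry


def path_mtu_from_ping(max_payload: int) -> int:
    """Largest IP packet the path forwards unfragmented, derived from the
    biggest DF-bit ping payload that still gets a reply."""
    return max_payload + ICMP_HDR + IP_HDR


def max_mss(link_mtu: int, labels: int) -> int:
    """Largest MSS whose full packet (MSS + TCP + IP + label stack) fits
    the transport link MTU."""
    return link_mtu - TCP_HDR - IP_HDR - labels * MPLS_LABEL


def segment_fits(mss: int, link_mtu: int, labels: int) -> bool:
    """True if a full-size segment with this MSS crosses the labelled link
    without fragmentation (which the DF bit forbids)."""
    return mss + TCP_HDR + IP_HDR + labels * MPLS_LABEL <= link_mtu


def diagnose(max_ping_payload: int, pc_mtu: int, link_mtu: int, labels: int) -> dict:
    """Tie the case together: what the ping test implies, whether the MSS the
    PC offers in its SYN (pc_mtu - 40) survives the label stack, and the
    value to clamp to with tcp adjust-mss."""
    offered_mss = pc_mtu - TCP_HDR - IP_HDR
    return {
        "path_mtu": path_mtu_from_ping(max_ping_payload),
        "offered_mss": offered_mss,
        "fits": segment_fits(offered_mss, link_mtu, labels),
        "clamp_to": max_mss(link_mtu, labels),
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the case: 1468-byte ping ceiling after MPLS,
    # PC MTU 1500, carrier link MTU 1500 and an assumed two-label stack
    # (tunnel label + VPN label), which is what makes 1452 fall out.
    print(diagnose(1468, 1500, 1500, 2))
```

With these inputs the PC's default 1460-byte MSS produces 1508-byte labelled packets that cannot cross a 1500-byte link with DF set, while 1452 fits exactly.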
Suggestions
During MPLS VPN deployment, if the PC can successfully ping the IP address of the server but cannot access server web pages through HTTP, check MTU and MSS values.
