Slow Network Access Due to a Large TCP MSS Value

Publication Date: 2015-07-03
Issue Description

Fault Symptom:

A user dials up (PPPoE) through GE0/0/0. After the user goes online, web pages take a long time to open.
Handling Process
If network access is slow in a PPPoE scenario, check the MTU and TCP MSS values configured on the device.

Before locating the fault, familiarize yourself with the following concepts:

1. Maximum Transmission Unit (MTU)

An Ethernet II frame consists of DMAC + SMAC + Type + Data + CRC.

Because of the transmission limits of Ethernet, a standard Ethernet frame is 64 to 1518 bytes long. Frames shorter than 64 bytes or longer than 1518 bytes are treated as error frames and discarded by Ethernet forwarding devices. Note: frames shorter than 64 bytes (runts) are fragments produced by a collision, line interference, or an abnormally operating Ethernet interface. Frames longer than 1518 bytes (giant frames) are, on links that do not support larger frames, produced by line interference or an abnormally operating Ethernet interface.

The maximum length of an Ethernet II frame is 1518 bytes. The frame contains a 14-byte header (6-byte DMAC + 6-byte SMAC + 2-byte Type), a 4-byte CRC checksum (the FCS), and a data field. The data field can therefore carry at most 1518 - 14 - 4 = 1500 bytes. This maximum is the MTU.

2. Maximum Segment Size (MSS)

MSS is a TCP concept. The MSS is the largest amount of TCP payload (data, excluding headers) that the peer may place in a single segment. Each side advertises its own MSS in a TCP option of its SYN during the three-way handshake, and a sender uses the smaller of the value it received and the value derived from its own interface MTU.

TCP derives the MSS from the interface MTU. If the interface MTU is 1500 bytes, the MSS is 1460 bytes: MSS = interface MTU (1500 bytes) - IP header (20 bytes) - TCP header (20 bytes), as shown in the following captured packet information:

Traffic sent by a PC reaches a remote PC over a path that spans many network devices, such as routers, and these devices may have different MTUs. The largest packet that can cross the path unfragmented is determined by the smallest MTU along the path (the path MTU).

Protocols above the network layer do not track the MTU of each device on the path. The network-layer protocol (IP) checks the size of each packet handed down by the upper layer and decides whether to fragment it based on the outgoing interface MTU.

Fragmentation reduces transmission performance, which is the transport layer's concern. A transport-layer protocol that wants its packets to stay intact sets the Don't Fragment (DF) flag in the IP header to forbid fragmentation. If a device on the path has an MTU smaller than the length of a packet carrying DF, the device discards the packet and returns an ICMP error (Fragmentation Needed) to the sender. If that error never reaches the sender, for example because ICMP is filtered somewhere on the path, the sender keeps retransmitting the oversized packet and the connection stalls.

UDP is connectionless and does not track whether datagrams reach their destination. UDP therefore imposes no requirement on fragmentation and leaves it to IP.

TCP is connection-oriented and does track whether segments are delivered. TCP segments therefore commonly carry the DF flag (this is how path MTU discovery works).

A PPPoE packet is 8 bytes longer than a plain Ethernet frame (a 6-byte PPPoE header plus a 2-byte PPP protocol ID), which reduces the usable MTU to 1500 - 8 = 1492 bytes. The MSS in a PPPoE scenario therefore cannot exceed 1452 (1492 - 20 - 20 = 1452). Encapsulations that add more overhead, such as L3VPN (MPLS labels) or IPSec (ESP/AH headers and tunnel-mode outer IP header), require an MSS smaller than 1452.
Root Cause
In PPPoE scenarios, an IP packet that carries the DF flag and is longer than the MTU configured on the device is discarded, which breaks or slows services. To resolve the problem, lower the TCP MSS that the device enforces on transit connections so that full-size segments fit in the PPPoE MTU.
Set the TCP MSS on the firewall to 1452 or less (this case uses 1400, which leaves headroom for further encapsulation):

[USG] firewall tcp-mss 1400

Once the MSS is reduced, the firewall rewrites the MSS option in SYN segments passing through it, both hosts send smaller segments, DF-marked packets no longer exceed the PPPoE MTU, and page loading returns to normal. Note that this only helps TCP; UDP and other protocols still rely on IP fragmentation or on the application choosing smaller datagrams.
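The following example, added here and not part of the original article, shows in code what the MSS arithmetic above and the firewall tcp-mss command amount to: it derives the MSS for a plain Ethernet and a PPPoE link, builds a constructed SYN segment carrying an MSS option, and rewrites that option the way an MSS-clamping device does (lowering a larger advertised MSS and fixing the TCP checksum). The sample addresses and port numbers are constructed for the example; the segment format is standard TCP over IPv4 with no IP options.

```python
import struct

# Fixed header sizes with no IP or TCP options (assumption: none on the path).
IP_HDR = 20
TCP_HDR = 20
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol ID

# Constructed sample addresses (documentation ranges, not from the article).
SAMPLE_SRC = bytes([192, 168, 1, 10])
SAMPLE_DST = bytes([203, 0, 113, 5])


def mss_for_mtu(mtu, extra_encap=0):
    """Largest TCP payload per segment for a link MTU, minus any extra
    encapsulation carried inside the Ethernet payload (PPPoE, tunnels)."""
    return mtu - extra_encap - IP_HDR - TCP_HDR


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus the TCP
    segment. Returns 0 when the segment's checksum field is already valid."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Minimal SYN carrying only the MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = bytearray(header + options)
    segment[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(segment)))
    return bytes(segment)


def _find_mss_option(segment):
    """Walk the TCP option list; return the byte offset of the MSS value, or None."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP padding, one byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset:            # truncated option
            break
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:   # malformed: stop, do not loop
            break
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def parse_mss(segment):
    off = _find_mss_option(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """What an MSS-clamping device does to a transit SYN: an advertised MSS
    above max_mss is lowered to max_mss and the TCP checksum is recomputed.
    Segments advertising a smaller MSS, or no MSS option, pass unchanged."""
    off = _find_mss_option(segment)
    if off is None or struct.unpack("!H", segment[off:off + 2])[0] <= max_mss:
        return segment
    seg = bytearray(segment)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                # zero the field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    print("Ethernet MSS:", mss_for_mtu(ETHERNET_MTU))              # 1460
    print("PPPoE MSS:", mss_for_mtu(ETHERNET_MTU, PPPOE_OVERHEAD))  # 1452
    syn = build_syn(SAMPLE_SRC, SAMPLE_DST, 40000, 80, 1460)
    fixed = clamp_mss(SAMPLE_SRC, SAMPLE_DST, syn, 1400)
    print("SYN MSS before/after clamp:", parse_mss(syn), parse_mss(fixed))  # 1460 1400
```

The option walker stops on a zero-length or truncated option rather than looping, which matters for anything that parses headers from untrusted traffic. The clamp only ever lowers the MSS; a peer that already advertises a smaller value is left alone, matching how a firewall MSS setting behaves.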