
AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining the AR Enterprise Router, covering common information collection and fault diagnostic commands, a typical fault troubleshooting guide, and troubleshooting.
Optimizing the MTU Configuration to Solve the Problem that the Network Access Rate of a Branch Is Slow

Branches access IPSec VPN using PPPoE dialup to achieve interconnection with the headquarters network. You can optimize the maximum transmission unit (MTU) configuration to solve the problem that the network access rate of a branch is slow.

Networking Diagram

The AR1220W functions as the egress gateway of a branch, and the branch accesses the headquarters data center using IPSec VPN. In the branch, terminals in the production and office areas are added to different VLANs of the switches to implement Layer 2 isolation between the two areas. Terminals in the production area are only allowed to access the headquarters data center rather than the Internet. Terminals in the office area are only allowed to access the Internet rather than the headquarters data center.

Symptom

The downlink rate of the Internet (bandwidth that the user applies for) is 20 Mbit/s, but the actual network access rates in the production and office areas are only approximately 4 Mbit/s.

Cause Analysis

Services between the branch and the headquarters service system are transmitted through IPSec VPN. In tunnel mode, IPSec encapsulates packets by adding an AH header, ESP header, and ESP tail to the original packets. The length of the new IP header is 20 bytes. The length of the AH header is variable, with a minimum of 12 bytes. The length of the ESP header is also variable, with a minimum of 10 bytes.

When packets are transmitted, the length of the Ethernet data frame is calculated as follows:

Length of the data segment (smaller than or equal to the MSS of TCP packets) + 20 bytes (length of the TCP header) + 20 bytes (length of the IP header) + Length of the AH header (in the range 12 bytes to 44 bytes) + Length of the ESP header (in the range 10 bytes to 24 bytes) + 8 bytes (length of the PPPoE frame)

If the length of the Ethernet data frame is larger than the MTU of the WAN interface (1440 bytes), the WAN interface discards TCP packets. Controlling the MSS of TCP packets prevents the length of the Ethernet data frame from exceeding the MTU, ensuring that TCP packets are properly forwarded.

Procedure

  1. Check configurations of the AR1220W.

    Run the display current-configuration command to check configuration parameters that currently take effect on the device.

    # 
    dialer-rule   //Enter the dialer-rule view.
     dialer-rule 1 ip permit   //Configure a dialup access control list (ACL) and the number of the dialup access control list is 1.
    # 
    acl 3002   //Configure ACL 3002 for NAT.
     rule 5 permit ip source 192.168.0.0 0.0.0.255     
    # 
    interface Dialer0   //Enter the dialer interface view.
     link-protocol ppp   //Configure the link-layer protocol of the dialer interface.
     ip address ppp-negotiate   //Configure PPP IP address negotiation on an interface of the client to allow the interface to obtain an IP address from the remote device.
     ppp chap user client   //Configure the user name for CHAP authentication so that the PPPoE server can authenticate clients.
     ppp chap password cipher %@%@VGZIW'r|aGrQ"v8`<pEP$7uH%@%@   //Configure the password for CHAP authentication so that the PPPoE server can authenticate clients.
     dialer user server   //Enable the RS-DCC function.
     dialer bundle 1   //Set the number of the dialer bundle to 1.
     dialer-group 1   //Configure a dialup access group that the dialer interface belongs to and the number of the dialup access group is 1.
     nat outbound 3002   //Configure outbound NAT in Easy IP mode.
     tcp adjust-mss 1460   //Configure the MSS of TCP packets.
    # 
    interface GigabitEthernet0/0/1   //Enter the Ethernet interface view.
     pppoe-client dial-bundle-number 1   //Enable the PPPoE client function on the Ethernet interface.
    # 
     ip route-static 0.0.0.0 0 Dialer0   //Configure a static route to the PPPoE server and specify Dialer0 as the outbound interface.

    The configurations are consistent with the networking plan.

  2. Run the display pppoe-client session summary command to check the status and configuration information of the PPPoE session.

    PPPoE Client Session: 
    ID   Bundle  Dialer  Intf             Client-MAC    Server-MAC    State 
    1    1       1       GE0/0/1          00e0fc030201  0819a6cd0680  UP

    Check whether the session status is normal based on the command output. (The session status is normal if the value of the State field is UP.)

  3. Run the display cpu-usage command to check the CPU usage of the device to figure out whether the network access rate decreases because of the device performance bottleneck.

    CPU Usage: 23.3%

  4. Run the display interface command to check detailed information about GE0/0/1.

    Route Port,The Maximum Transmit Unit is 1440     

    The command output indicates that the MTU of GE0/0/1 is 1440, which is smaller than the MSS of TCP packets on Dialer0 (1460). As a result, GE0/0/1 directly discards TCP packets. After the MSS of TCP packets is changed to 1200, the actual network access rate reaches 20 Mbit/s and the problem is solved.
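The comparison made in step 4 can be automated by combining the configured MSS, the interface MTU, and the frame-length formula from the Cause Analysis. The following Python script is an added example, not Huawei's code: the function names are hypothetical, the sample input is constructed from the lines shown on this page, and the overhead values are exactly the terms of the page's formula.

```python
import re

# Overhead terms of the page's frame-length formula, in bytes.
TCP_HDR, IP_HDR, PPPOE = 20, 20, 8
AH_MIN, AH_MAX, ESP_MIN, ESP_MAX = 12, 44, 10, 24

# Constructed sample input, shaped like the command output shown on the page.
SAMPLE_CONFIG = """\
interface Dialer0
 tcp adjust-mss 1460
#
interface GigabitEthernet0/0/1
"""
SAMPLE_DISPLAY_INTERFACE = "Route Port,The Maximum Transmit Unit is 1440"

def parse_adjust_mss(config):
    """Map each interface name to its configured 'tcp adjust-mss' value."""
    found, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and (m := re.fullmatch(r"tcp adjust-mss (\d+)", line)):
            found[current] = int(m.group(1))
    return found

def parse_mtu(display_output):
    """Extract the MTU from 'display interface' output."""
    m = re.search(r"Maximum Transmit Unit is (\d+)", display_output)
    if m is None:
        raise ValueError("no MTU line in display interface output")
    return int(m.group(1))

def frame_length_range(mss):
    """Smallest and largest frame length for a segment carrying a full MSS."""
    fixed = mss + TCP_HDR + IP_HDR + PPPOE
    return fixed + AH_MIN + ESP_MIN, fixed + AH_MAX + ESP_MAX

def largest_safe_mss(mtu):
    """Largest MSS whose worst-case frame still fits within the MTU."""
    return mtu - (TCP_HDR + IP_HDR + AH_MAX + ESP_MAX + PPPOE)

def audit(config, display_output):
    """Return (mtu, {interface: (mss, min_frame, max_frame, fits_worst_case)})."""
    mtu = parse_mtu(display_output)
    report = {}
    for ifname, mss in parse_adjust_mss(config).items():
        low, high = frame_length_range(mss)
        report[ifname] = (mss, low, high, high <= mtu)
    return mtu, report
```

With the page's values, an MSS of 1460 yields frames of 1530 to 1576 bytes against an MTU of 1440, while an MSS of 1200 yields at most 1316 bytes. The formula's upper bound for this MTU is an MSS of 1324, so the recommended 1200 leaves headroom.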

Conclusion and Suggestion

Most branches access the Internet using PPPoE and interconnect with the headquarters network through IPSec VPN. The MTU of the interface on an egress device cannot exceed 1492, and it is recommended that you change the MSS of TCP packets to 1200.

Updated: 2019-05-10

Document ID: EDOC1000079719