AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Users Fail to Access Web Pages After MPLS VPN Is Deployed

Keywords

MPLS VPN, MTU, TCP MSS, web page access failure

Abstract

After an enterprise deploys MPLS VPN, users in the enterprise fail to access web pages due to improper TCP MSS value.

Problem Description

As shown in Figure 1-1, CE_1 and CE_2 connect the enterprise branch, CE_3 and CE_4 connect the enterprise headquarters, CE_1 and CE_3 belong to vpna, and CE_2 and CE_4 belong to vpnb. After the enterprise deploys MPLS VPN, a PC at the enterprise branch can ping both the IP address and the domain name of the server at the headquarters, but it cannot open web pages through HTTP. The network neighbor and file sharing services between the PC and the server work normally.

Figure 25-21 MPLS VPN

Device and version: AR2240 V200R005C20SPC200

Procedure

  1. Check whether the link between the PC and server is normal.

    Ping the IP address and domain name of the server on the PC. For example, if the IP address of the server is 10.1.1.1, run the ping 10.1.1.1 command. If the ping operation succeeds, use the tracert tool to trace the path. If the path is normal, the link between the PC and server is normal.

  2. Check the device configuration, neighbor status, and routing table. The result shows that they are normal.
  3. Check whether the MTU value is set properly.

    Ping the IP address of the server from the PC with the DF bit set to 0 (indicating that packets are not fragmented). After several pings with different packet sizes, packets of at most 1468 bytes are pinged successfully, which suggests that the MTU value is improper. On the original network, without fragmentation, the largest packet that can be pinged successfully is 1472 bytes. After MPLS VPN is deployed, a 4-byte MPLS label is added to each packet, so the maximum drops to 1468 bytes.

    On the PEs at both ends, increase the interface MTU and MPLS MTU values to 1520. Packets of at most 1468 bytes can still be pinged successfully, so the limit is not on the PEs. The customer consulted the carrier and learned that the MTU value of the carrier's transmission device is limited.

  4. Check whether the TCP MSS value is proper.

    Packet capture and analysis show the TCP "Previous segment lost" indication, meaning that some TCP segments are lost. The total packet length (MSS + TCP header + IP header) is greater than the MTU value of the link. Generally, a TCP connection does not allow its packets to be fragmented: the MSS value is negotiated and the DF bit is set. After the enterprise deploys MPLS VPN, however, MPLS labels are added to data packets, so the MSS value plus all header lengths exceeds the MTU value of the transmission link and packets are lost. HTTP access therefore fails.

  5. Change the TCP MSS value.

    Run the tcp adjust-mss 1452 command on the interfaces connecting the PEs and CEs to decrease the TCP MSS value. After the TCP MSS value is changed, the PC can access the server's web pages through HTTP.

Root Cause

TCP MSS specifies the maximum segment size of TCP packets. If the total packet length (MSS + TCP header + IP header) is greater than the MTU value of the link, data packets must be fragmented before being forwarded.

In this case, the total TCP packet length (MSS + TCP header + IP header + MPLS label) is greater than the MTU value of the link, so data packets would have to be fragmented before being forwarded. Some upper-layer applications (such as HTTP) set the DF flag in IP packets to prevent TCP segments from being fragmented. If the DF flag is set and the MTU value of the router interface is less than the MSS value, the router discards the packets because it cannot fragment them. Therefore, the PC cannot access the server's web pages.

Solution

Considering the TCP header and IP header in the MPLS VPN scenario, you can use the following solutions:

  • Run the tcp adjust-mss 1452 command on the interfaces connecting the PEs and CEs to decrease the TCP MSS value. The total TCP packet length (MSS + TCP header + IP header + MPLS label) then no longer exceeds the MTU value of the link, and packet loss does not occur.
  • Contact the carrier to increase the MTU value of the transmission link.
  • Change the MTU value of the PC. The MSS value obtained through TCP negotiation is 40 bytes (20-byte IP header and 20-byte TCP header) less than the MTU value. Therefore, decreasing the MTU value also decreases the MSS value (the smaller of the two ends' MSS values is used).

The first solution is used here.
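The following Python is an added worked example, not part of the Huawei case, that performs the byte accounting behind steps 3 to 5 and the MSS-adjustment solution. It assumes a 1500-byte link MTU and PC MTU (the carrier's actual limit is not given above) and 20-byte IP and TCP headers; the function names are hypothetical.

```python
# Added example (not from the Huawei document): byte accounting for the
# MPLS VPN MTU/MSS problem. All sizes below are constructed assumptions.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ICMP_HDR = 8       # ICMP echo header
MPLS_LABEL = 4     # one MPLS label stack entry


def max_ping_payload(link_mtu, labels=0):
    """Largest ICMP echo payload that still fits the link unfragmented
    once `labels` MPLS labels are pushed (1472 on plain Ethernet)."""
    return link_mtu - IP_HDR - ICMP_HDR - labels * MPLS_LABEL


def tcp_packet_len(mss, labels=0):
    """On-wire length of a full-size TCP segment plus MPLS encapsulation."""
    return mss + TCP_HDR + IP_HDR + labels * MPLS_LABEL


def will_be_dropped(mss, link_mtu, labels=0, df=True):
    """A full-size segment is discarded when it exceeds the link MTU and
    DF is set: the router may not fragment it, as in the HTTP case."""
    return df and tcp_packet_len(mss, labels) > link_mtu


def safe_mss(link_mtu, labels=0):
    """MSS that keeps a full-size segment within the link MTU,
    i.e. what tcp adjust-mss should clamp the SYN option to."""
    return link_mtu - IP_HDR - TCP_HDR - labels * MPLS_LABEL


def default_mss(host_mtu):
    """MSS a host advertises: its interface MTU minus IP and TCP headers."""
    return host_mtu - IP_HDR - TCP_HDR


def diagnose(link_mtu, host_mtu=1500, labels=1):
    """Reproduce the case: probe size, negotiated MSS, drop decision, fix."""
    mss = min(default_mss(host_mtu), default_mss(host_mtu))  # both ends
    return {
        "max_ping_bytes": max_ping_payload(link_mtu, labels),
        "negotiated_mss": mss,
        "dropped": will_be_dropped(mss, link_mtu, labels),
        "adjust_mss_to": safe_mss(link_mtu, labels),
    }


if __name__ == "__main__":
    print("before MPLS:", diagnose(1500, labels=0))
    print("after MPLS: ", diagnose(1500, labels=1))
```

With one label the safe MSS is 1456; the document's value of 1452 equals safe_mss(1500, 2), leaving room for two labels.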

Suggestion

During MPLS VPN deployment, if the PC can successfully ping the IP address of the server but cannot access server web pages through HTTP, check MTU and MSS values.

Updated: 2019-08-09

Document ID: EDOC1000079719
