

TCP MSS setting leads to slow IPSec traffic

Publication Date:  2014-06-30 Views:  6182 Downloads:  3

Issue Description

The topology is shown above: a USG2200 at HQ and AR1220 routers in the branches set up IPSec VPN tunnels. When SAP and Lotus Notes traffic is forwarded through the VPN tunnel, it becomes slow, while other traffic that does not pass through the VPN tunnel is forwarded normally.

Alarm Information


Handling Process

1. After analyzing the captured packets, we found that a large number of packets were being sent as fragments.
2. After modifying the TCP MSS value on the USG2000E and the AR1220 so that (MSS + TCP header + IP header) < MTU, the SAP and Lotus Notes traffic forwarded via the IPSec tunnel returned to normal.

TCP MSS configuration on the USG2200:
[USG2200]firewall tcp-mss 1200

On the AR1220, the TCP MSS should be configured on both the internal and the external interface:
[AR1220-GigabitEthernet0/0/0]tcp adjust-mss 1200
[AR1220-GigabitEthernet0/0/1]tcp adjust-mss 1200

Root Cause

IPSec tunnel encapsulation adds headers to each IP packet, so the encapsulated packet is longer than the original. If (MSS + TCP header + IP header) > link MTU, the packet is sent as fragments and reassembled at the receiver. Fragmentation and reassembly consume CPU resources, and encrypting and decrypting fragmented packets consumes additional CPU resources. When the proportion of fragmented packets is too high, the resulting CPU shortage can cause packet loss.


When TCP packets are longer than the MTU, adjust the TCP MSS to avoid fragmentation.
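To make the (MSS + TCP header + IP header) versus MTU rule from the handling process and root cause concrete, the following added example (not part of the original article or of Huawei's products) estimates the on-the-wire size of a full-MSS TCP segment after ESP tunnel-mode encapsulation and derives the largest MSS that still avoids fragmentation. The cipher and integrity overheads (AES-128-CBC with HMAC-SHA1-96) and a 1500-byte link MTU are assumptions chosen for the example.

```python
# Added example (not from the original article): estimate whether a TCP segment
# still fits the link MTU after IPsec ESP tunnel-mode encapsulation, and derive
# the largest MSS that avoids fragmentation. Cipher/integrity overheads are
# assumptions (AES-128-CBC with HMAC-SHA1-96), not taken from the article.

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_IV = 16          # AES-CBC initialisation vector (assumption)
ESP_BLOCK = 16       # AES block size; ESP padding aligns to it (assumption)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)
ESP_ICV = 12         # HMAC-SHA1-96 integrity check value (assumption)


def plaintext_size(mss: int) -> int:
    """Original IP packet: IP header + TCP header + MSS bytes of payload."""
    return IP_HDR + TCP_HDR + mss


def esp_tunnel_size(mss: int) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation of a full-MSS segment."""
    inner = plaintext_size(mss)
    # The encrypted part is the inner packet plus the ESP trailer, padded up
    # to a whole number of cipher blocks.
    unpadded = inner + ESP_TRAILER
    pad = (ESP_BLOCK - unpadded % ESP_BLOCK) % ESP_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + unpadded + pad + ESP_ICV


def will_fragment(mss: int, mtu: int = 1500) -> bool:
    """True when the encapsulated packet exceeds the link MTU and must be fragmented."""
    return esp_tunnel_size(mss) > mtu


def max_mss(mtu: int = 1500) -> int:
    """Largest MSS whose encapsulated packet still fits the MTU without fragmentation."""
    for mss in range(mtu - IP_HDR - TCP_HDR, 0, -1):
        if not will_fragment(mss, mtu):
            return mss
    raise ValueError("MTU too small to carry any TCP payload")


if __name__ == "__main__":
    for mss in (1460, 1200):   # default Ethernet MSS vs. the value set in the article
        print(f"MSS {mss}: {esp_tunnel_size(mss)} bytes on the wire, "
              f"fragment={will_fragment(mss)}")
    print("largest MSS without fragmentation:", max_mss())
```

Under these assumptions the default MSS of 1460 produces 1560-byte packets that must be fragmented, while the article's value of 1200 yields 1304-byte packets with comfortable headroom below the 1398-byte upper bound.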