The customer configured an IPsec VPN on a USG2260 with a Cisco router as the peer. After the tunnel came up, the only problem was that HTTP traffic from this site to the Cisco site was very slow, and sometimes no page could be opened at all. Voice traffic was normal, ping showed no packet loss, and telnet and SSH sessions worked well too.
TCP is a connection-oriented protocol and is sensitive to segment ordering and to transmission errors. Some TCP applications, HTTP/HTTPS among them, send full-size segments and do not tolerate IP fragmentation well, which is why they suffer while the small packets used by voice, ping, telnet and SSH pass unaffected.
When an IPsec tunnel is configured, the encapsulation adds header overhead to every packet. A full-size TCP segment that fit the interface MTU before encapsulation exceeds it afterwards and is fragmented. The encapsulated packet must not exceed the MTU, so the TCP MSS has to be reduced enough that TCP segments are never fragmented on the way through the tunnel.
Once packets have been fragmented, certain devices have trouble processing them at the application layer. To avoid these problems, run the firewall tcp-mss command on the device. When forwarding a TCP SYN (the only segment that carries the MSS option), the device compares the locally configured MSS with the MSS value in the packet and forwards the smaller of the two. Both endpoints then limit their segments to that value, so no fragments appear on the network and communication stays smooth.
In normal cases the MSS is the interface MTU minus 40 bytes (20-byte IP header plus 20-byte TCP header). If the uplink uses PPPoE dial-up, a further 8 bytes (PPPoE header) must be subtracted, so the MSS is the interface MTU minus 48 bytes.
If the interface MTU changes from 1500 bytes to 1450 bytes, the new MSS should be 1410 bytes.
In this case (interface MTU 1500), if the uplink used PPPoE dial-up the MSS would be 1452 bytes (1500 minus 20, 20 and 8). The IPsec encapsulation adds its own overhead on top of that, which is why the value chosen below is lower than these figures.
The MSS clamp is configured on the USG with:
[USG] firewall tcp-mss 1200
and the corresponding clamp on the Cisco router (ip tcp adjust-mss 1200 on the tunnel-facing interface), so that both sides limit the TCP MSS to 1200 bytes.
After this change, web pages open normally.
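As an added illustration (not part of the original case, and not Huawei or Cisco code), the following Python script does the two things the text describes. First it derives the MSS from the interface MTU and the encapsulation overhead, using the page's 40-byte and 48-byte rules plus an assumed worst-case ESP tunnel-mode overhead for AES-CBC with HMAC-SHA1-96 (the cipher suite is an assumption; the page does not state it). Second it applies the same rule the firewall tcp-mss command applies: it takes the smaller of the locally configured MSS and the MSS advertised in a SYN, rewrites the option and recomputes the TCP checksum. The SYN segment and the IP addresses are constructed inline so the script runs offline.

```python
"""Worked example for TCP MSS derivation and clamping (added illustration,
not vendor code). Everything here runs offline on a SYN segment built inline."""
import struct

IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
PPPOE_HDR = 8    # PPPoE session header, only if the uplink is PPPoE dial-up


def mss_for_mtu(mtu, pppoe=False, extra_overhead=0):
    """MSS = MTU - IP header - TCP header [- PPPoE header] [- tunnel overhead]."""
    return mtu - IP_HDR - TCP_HDR - (PPPOE_HDR if pppoe else 0) - extra_overhead


def esp_tunnel_overhead(iv_len=16, icv_len=12):
    """Worst-case bytes ESP tunnel mode adds to an inner IPv4 packet.
    Assumption (not stated on the page): AES-CBC (16-byte IV) with HMAC-SHA1-96
    (12-byte ICV). Outer IPv4 20 + SPI/sequence 8 + IV + up to 15 pad bytes
    + 2-byte pad-length/next-header trailer + ICV."""
    return 20 + 8 + iv_len + 15 + 2 + icv_len


def tcp_checksum(src_ip, dst_ip, seg):
    """One's-complement checksum over the IPv4 pseudo-header and the TCP segment.
    Returns 0 when called on a segment whose checksum field is already correct."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg))
    data = pseudo + seg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample input: a SYN with options MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (TCP_HDR + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    seg = hdr + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def _mss_option_offset(seg):
    """Walk the TCP options; return the offset of the MSS value, or None."""
    data_offset = (seg[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            break              # truncated option
        length = seg[i + 1]
        if length < 2:
            break              # malformed option; stop rather than loop forever
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def advertised_mss(seg):
    """MSS value carried in the segment's options, or None if absent."""
    off = _mss_option_offset(seg)
    return None if off is None else struct.unpack_from("!H", seg, off)[0]


def clamp_mss(src_ip, dst_ip, seg, local_mss):
    """Apply the firewall tcp-mss rule: forward min(local, advertised).
    Returns (possibly rewritten segment, MSS the peer will see)."""
    if not seg[13] & 0x02:     # MSS is only carried in SYN segments
        return seg, None
    off = _mss_option_offset(seg)
    if off is None:
        return seg, None
    advertised = struct.unpack_from("!H", seg, off)[0]
    applied = min(advertised, local_mss)
    if applied == advertised:
        return seg, applied    # packet value already smaller: left untouched
    out = bytearray(seg)
    struct.pack_into("!H", out, off, applied)
    struct.pack_into("!H", out, 16, 0)   # zero the field before recomputing
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out), applied


if __name__ == "__main__":
    print("MSS for MTU 1500:", mss_for_mtu(1500))
    print("MSS for MTU 1500 over PPPoE:", mss_for_mtu(1500, pppoe=True))
    print("MSS that survives ESP tunnel mode on MTU 1500:",
          mss_for_mtu(1500, extra_overhead=esp_tunnel_overhead()))
    src, dst = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])   # constructed addresses
    syn = build_syn(src, dst, 40000, 80, 1460)
    clamped, applied = clamp_mss(src, dst, syn, 1200)
    print("advertised", advertised_mss(syn), "-> forwarded", applied,
          "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```

The overhead estimate shows why a plain MTU-minus-40 value is not enough once the tunnel is in the path: on a 1500-byte MTU the worst-case ESP tunnel-mode figure leaves room for an MSS of about 1387, so the 1200 used in this case keeps a comfortable margin. The clamp function also shows the behaviour the page describes for the smaller value: a SYN that already advertises less than the local setting is forwarded untouched.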