
Difference between MTU, tcp-adjust-mss and PMTUD

As a Cisco network engineer, you’re no stranger to chasing down application issues—SSH stalling, HTTP timing out, or file transfers failing over MetroEthernet or IPsec VPNs, even when pings work fine. These headaches often trace back to packet sizing, and three technologies are your toolkit: MTU, IP TCP Adjust-MSS, and PMTUD (Path MTU Discovery). This training breaks down what they do, how to configure them on Cisco gear, and how to troubleshoot real-world problems. Let’s dive into these essentials for keeping traffic flowing.

1. MTU: The Packet Size Foundation

What It Is: Maximum Transmission Unit—the largest packet (headers + payload) an interface can send or receive. On Ethernet, the default MTU is 1500 bytes, including IP and Layer 2 headers.

How It Works: If a packet exceeds the MTU, it’s fragmented (if the “Don’t Fragment” bit is unset) or dropped (if DF is set). Fragmentation slows traffic—reassembly takes CPU cycles, and lost fragments kill sessions. MetroEthernet (VLAN tags) or IPsec (encryption overhead) often lower the effective MTU, causing mismatches.

Cisco Syntax:

interface GigabitEthernet0/0
 ip mtu 1472
  • Sets IP MTU to 1472 bytes (e.g., for MetroEthernet with 4-byte VLAN + 18-byte Ethernet overhead).
  • Applies to all IP traffic (TCP, UDP, ICMP) on the interface.

Show Command:

show ip interface GigabitEthernet0/0

Output:

GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
  MTU 1472 bytes, BW 1000000 Kbit/sec, DLY 10 usec

Troubleshooting Use:

  • Scenario: MetroEthernet apps lag. show ip interface Gi0/0 shows MTU 1500, but provider caps at 1472 (1500 – 22).
  • Fix: ip mtu 1472 prevents fragmentation, aligning with the provider’s limit.

2. IP TCP Adjust-MSS: TCP Payload Control

What It Is: IP TCP Adjust-MSS modifies the Maximum Segment Size (MSS)—the TCP payload size, excluding IP (20 bytes) and TCP (20 bytes) headers. Default MSS is 1460 bytes (1500 – 40). This command adjusts MSS in TCP SYN packets during the handshake to prevent fragmentation.

How It Works: Unlike PMTUD (which uses ICMP reactively), ip tcp adjust-mss proactively rewrites the MSS value in the TCP header at the router. It’s TCP-only and avoids fragmentation by ensuring packets fit the path’s MTU, including tunnel overhead (e.g., GRE’s 24 bytes, IPsec’s ~72 bytes).

Cisco Syntax:

interface Tunnel0
 ip tcp adjust-mss 1436
  • Sets MSS to 1436 bytes (1460 – 24 for GRE), so total packet (1436 + 40 = 1476) fits a 1500-byte MTU.
  • For IPsec (~72 bytes overhead), use 1388 (1460 – 72).

Setting It: Calculate MSS as MTU minus headers and overhead. Lower it further (e.g., 1360) if TCP options (like timestamps) add bytes. Apply on the WAN interface handling tunnel traffic, not LAN-to-LAN, to target specific flows.

Show Command:

show ip interface Tunnel0

Output:

Tunnel0 is up, line protocol is up
  Internet address is 10.0.0.1/30
  MTU 1476 bytes, BW 100 Kbit/sec, DLY 50000 usec
  TCP MSS adjust is 1436 bytes

Troubleshooting Use:

  • Scenario: TCP apps fail over IPsec VPN. show ip interface Tunnel0 shows no MSS adjust, packets hit 1500 + 72 = 1572, exceeding MTU.
  • Fix: ip tcp adjust-mss 1388 keeps packets at 1428 (1388 + 40), fitting 1500 post-encryption.
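
The rewrite described under "How It Works", as an added example that is not Cisco's implementation or code from the original article: it walks the TCP options of a SYN, lowers the MSS option if it exceeds the clamp, and patches the TCP checksum incrementally (RFC 1624) so the segment still verifies. The function names and the sample addresses and ports are assumptions made for the illustration.

```python
import struct

def fold(total: int) -> int:
    """Fold carries back in (16-bit one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over valid data."""
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def clamp_mss(tcp: bytes, clamp: int) -> bytes:
    """Lower the MSS option of a TCP SYN to `clamp` and patch the checksum."""
    if len(tcp) < 20 or not tcp[13] & 0x02:
        return tcp                          # MSS is only carried in SYNs
    hdr_len, i = min((tcp[12] >> 4) * 4, len(tcp)), 20
    while i + 1 < hdr_len and tcp[i] != 0:  # kind 0 ends the option list
        kind, length = tcp[i], 1 if tcp[i] == 1 else tcp[i + 1]  # NOP = 1 byte
        if (kind != 1 and length < 2) or i + length > hdr_len:
            break                           # malformed option: leave as is
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= clamp:
                break                       # already small enough
            # RFC 1624: HC' = ~(~HC + ~m + m'). At an odd offset the value
            # straddles two checksum words, so it enters the sum byte-swapped.
            sw = (lambda v: (v & 0xFF) << 8 | v >> 8) if i % 2 else (lambda v: v)
            hc = struct.unpack_from("!H", tcp, 16)[0]
            hc = ~fold((~hc & 0xFFFF) + (~sw(old) & 0xFFFF) + sw(clamp)) & 0xFFFF
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, clamp)
            struct.pack_into("!H", out, 16, hc)
            return bytes(out)
        i += length
    return tcp

# Constructed sample: SYN 192.0.2.10:40000 -> 198.51.100.20:22 offering MSS 1460.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

def pseudo(tcp: bytes) -> bytes:
    """IPv4 pseudo-header plus segment: the input to the TCP checksum."""
    return SRC + DST + struct.pack("!BBH", 0, 6, len(tcp)) + tcp

def sample_syn() -> bytes:
    hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 6 << 4, 0x02, 64240, 0, 0)
    syn = hdr + bytes([2, 4]) + struct.pack("!H", 1460)
    return syn[:16] + struct.pack("!H", checksum(pseudo(syn))) + syn[18:]
```

Calling clamp_mss(sample_syn(), 1436) returns the same SYN advertising 1436, and checksum(pseudo(...)) over the result is still 0.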

3. PMTUD: Path MTU Discovery

What It Is: Path MTU Discovery—a protocol where endpoints discover the smallest MTU along a path using ICMP “Fragmentation Needed” (Type 3, Code 4) messages. It’s reactive, adjusting packet sizes after drops occur.

How It Works: The sender starts with its interface MTU (e.g., 1500), sets the DF bit, and sends. If a router can’t forward due to a lower MTU (e.g., 1472), it drops the packet and sends an ICMP message with the next-hop MTU. The sender retries with that size. Older PMTUD doesn’t report the exact MTU, forcing trial-and-error, slowing recovery.

Cisco Syntax: Enabled by default on Cisco devices for IPv4 (assuming IP connectivity allows ICMP). No explicit config is needed, but ensure ICMP isn’t blocked. The following interface command disables ICMP unreachables and is the setting to look for:

interface GigabitEthernet0/1
 no ip unreachables
  • Avoid disabling ICMP unreachables on WAN interfaces, or PMTUD fails.

Show Command:
No direct PMTUD show command, but check drops or ICMP activity:

show ip traffic

Output:

IP statistics:
  Rcvd:  10000 total, 0 local destination
  Sent:  9500 total, 0 errors
  Frags: 50 fragmented, 10 timeouts
ICMP statistics:
  Rcvd: 20 unreachables
  Sent: 15 unreachables
  • Look for “unreachables” sent (Fragmentation Needed messages).

Troubleshooting Use:

  • Scenario: TCP apps timeout over MetroEthernet with mixed MTUs. show ip traffic shows unreachables sent, but no client adjustment (firewall blocks ICMP).
  • Fix: Ensure ICMP flows end-to-end, or use ip tcp adjust-mss as a proactive backup.
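
The sender side of PMTUD, as an added example that is not from the original article or from any vendor's stack: it parses an ICMP Type 3, Code 4 message, takes the next-hop MTU, and steps down the RFC 1191 plateau table when an older router reports 0. It goes slightly beyond the text by ignoring messages that do not quote a packet from a flow the host actually sent and by never letting ICMP raise the estimate or push it below 68 bytes. The function names and the sample flow are assumptions.

```python
import struct

# RFC 1191 plateau table, used when a legacy router reports next-hop MTU 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)
MIN_MTU = 68  # smallest MTU an IPv4 link may have
# Constructed flow (documentation addresses): src, dst, src port, dst port.
FLOW = (bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]), 40000, 443)

def next_pmtu(icmp: bytes, current: int, flow: tuple = FLOW) -> int:
    """Return the path MTU to use after receiving one ICMP message."""
    if len(icmp) < 36 or icmp[0] != 3 or icmp[1] != 4:
        return current                      # not Type 3 Code 4
    mtu = struct.unpack_from("!H", icmp, 6)[0]
    inner = icmp[8:]                        # quoted IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        return current                      # truncated, or quote is not TCP
    quoted = (inner[12:16], inner[16:20], *struct.unpack_from("!HH", inner, ihl))
    if quoted != flow:
        return current                      # quotes a packet we never sent
    if mtu == 0:                            # legacy router: step down a plateau
        dropped = struct.unpack_from("!H", inner, 2)[0] or current
        mtu = next((p for p in PLATEAUS if p < min(dropped, current)), MIN_MTU)
    if mtu >= current:
        return current                      # ICMP may only lower the estimate
    return max(mtu, MIN_MTU)

def sample_icmp(mtu: int, flow: tuple = FLOW) -> bytes:
    """Constructed Fragmentation Needed message quoting a 1500-byte TCP packet
    with DF set; the ICMP checksum is left at 0 and is not verified here."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0, *flow[:2])
    tcp8 = struct.pack("!HHI", flow[2], flow[3], 1)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + tcp8
```

With a current estimate of 1500, a message carrying next-hop MTU 1472 yields 1472, and one carrying 0 yields the 1492 plateau.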

Key Differences

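| Technology         | MTU                 | IP TCP Adjust-MSS         | PMTUD                |
|--------------------|---------------------|---------------------------|----------------------|
| Scope              | All IP (interface)  | TCP handshake (interface) | All IP (path-wide)   |
| Layer              | L3                  | L4                        | L3                   |
| Action             | Fragments/drops     | Adjusts MSS in SYN        | Signals MTU via ICMP |
| Proactive/Reactive | Reactive            | Proactive                 | Reactive             |
| Show               | show ip interface   | show ip interface         | show ip traffic      |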

Troubleshooting Scenarios

  1. MetroEthernet Slowdown
    • Symptom: HTTP lags, pings fine.
    • Check: show ip interface Gi0/0 shows MTU 1500, provider’s 1472.
    • Fix: ip mtu 1472 aligns interface; ip tcp adjust-mss 1432 optimizes TCP if PMTUD’s slow.
  2. IPsec TCP Failure
    • Symptom: SSH drops over VPN.
    • Check: show ip interface Tunnel0 shows no MSS adjust, packets hit 1572 (1500 + 72).
    • Fix: ip tcp adjust-mss 1388 keeps TCP at 1428; PMTUD as fallback if ICMP flows.
  3. PMTUD Black Hole
    • Symptom: TCP apps timeout, ICMP blocked.
    • Check: show ip traffic shows unreachables sent but no client response.
    • Fix: Unblock ICMP (remove no ip unreachables so the default, ip unreachables, applies), or set ip tcp adjust-mss 1360 proactively.

Best Practices

  • MTU: Match interface MTU to the lowest link MTU (e.g., 1472 for MetroEthernet) to minimize fragmentation.
  • IP TCP Adjust-MSS: Use on tunnel interfaces (GRE, IPsec) with calculated MSS (MTU – overhead); pair with PMTUD for dynamic paths.
  • PMTUD: Ensure ICMP unreachables reach endpoints—check firewalls and ACLs—or rely on MSS adjust as a safety net.

Wrap-Up

MTU sets the stage, ip tcp adjust-mss tunes TCP proactively, and PMTUD adapts reactively. For MetroEthernet and IPsec, use show ip interface and show ip traffic to diagnose, then tweak with these tools. Got a Cisco MTU mess? Share your show output—I’ll help sort it out!
