On Wed, 2011-08-17 at 12:25 -0700, er0ck wrote: > i'm a user, not an admin. i don't have shell access to the afs > servers, don't think i can run tcpdump on that end. ISTR it's distinctly non-trivial to set up your own AFS server that you can test with, right? > however, this is silly, but it looks like reducing the MTU has made > afs MUCH more snappy. > the vpn server was giving me an MTU of 1602. my gig ethernet sans > jumbo frames is set to 1500. 1602 seems pretty big. > i asked another user what his MTU was set to on AT&T client 1362. i > used that and it seems snappy. If you're at home or something, the odds are *very* low that you actually have an MTU of 1602 (+VPN overhead) all the way to the VPN server. If you're *lucky*, each packet is fragmented into two and reassembled at the other end. If you're unlucky, the big packets are just going missing and you're eventually falling back to smaller packets which works, and that's why it's slow. > any advice on theory of how to optimize this? Let's assume you're using DTLS (VPN over UDP between you and the VPN server). The overhead on a VPN packet is: IP header: 20 bytes UDP header: 8 bytes DTLS header: 13 bytes Cisco VPN packet type: 1 byte Total: 42 bytes. So, if you're on a normal Internet link with 1500-byte MTU, your optimum packet size will be 1458 bytes. If you're using PPPoE, your Internet MTU will be 1492 and your optimum packet size will be 1450 bytes. For some reason the default MTU in OpenConnect is set to 1406; I don't quite know why. Perhaps that was calculated based on overhead in TCP mode, or maybe I just pulled a number out of my arse. I *thought* that the server would return only a *smaller* MTU than the one we requested, but if you're getting 1602 then that seems to be incorrect. Can you show the MTU-related output of 'openconnect -v' when you connect to the server? > thanks again for all your help. > ______________________________________________ > Too brief? Here's why: http://emailcharter.org Not too brief at all. Far from it, in fact. You quoted far *more* of the previous message than you should have done... you should only repeat parts of the previous message that are absolutely needed for context. -- dwmw2
