Hi,

we're currently testing OpenConnect 3.20 against our new shiny ASA Beta which finally does IPv6 transport. However, when we do use that, we have MTU problems on the link. The official AnyConnect client works fine.

In the server side debug we see this for AnyConnect over IPv6:

  ...input: 'X-CSTP-Base-MTU: 1500'
  Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
  webvpn_cstp_parse_request_field()
  [...]
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-MTU: 1379'
  Processing CSTP header line: 'X-CSTP-MTU: 1379'
  webvpn_cstp_parse_request_field()
  [...]
  Iphdr=40 base-mtu=1500 def-mtu=1500 conf-mtu=1406
  tcp-mss = 1380
  path-mtu = 1380(mss)
  mtu = 1380(path-mtu) - 12(opts) - 5(ssl) - 8(cstp) = 1355
  tls-mtu = 1355(mtu) - 20(mac) = 1335
  DTLS Block size = 16
  mtu = 1500(base-mtu) - 40(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1423
  mod-mtu = 1423(mtu) & 0xfff0(complement) = 1408
  dtls-mtu = 1408(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1386
  computed tls-mtu=1335 dtls-mtu=1386 conf-mtu=1406
  DTLS enabled for intf=4 (Public)
  tls-mtu=1335 dtls-mtu=1386
  [...]
  Sending X-CSTP-MTU: 1335
  Sending X-DTLS-MTU: 1386

And for AnyConnect over IPv4:

  ...input: 'X-CSTP-MTU: 1399'
  Processing CSTP header line: 'X-CSTP-MTU: 1399'
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-Base-MTU: 1500'
  Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
  webvpn_cstp_parse_request_field()
  [...]
  Iphdr=20 base-mtu=1500 def-mtu=1500 conf-mtu=1406
  tcp-mss = 1380
  path-mtu = 1380(mss)
  mtu = 1380(path-mtu) - 12(opts) - 5(ssl) - 8(cstp) = 1355
  tls-mtu = 1355(mtu) - 20(mac) = 1335
  DTLS Block size = 16
  mtu = 1500(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1443
  mod-mtu = 1443(mtu) & 0xfff0(complement) = 1440
  dtls-mtu = 1440(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1418
  computed tls-mtu=1335 dtls-mtu=1418 conf-mtu=1406
  DTLS enabled for intf=4 (Public)
  tls-mtu=1335 dtls-mtu=1418
  [...]
  Sending X-CSTP-MTU: 1335
  Sending X-DTLS-MTU: 1418

But OpenConnect (regardless of IPv4 or IPv6)

  ...input: 'X-CSTP-MTU: 1406'
  Processing CSTP header line: 'X-CSTP-MTU: 1406'
  webvpn_cstp_parse_request_field()
  [...]
  Computing the legacy svc_mtu
  Default svc_mtu=1406
  tls-mtu=1406 dtls-mtu=0
  Legacy mode so default dtls mtu to tls mtu
  [...]
  Sending X-CSTP-MTU: 1406

a) I'm assuming the ASA is calculating this from the Base-MTU, which is a field openconnect is not sending. We haven't tried this on MTU-challenged paths yet, is AnyConnect just guessing or actively measuring this?

b) Does anyone have more details? Might sending Base-MTU additionally be enough?

Thanks,
Bernhard
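Added example, not part of the original message and not OpenConnect or ASA code: the arithmetic from the debug output above written as a C function, so the IPv6, IPv4 and legacy results can be reproduced side by side. The names `asa_mtu` and `mtu_result` are hypothetical, and treating a missing Base-MTU as the trigger for the legacy branch follows the poster's assumption (a), which the log does not confirm.

```c
#include <stdio.h>

/* Per-packet overheads, copied from the ASA debug output quoted above. */
enum { TCP_OPTS = 12, SSL_HDR = 5, CSTP_HDR = 8, MAC_LEN = 20,
       UDP_HDR = 8, DTLS_HDR = 13, DTLS_IV = 16, CDTP_HDR = 1, PAD_LEN = 1 };

struct mtu_result { int tls_mtu; int dtls_mtu; };   /* hypothetical name */

/* Hypothetical helper mirroring the logged arithmetic.
 * base_mtu <= 0 models a client that sent no X-CSTP-Base-MTU header;
 * that this selects the "legacy svc_mtu" branch is an assumption. */
struct mtu_result asa_mtu(int base_mtu, int ip_hdr, int tcp_mss,
                          int conf_mtu, int block_size)
{
    struct mtu_result r;
    int mtu;

    if (base_mtu <= 0) {
        /* Legacy mode: configured MTU is used, DTLS defaults to TLS MTU. */
        r.tls_mtu = conf_mtu;
        r.dtls_mtu = conf_mtu;
        return r;
    }
    /* TLS path: starts from the TCP MSS, with no IP header term in the log. */
    r.tls_mtu = tcp_mss - TCP_OPTS - SSL_HDR - CSTP_HDR - MAC_LEN;

    /* DTLS path: starts from the base MTU, so IPv6 (40) costs more than IPv4 (20). */
    mtu = base_mtu - ip_hdr - UDP_HDR - DTLS_HDR - DTLS_IV;
    mtu &= ~(block_size - 1);   /* round down to cipher block; 0xfff0 for 16 */
    r.dtls_mtu = mtu - CDTP_HDR - MAC_LEN - PAD_LEN;
    return r;
}

int main(void)
{
    struct mtu_result v6 = asa_mtu(1500, 40, 1380, 1406, 16);
    struct mtu_result v4 = asa_mtu(1500, 20, 1380, 1406, 16);
    struct mtu_result lg = asa_mtu(0, 40, 1380, 1406, 16);

    printf("IPv6:   tls=%d dtls=%d\n", v6.tls_mtu, v6.dtls_mtu);
    printf("IPv4:   tls=%d dtls=%d\n", v4.tls_mtu, v4.dtls_mtu);
    printf("legacy: tls=%d dtls=%d\n", lg.tls_mtu, lg.dtls_mtu);
    return 0;
}
```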