MX - Path MTU under 1500 and AutoVPN

RaphaelL
Kind of a big deal


Hi,

Does anyone have a path MTU lower than 1500 on their WAN and use AutoVPN? (e.g. GRE tunnels)

How is the MX handling that? I know for a fact that if you configure PPPoE on the MX, it lowers the MTU to 1492. I'm just curious about other scenarios.

Will the MX notice that the path MTU is lower than 1500? Will it magically lower its MTU?

I'm aware that you can call support to lower the MTU. I'm wondering what kind of setups / issues you guys have encountered.

Cheers,

16 Replies
ww
Kind of a big deal

No, the MX itself won't lower the MTU of the WAN by itself. And you could experience fragmentation and performance issues if you don't call support to lower the MTU. If the MTU is lowered, then all AutoVPN tunnels will adjust.

AlexP
Meraki Employee

AutoVPN performs PMTUD across the entire topology, and will maintain a consistent one across every hop based on the lowest detected value.

RaphaelL
Kind of a big deal

Thanks Alex for the reply.

Let's say I have this setup:

Site A: 1500

Site B: 1400

Hub C: 1500

Are you implying that every MX in that AutoVPN domain (the same org) will lower its MTU to 1400? Please note that this is a hub / spoke design AND meshing is disabled.

I couldn't find any documentation about Meraki and PMTUD/MTU.

AlexP
Meraki Employee

That is correct.

RaphaelL
Kind of a big deal

Okay, sorry, I have a hard time grasping that subject.

50% of my sites are on HUB C, and 50% are on HUB F.

Can you confirm the behavior?

Site A: 1500 -> 1400

Site B: 1400 -> 1400

HUB C: 1500 -> 1400

Site D: 1500 -> 1500

Site E: 1500 -> 1500

HUB F: 1500 -> 1500

or

(everyone gets choked to 1400)

Site A: 1500 -> 1400

Site B: 1400 -> 1400

HUB C: 1500 -> 1400

Site D: 1500 -> 1400

Site E: 1500 -> 1400

HUB F: 1500 -> 1400

If you misconfigure a site to an ultra-low MTU, it could easily kill performance over your whole org? That doesn't seem nice at all.

Thanks,

AlexP
Meraki Employee

Yes, that's still correct.

Cosmin
New here

Hello Alex, thank you for your replies!

 

Related to the MTU change on the MX, please provide answers to the following questions:

1. After the MTU change on the MX, is a reboot needed for the new value to apply?

2. Supposing that no reboot is needed after the MTU change and that AutoVPN was already up before the MTU change: does AutoVPN automatically renegotiate after the MTU change, or is manual intervention needed (deactivate & reactivate AutoVPN) in order to apply the new value to AutoVPN?

 

CptnCrnch
Kind of a big deal

Well, that's the point of PMTU 😇 Regarding your example, I bet users wouldn't even notice.

RaphaelL
Kind of a big deal

In a perfect world, indeed! But that's not often the case, sadly.

Also, according to my tests, the behavior is way different from what was confirmed by Meraki. I will conclude more tests and come back with the results.

ww
Kind of a big deal

Both can be possible, depending on whether hub-to-hub AutoVPN communication is on or off.

KarstenI
Kind of a big deal

But just a warning: for non-AutoVPN IPsec tunnels it is a whole mess, as the automatic MSS adjustments for lower MTUs are *not* done for these tunnels.

RaphaelL
Kind of a big deal

So here are my tests and results.

1 Spoke and Hub with a standard MTU of 1500 and 1 Spoke configured with 1400:

[attached image: RaphaelL_1-1680617285919.png]

Spoke A will still continue to use an MTU of 1500. The only effect that Spoke B has on the topology is that the Hub will clamp its own MSS to 1292, so traffic inbound to the hub will be clamped down to 1292 for every single spoke.

Traffic from Spoke A going to the internet (in a split tunnel configuration) will STILL use an MSS of 1460 (MTU: 1500).

My second test was to introduce a lower MTU in the path of AutoVPN. The only way that I was capable of doing so was to plug Spoke A into MX B (which was no longer part of the AutoVPN domain). The MSS advertised by both Spoke A and the HUB were still showing 1392, which is not possible without fragmentation since the path contains a hop with a lower MTU.

[attached image: RaphaelL_2-1680617747273.png]

Yes, ICMP fragmentation needed messages were flowing quite frequently. But I still think that I will have to lower the MTU on every single spoke instead of relying on PMTUD / ICMP fragmentation needed packets.

TL;DR: Setting the MTU on the Spoke to a desired MTU seems the easiest way to account for a known Path MTU that is lower than 1500 (e.g. GRE). However, relying on Meraki's Support to do it in the backend and losing visibility of that setting (because it's a backend option) worries me a lot.

whistleblower
Building a reputation

Hi all, @RaphaelL thank you for sharing all the information with the community!

I've a behaviour regarding PMTU discovery with the MX in conjunction with a Meraki MG, where the MG is sending ICMP Type 3/Code 4 back to the MX WAN interface, because the host behind the MX is sometimes sending packets larger (DF bit set) than the MG's MTU, BUT it looks like the MX isn't providing that ICMP information back to the host so the client could react to it and probably adjust... The Auto-VPN tunnel itself is working fine without interruption or connection loss!
Maybe someone is aware of that behaviour?

RaphaelL
Kind of a big deal

What version of MX / MG are you running? And what is the MTU that seems to be used?

whistleblower
Building a reputation

MX = 17.10.2

MG = 1.11

Ruud
Comes here often

Note that the MG21 is having issues (some firmware in the near future should fix this, though).

The MTU size is 1280 by default on an MG21.

Call support for a patch they can run, so the MG21 will start to use MTU 1500.
