
[SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient / Networking, Server, and Protection / Arch Linux Forums
[SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Hi,

Have just started with Archlinux and trying to set up a VPN tunnel using pptp.
I have been following the guide at:
-------------------------------------------------------------------------------------
I want to connect to a service from
Info from them when connection to Windows XP are:
Enter company name "Ipredator". Click Next.
Enter "vpn.ipredator.se" as "Host name or IP address".
I have been given a <USERNAME> and <PASSWORD> from them.
-------------------------------------------------------------------------------------
I got the VPN tunnel up and running in Ubuntu with the settings.
Only enabled MSCHAPv2
use MPPE 128 bit
and allow data compression, BSD, Deflate and TCP header.
-------------------------------------------------------------------------------------
My configuration files:

options.pptp

##################################################
# $Id: options.pptp,v 1.3 23:11:05 quozl Exp $
# Sample PPTP PPP options file /etc/ppp/options.pptp
# Options used by PPP when a connection is made by a PPTP client.
# This file can be referred to by an /etc/ppp/peers file for the tunnel.
# Changes are effective on the next connection. See "man pppd".
# You are expected to change this file to suit your system.
# packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
# and the kernel MPPE module available from the CVS repository also on
# http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
###################################################
# Lock the port
# Authentication
# We don't need the tunnel server to authenticate itself
# We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
# (you may need to remove these refusals if the server is not using MPPE)
refuse-pap
refuse-eap
refuse-chap
refuse-mschap
# Compression
# Turn off compression protocols we know won't be used
# Encryption
# (There have been multiple versions of PPP with encryption support,
# choose with of the following sections you will use. Note that MPPE
# requires the use of MSCHAP-V2 during authentication)
# http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
# ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
# Require MPPE 128-bit encryption
# require-mppe-128
# /h/hs001/ fork from PPP project by Jan Dubiec
# ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
# Require MPPE 128-bit encryption
# mppe required,stateless
# }}}

chap-secrets

# Secrets for authentication using CHAP
IP addresses
<USERNAME> pptpd <PASSWORD> *

I named my tunnel "ipredator"

/etc/ppp/peers/ipredator

pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename Ipredator
require-mppe-128
file /etc/ppp/options.pptp
ipparam ipredator

When I try to connect I get following:

[root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
pppd options in effect:
# (from command line)
# (from command line)
# (from command line)
# (from /etc/ppp/options.pptp)
refuse-pap
# (from /etc/ppp/options.pptp)
refuse-chap
# (from /etc/ppp/options.pptp)
refuse-mschap
# (from /etc/ppp/options.pptp)
refuse-eap
# (from /etc/ppp/options.pptp)
name <USERNAME>
# (from /etc/ppp/peers/ipredator)
remotename Ipredator
# (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options.pptp)
pty pptp vpn.ipredator.se --nolaunchpppd
# (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options)
# (from /etc/ppp/options)
asyncmap 0
# (from /etc/ppp/options)
lcp-echo-failure 4
# (from /etc/ppp/options)
lcp-echo-interval 30
# (from /etc/ppp/options)
hide-password
# (from /etc/ppp/options)
ipparam ipredator
# (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options)
# (from /etc/ppp/options.pptp)
# (from /etc/ppp/options.pptp)
require-mppe-128
# (from /etc/ppp/peers/ipredator)
# (from /etc/ppp/options)
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
MPPE required, but MS-CHAP[v2] auth not performed.
Connection terminated.
[root@archlinux ppp]#

I have not managed to understand why MS-CHAP[v2] auth is not performed.
Any ideas on what I have missed during my configuration would be most appreciated!

use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible

Thank you!
Regards,
/Christer
Last edited by agkbill ( 15:23:15)
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
please use BBCode code tags when presenting code or output instead of adding too much whitespace. 
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Thank you for the link to the BBCode code tags, not used to them.
/Christer
falconindy
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Sounds like the VPN I connect to at work... here's my config (options.pptp is untouched)

/etc/ppp/peers/foovpn

pty "pptp 1.2.3.4 --nolaunchpppd --loglevel 0"
refuse-eap
refuse-pap
require-mppe
usepeerdns
remotename foovpn
ipparam foovpn

/etc/ppp/chap-secrets

<password>
*

And of course make sure you're actually using the ppp_mppe module.
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
agkbill, edited your posts to use code tags instead of quote tags since they provide scrollers and keep the thread from becoming a mile long
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Ok, I understand.
Thank you.
/Christer
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
I just found this post: Applied it with my data.

# Secrets for authentication using CHAP
IP addresses
<USERNAME> iPred "<PASSWORD>"
vpn.ipredator.se

pty "pptp vpn.ipredator.se --nolaunchpppd --loglevel 0"
name <USERNAME>
remotename ipred
ipparam iPred
require-mppe-128
refuse-eap
file /etc/ppp/options.pptp

But no luck. Same problem.

[root@archlinux ppp]# pon $TUNNEL iPred debug logfd 2 nodetach
using channel 18
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x56225fe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x9d43ef0a> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x56225fe7> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x9d43ef0a> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x9d43ef0a> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x56225fe7]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP EchoReq id=0x0 magic=0x9d43ef0a]
rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.
Script pptp vpn.ipredator.se --nolaunchpppd --loglevel 0 finished (pid 1673), status = 0x0
[root@archlinux ppp]#
falconindy
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
You're requiring mppe-128 which isn't what the server wants. The 'require mppe' directive is universal and negotiation will be done to agree on a bit rate.
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Thank you falconindy,
I will do some testing tomorrow.
/Christer
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
To use "require-mppe" did not make any difference.
I have tried to figure out from working KVpnc settings how it should be, but no luck.
From KVpnc I could see:
- VPN gateway: vpn.ipredator.se
- Fix path mtu discovery problem: enabled
- Use NAT: enabled
- Require MPPE: enabled
- Refuse 40 bit encryption: enabled
- Do not use BSD compression: enabled
- Do not use deflate method: enabled
- Authorization method: MSCHAP
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
I tried on another archlinux installation, one that I am running in "virtualbox".
With identical settings, and in "options.pptp" I have # marked refuse-mschap, because in KVpnc I could see that authorization method was MSCHAP.
With these settings I do not get "MPPE required, but MS-CHAP[v2] auth not performed.".
But a timeout, for some reason.
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Try and remove the "refuse-xxx" line(s), while keeping the "require-mppe-128" line.

In your last posted conf (post #7) you include the options.pptp file with the line "file /etc/ppp/options.pptp"; this seems a bit unnecessary since you already have the necessary settings in the peers file. If you still want to include options.pptp while following my advice (remove the refuse-xxx lines), you'll have to do it in both the peers file and the options.pptp file.
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Thank you Bebo,

I changed my peers file into:

pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename Ipredator
require-mppe-128
#file /etc/ppp/options.pptp
ipparam iPred

But not working I am afraid.

[root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
using channel 9
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2f33d954> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x40e03e9b> <pcomp> <accomp>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth chap MS-v2>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2f33d954> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <magic 0x40e03e9b> <pcomp> <accomp>]
sent [LCP ConfAck id=0x2 <asyncmap 0x0> <magic 0x40e03e9b> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x2f33d954]
MPPE required, but MS-CHAP[v2] auth not performed.
sent [LCP TermReq id=0x2 "MPPE required but not available"]
rcvd [LCP EchoReq id=0x0 magic=0x40e03e9b]
rcvd [LCP TermReq id=0x3 "peer refused to authenticate"]
sent [LCP TermAck id=0x3]
rcvd [LCP TermAck id=0x2]
Connection terminated.
Script pptp vpn.ipredator.se --nolaunchpppd finished (pid 1614), status = 0x0
[root@archlinux ppp]#

I was looking at a working log, described at
It has the lines:

# pon tunnel
Using interface ppp1
Connect: ppp1 <--> /dev/pts/1
Looking for secret in /etc/ppp/chap-secrets for client domain\username server PPTP
Got client domain\username
Got server PPTP
Got secret PPTP
Got client password

I can not see the "Looking for secret in /etc/ppp/chap-secrets for client domain\username server PPTP
Got client domain\username"
Does that mean that the line is never read in my case? If so any idea on what is wrong?
All input welcome.
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
The problem was that <PASSWORD> was never found.
What is written after "remotename" in peers file in the guide "PPTP" is used to find the password in chap-secrets.
But in the guide chap-secrets look like "<USERNAME> pptpd <PASSWORD> *".
Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *" then it would have worked OK.
The solution was to understand how password was found.
require-mppe-128 works fine as well.
Now it looks like this.

# Secrets for authentication using CHAP
IP addresses
<USERNAME> PPTP <PASSWORD> *

pty "pptp vpn.ipredator.se --nolaunchpppd"
name <USERNAME>
remotename PPTP
require-mppe-128
#file /etc/ppp/options.pptp
ipparam ipredator

Output:

[root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
using channel 14
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
sent [LCP EchoReq id=0x0 magic=0x7540313b]
rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
sent [LCP EchoRep id=0x0 magic=0x7540313b]
rcvd [CHAP Challenge id=0x46 <be769cddc0fd20bc73c03>, name = "pptpd"]
sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f0dbb8dc66eb62fe72de1e01a4d00>, name = "<USERNAME>"]
rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
rcvd [CHAP Success id=0x46 "S=F2B8C8EF20"]
CHAP authentication succeeded
sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
MPPE 128-bit stateless compression enabled
sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
Cannot determine ethernet address for proxy ARP
IP address
remote IP address x.x.x.x
Script /etc/ppp/ip-up started (pid 1778)
Script /etc/ppp/ip-up finished (pid 1778), status = 0x0

All the best!
/Christer
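The lookup that decided this thread, as an added example that is not part of any forum post: pppd picks a chap-secrets entry by client name (`name`) and server name (`remotename`), so the peers file and chap-secrets must agree. The code is a simplified model of that match (case-sensitive comparison and `*` as a wildcard are assumptions of the model); the user name `alice` and the secret are constructed.

```python
import shlex

def parse_peer(text):
    """Extract the 'name' and 'remotename' options from a pppd peers file."""
    opts = {"name": None, "remotename": None}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # drops '#' comments
        if len(words) >= 2 and words[0] in opts:
            opts[words[0]] = words[1]
    return opts

def parse_chap_secrets(text):
    """Return (client, server, secret) tuples; the IP addresses column is ignored."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 3:
            entries.append(tuple(words[:3]))
    return entries

def find_entry(entries, client, server):
    """Return the (client, server) of the best entry, or None. Fewest wildcards wins."""
    best = None
    for c, s, _secret in entries:
        if c not in (client, "*"):
            continue
        # Assumption: with no remotename set, any server field is acceptable.
        if server is not None and s not in (server, "*"):
            continue
        score = (c == "*") + (s == "*")
        if best is None or score < best[0]:
            best = (score, c, s)
    return None if best is None else best[1:]

def diagnose(peer_text, secrets_text):
    """Return (found, message) without ever echoing the secret itself."""
    peer = parse_peer(peer_text)
    entries = parse_chap_secrets(secrets_text)
    hit = find_entry(entries, peer["name"], peer["remotename"])
    if hit is not None:
        return True, "entry %s/%s will be used" % hit
    on_file = sorted({s for _c, s, _ in entries})
    return False, "no secret for client %r, server %r; servers on file: %s" % (
        peer["name"], peer["remotename"], ", ".join(on_file) or "none")

def peer_file(remotename):
    # Constructed peers file in the shape used in the thread.
    return ('pty "pptp vpn.ipredator.se --nolaunchpppd"\n'
            "name alice\nremotename %s\nrequire-mppe-128\n" % remotename)

def secrets_file(server):
    # Constructed chap-secrets file; the secret is a placeholder.
    return ("# Secrets for authentication using CHAP\n"
            'alice %s "example-secret" *\n' % server)

# The three attempts from the thread: (remotename, chap-secrets server field)
ATTEMPTS = [("Ipredator", "pptpd"), ("ipred", "iPred"), ("PPTP", "PPTP")]

if __name__ == "__main__":
    for remotename, server in ATTEMPTS:
        print(remotename, server, diagnose(peer_file(remotename), secrets_file(server)))
```

The first two attempts report no usable secret, which corresponds to the "No auth is possible" line in the debug logs; only the third pair matches.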
syed.jahanzaib
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
@agkbill / Christer
Although this post is quite old, but it really helped me
especially the PPTP portion
Re: [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient
Closing old thread
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
You assume people are rational and influenced by evidence.  You must not work with the public much. -- Trilby
Wednesday, November 5, 2008 at 2:26 a.m. UTC
The Maximum Transmission Unit (MTU) is the maximum length of data that can be transmitted by a protocol in one instance. For example, the MTU of Ethernet (by default 1500) is the largest number of bytes that can be carried by an Ethernet frame (excluding the header and trailer). MTUs are found at various layers of the OSI model, and can often be tweaked to more efficiently transport large volumes of data.
The default Ethernet MTU is 1500 bytes, not including the header or trailer. Sometimes a slightly higher MTU is preferable to accommodate Q-in-Q tunneling or other encapsulation. The MTU can be raised on Cisco IOS with the system mtu command under global configuration:
Switch(config)# system mtu ?
MTU size in bytes
Set Jumbo MTU value for GigabitEthernet or TenGigabitEthernet
interfaces
The maximum MTU is dependent on the hardware platform, but the IEEE 802.3 standards require a minimum MTU of 1500 bytes. Additionally, a jumbo MTU for 1 Gbps and 10 Gbps interfaces can be allowed up to 9000 bytes. Changing either of these values will require a device power cycle.
Switch(config)# system mtu 1508
Changes to the system MTU will not take effect until the next reload is done
Switch(config)# system mtu jumbo 9000
Changes to the system jumbo MTU will not take effect until the next reload is done
Switch# show system mtu
System MTU size is 1500 bytes
On next reload, System MTU will be 1508 bytes
System Jumbo MTU size is 1500 bytes
On next reload, System Jumbo MTU will be 9000 bytes
As with Ethernet frames, the MTU can be adjusted for IP packets. However, the IP MTU is configured per interface rather than system-wide, with the ip mtu command:
Router(config)# interface f0/0
Router(config-if)# ip mtu ?
MTU (bytes)
Notice that the maximum IP MTU is capped at the Ethernet MTU, because it is being applied to an Ethernet interface. The configured IP MTU determines how large a packet to be transmitted out the interface may be. IP packets larger than the MTU are discarded, and may prompt the router to send a Fragmentation Needed ICMP packet back to the source to facilitate .
It's also worth noting that while the Ethernet and IP MTUs effectively refer to the same section of an IP/Ethernet packet, they can be configured independently. For example, assume we want to shrink the IP MTU of an interface to 1200 bytes:
Router(config)# interface f0/0
Router(config-if)# ip mtu 1200
The IP MTU has been modified from its default of 1500:
Router# show ip interface f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1200 bytes
However, the interface's Ethernet MTU remains unchanged:
Router# show interface f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is c200. (bia c200.)
Internet address is 10.0.0.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
There are two contexts in which the TCP Maximum Segment Size (MSS) can be configured: transient traffic and terminating traffic.
Transient Traffic
When a TCP client initiates a connection to a server, it includes its MSS as an option in the first (SYN) packet. On an Ethernet interface, this value is typically 1460 (1500 byte Ethernet MTU - 20 byte IP header - 20 byte TCP header).
However, links beyond the host often have a lower effective MSS and full-size packets from the client may be dropped. To inspect and alter the MSS option included in TCP SYN packets passing through the router, use the ip tcp adjust-mss command on the interface:
Router(config)# interface f0/0
Router(config-if)# ip tcp adjust-mss ?
Maximum segment size in bytes
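What adjusting the MSS of a transient SYN amounts to, as an added example that is not code from the article or from Cisco: walk the TCP options, find the MSS option (kind 2) and lower it to a ceiling, leaving smaller values alone. It assumes 20-byte IP and TCP headers and works on the options field only; the option bytes and the 1400-byte path MTU are constructed.

```python
import struct

IP_HEADER = 20    # bytes, assuming no IP options
TCP_HEADER = 20   # bytes, assuming no TCP options

OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one packet of the given IP MTU."""
    return mtu - IP_HEADER - TCP_HEADER

def clamp_mss(options, ceiling):
    """Lower the MSS option in a SYN's TCP options to at most `ceiling`.

    Returns (new_options, old_mss, new_mss); old_mss and new_mss are None
    when the segment carries no MSS option. A device doing this on a real
    packet must also update the TCP checksum, which is outside this sketch.
    """
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == OPT_EOL:            # end of option list
            break
        if kind == OPT_NOP:            # one-byte padding
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == OPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            old = struct.unpack_from("!H", out, i + 2)[0]
            new = min(old, ceiling)    # a smaller MSS is left untouched
            struct.pack_into("!H", out, i + 2, new)
            return bytes(out), old, new
        i += length
    return bytes(out), None, None

# Constructed SYN options: MSS 1460, SACK permitted, timestamps, NOP, window scale 7
SYN_OPTIONS = bytes.fromhex("020405b4 0402 080a 00000001 00000000 01 030307")

if __name__ == "__main__":
    ceiling = mss_for_mtu(1400)        # constructed path MTU behind a tunnel
    new_opts, old, new = clamp_mss(SYN_OPTIONS, ceiling)
    print("MSS %d -> %d, options now %s" % (old, new, new_opts.hex()))
```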
Terminating Traffic
Terminating traffic refers to TCP packets which originate from or are destined for the local router (for example, SSH or BGP). In this context, the router itself is considered the TCP client and/or server. The local MSS can be configured with the ip tcp mss command under global configuration:
Router(config)# ip tcp mss ?
<68-10000>
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life.
Rajesh (guest)
November 5, 2008 at 3:46 a.m. UTC
I had some ongoing issue with a certain application and it's very much related to MTU/MSS sizes. After some research, as a band-aid solution I applied ip tcp mss-adj 1300 on the LAN interface, which fixed the issue.
I really can't differentiate much between MSS and MTU and how it's affecting sites which sit behind some old firewall.
Vaidotas (guest)
November 5, 2008 at 7:48 a.m. UTC
Is "ip tcp adjust-mss" applied to incoming packet only?
Vaidotas (guest)
November 5, 2008 at 7:51 a.m. UTC
MSS is IP packet size without IP header and next header (for example TCP). So max IP packet is 1500 (MTU), segment size is 1500B - 20B (IP) - 20B (TCP) = 1460.
November 5, 2008 at 9:36 a.m. UTC
MSS is the maximum amount of data inside a tcp segment not including the headers.
This MSS is established during the tcp connection establishment.
Since TCP is a bidirectional protocol, the lowest of the two values (on each host) is agreed upon.
This is different than IP MTU that is unidirectional (each direction can have a different MTU).
IP MTU also includes the headers.
The negotiation of the MTU size is often broken by firewalls when misconfigured to block all ICMP.
Concerning the IP TCP ADJUST-MSS command, it works in both directions to spoof a host down to that level.
If a router receives or sends a segment through an interface with that command, the mss will be adjusted down to that point.
If the MSS in the segment is already smaller, it is left untouched.
This is most commonly used on PPPoE.
Danail Petrov (guest)
November 5, 2008 at 10:36 a.m. UTC
Nice work, Stretch! Congratulations once again for the great explanation. Furthermore you can mention something about the window size and its reflection on the TCP session. Moreover, it would be great to explain the latency influence as well. I mean, how the latency is reflected in the TCP session between two TCP communication stations (let's say that we have two TCP speakers and a 1Mbps T1 line in between. What would be in theory the maximum TCP throughput per session) and so on.
I'm just giving a suggestion of course :)
Tom (guest)
November 6, 2008 at 10:20 p.m. UTC
It's time for my first comment on this clean and clever blog.
I'll just mention in addition to PPPoE that adjust-mss is also used when using GRE tunnels or IPSec. Some protocols set the DontFragment bit (ie. SMB/CIFS) and don't reall)
Keep producing interesting posts a)
Robert (guest)
November 12, 2008 at 3:23 a.m. UTC
A question, would you ever change the IP MTU to a lower value than the interface MTU in a real world scenario?
Thank you for a very good post.
Josh (guest)
November 14, 2008 at 5:56 p.m. UTC
You may have to create a lower MTU if the packet has to be encapsulated, which would in effect add to the total size of the packet.
Since the MTU only accounts for the size of the IP/TCP headers and data, the encapsulated headers are missed and possibly causing the packet size to exceed the MTU.
Lowering the MTU size could offset the additional bytes added from the encapsulation, causing the data to be transmitted without the need for fragmentation.
Robert (guest)
November 16, 2008 at 9:54 p.m. UTC
Thanks Josh. I understand the concept behind MTU. My question was IP MTU vs Ethernet MTU, since they refer to the same section of the IP packet and include the payload and IP header. Would you ever have size of Interface MTU different than IP MTU?
Avi (guest)
December 18, 2008 at 10:09 p.m. UTC
Sending a ping -l to different remote websites/servers reflects different RTT. What is the best way to tweak the window size? (For example, pinging the exchange server returned 30 msec while pinging a remote website returned 150 msec.)
Danny Tsai (guest)
January 29, 2009 at 5:54 a.m. UTC
Different IP MTU/Ethernet MTU, yes it'll be used when you're using EoMPLS. In EoMPLS, to prevent fragmentation from occurring, you must reduce IP MTU cuz of overhead from MPLS header of 4 bytes. A PC sends IP packet of 1500 bytes (20 bytes for IP header, 20 for TCP, leaves 1460 for real data payload). You have 18 bytes (6 src mac, 6 dst mac, 2 byte type, 2 CRC) for ethernet frame header. Total ethernet header is 1518 + 4 byte MPLS. An access switch port, max Ethernet MTU is 1518 with headers. 1522 bytes is allowed IF you have a .1Q port. So if it's not a trunk port, then the Eth port will drop higher than 1518 bytes. If u're trying to pass EoMPLS packets thru a switch's port, it will drop if MTU isn't lowered at the source. So that's a scenario when you would option 1: modify Ethernet MTU to 1504 (plus 18 bytes L2 frame header, which is invisible but it's there) and keep IP MTU at 1500 or option 2: reduce the IP MTU to 1496 to accommodate for at least 1 MPLS label over an Ethernet network.
Alexmaid (guest)
July 19, 2009 at 10:21 a.m. UTC
Good article. Now the difference system mtu vs ip mtu vs mtu is clear.
Hadi (guest)
August 9, 2009 at 10:45 a.m. UTC
Danny, thx for the explanation. Nevertheless I have a couple of questions:
I'm a bit surprised how come the Ethernet MTU and the IP MTU refer to the same section of the Frame packet.
If they do refer to the same section, it doesn't make any sense to have different values.
mike (guest)
October 20, 2009 at 1:06 p.m. UTC
I want to talk a little bit about fragmentation. Something that is not quite clear to me:
When the host receives ICMP message "packet too big, fragmentation needed" (type3 code 4), does it reduce the TCP MSS or the actual MTU of the interface?
What is the right way?
It seems that it shall be the MSS, but i saw implementations where the actual MTU is reduced...
November 27, 2011 at 8:27 p.m. UTC
Thank you!
Sajid Iqbal (guest)
April 6, 2012 at 12:24 p.m. UTC
I am a network engineer in an ISP. We are using tunnel for the customer, but in most cases customers have a complaint that the MTU 1500 is not working, and a lower MTU is working, e.g. MTU 1484. I have also used the ip df 0 method but the issue is the same,
ROUTER(config-if)ip policy route-map clear-df
So what is the perfect solution to fix it.
November 19, 2012 at 5:20 p.m. UTC
Hi. As I've got, you said the IP MTU is the whole IP packet (IP header plus payload); but with reference to this link (/forums/p/.aspx#31454), the IP MTU is equal to 1500 bytes by default, but considered to be the size of the IP payload without any header. Am I correct? Tnx.
November 25, 2014 at 4:07 p.m. UTC
IP MTU refers to what you set on your Router interface.
Ethernet MTU refers to what the hardware supports.
Ethernet has a built in MTU of 1500, that is why the value doesn't change.
It is based on the physical capability of the wire.
That is also why they are two different things.
Pretty much 99% of the time, the values will be the same.
But if you ever need to adjust the MTU, you would be adjusting the IP MTU.
You can't change the Ethernet MTU unless you re-cable.
Here is proof:
R3(config)#interface FastEthernet0/0
R3(config-if)#mtu 1111
% Interface FastEthernet0/0 does not support user settable mtu.
R3(config-if)#ip mtu 777
R3(config-if)#
R3# show ip int fa0/0
FastEthernet0/0 is up, line protocol is up
MTU is 777 bytes
R3# show int f0/0
FastEthernet0/0 is up, line protocol is up
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec
---output truncated---
November 30, 2015 at 8:03 a.m. UTC
Thanks , Great Abstract
July 12, 2016 at 9:45 a.m. UTC
This article is really nice. It also helped me brushing up the concept for my own blog. Thanks!
If you allow, here is a link to my own article on the same topic:
Andrey (guest)
September 30, 2016 at 1:09 p.m. UTC
Thanks for the nice article.
Regarding command "ip tcp adjust-mss" - it looks like it doesn't work for transit traffic in case CEF is enabled. It can be applied, but no effect is seen.