How to Find Maximum Size of IP Data Payload that can Traverse WAN Environment Without Fragmentation

Article ID: CTX115434
Description

Citrix SD-WAN, formerly NetScaler SD-WAN

This article describes how to find out the maximum size of IP data payload that can traverse a WAN environment without fragmentation.

Background

The CloudBridge acceleration parameters are sent through TCP options, which take up space in the IP data payload. The maximum segment size (MSS) limits the IP data payload size; on a CloudBridge appliance it is set to 1,380 bytes by default, which assumes that the WAN infrastructure allows the standard IP packet maximum transmission unit (MTU) of 1,500 bytes.

Field experience has shown that some WAN infrastructures do not leave enough room for an MSS of 1,380 bytes because additional protocol headers are added to the IP packets. Examples of such WAN infrastructures are:

  • Public dial networks using Point-to-Point Protocol over Ethernet (PPPoE), for example a virtual private dial-up network (VPDN).

  • Virtual Private Networking (VPN) tunneling protocols such as IP Security (IPSec).

If significant protocol overheads are added, CloudBridge packets are fragmented and acceleration does not happen.

In some cases, routers in the WAN path between the CloudBridge peers can negotiate the MSS and advertise it to the host computers. They do this by responding to an oversized packet with an Internet Control Message Protocol (ICMP) "unreachable" message. Because of strict IT security policies, ICMP packets might be dropped in the WAN path. If this occurs, the host computers cannot learn the correct MSS. In this case, manual MSS tuning is the workaround that lets acceleration work properly on the CloudBridge appliance.

Requirements

You must be able to access the Windows command prompt.


Instructions

To find the Maximum Size of IP Data Payload, complete the following steps:

  1. Open the command prompt in a Windows computer that connects behind the local end CloudBridge appliance.

  2. Ping the remote end CloudBridge appliance with the Do Not Fragment (DF) flag set:
    ping -l <data size> -f <ip_address>
    For example: ping -l 1472 -f 10.217.97.6

  3. For a CloudBridge client, ping the CloudBridge appliance that terminates the client connection.

    For a standard MTU of 1500 bytes, the maximum data size is 1472 bytes (MTU minus the 20-byte IP header and the 8-byte ICMP header).

    If a standard MTU size is not allowed along the path, the following error message appears:

    Reply from 10.40.1.8: Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.

  4. Reduce the data size and repeat the command from Step 2 until no error is displayed:
    ping -l 1172 -f 10.217.97.6

  5. Repeat these steps to find out the maximum data size that can be pinged without an error.

  6. Calculate the difference between the standard and the reduced data size. For example:
    1472 bytes - 1172 bytes = 300 bytes

  7. If necessary, adjust the local CloudBridge MSS to fit into the available data payload, reducing it by the same offset found with the ping command. For example:
    MSS = 1080 bytes (1380 - 300)
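The script below is an added illustration of Steps 2 through 7 and is not part of the Citrix article or the CloudBridge product. It generalizes the manual "reduce and retry" of Steps 4 and 5 into a bisection over the data size, then applies the offset arithmetic of Steps 6 and 7 and the "lowest MSS wins" rule from Additional Information. It assumes the system `ping` command is on the PATH (Windows `-l`/`-f` as in the article; the Linux iputils form `-M do -s` is an assumption about that tool), treats the address 10.217.97.6 purely as the article's example argument, and ships with a constructed simulated path (1200-byte MTU) so it also runs offline.

```python
import re
import subprocess
import sys

# Header sizes used in the article's arithmetic (bytes).
IP_HEADER = 20
ICMP_HEADER = 8
STANDARD_MTU = 1500
MAX_PING_DATA = STANDARD_MTU - IP_HEADER - ICMP_HEADER   # 1472, the article's starting value
DEFAULT_MSS = 1380                                        # CloudBridge default MSS from the article

# Windows prints "Packet needs to be fragmented but DF set."; Linux iputils prints
# "Frag needed and DF set" or "message too long". Any of these means the probe was too big.
FRAG_RE = re.compile(r"needs to be fragmented|frag needed|message too long", re.IGNORECASE)
REPLY_RE = re.compile(r"reply from|bytes from", re.IGNORECASE)


def ping_reply_ok(output: str) -> bool:
    """Interpret one ping run: True only if an echo reply came back unfragmented.

    A plain timeout also yields False. That case is ambiguous (host down, or ICMP
    filtered in the WAN path as the article describes), so confirm reachability
    with an ordinary ping before trusting a probe result.
    """
    if FRAG_RE.search(output):
        return False
    return bool(REPLY_RE.search(output))


def ping_df(host: str, size: int, timeout_ms: int = 2000) -> bool:
    """Send a single Do-Not-Fragment echo request carrying `size` data bytes."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), "-l", str(size), "-f", host]
    else:  # Linux iputils (assumed): -M do sets DF, -s is the data size without the ICMP header
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)),
               "-M", "do", "-s", str(size), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and ping_reply_ok(proc.stdout + proc.stderr)


def largest_unfragmented(probe, lo: int = 0, hi: int = MAX_PING_DATA) -> int:
    """Largest data size in [lo, hi] that `probe` reports as delivered.

    The article steps the size down by hand; this bisects instead, relying on the
    same assumption: a path that carries N data bytes also carries fewer than N.
    """
    if probe(hi):
        return hi
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed: host unreachable or ICMP filtered")
    while hi - lo > 1:          # invariant: probe(lo) fits, probe(hi) does not
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def recommended_mss(max_data: int, default_mss: int = DEFAULT_MSS) -> int:
    """Steps 6 and 7: shrink the MSS by the same offset the DF ping lost."""
    offset = MAX_PING_DATA - max_data
    return default_mss - offset


def lowest_common_mss(per_link_mss) -> int:
    """All CloudBridge appliances must share the lowest MSS measured on any link."""
    return min(per_link_mss)


def make_simulated_probe(path_mtu: int):
    """Constructed stand-in for ping_df: a path that drops DF packets larger than path_mtu."""
    return lambda size: size + IP_HEADER + ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    if len(sys.argv) == 2:
        target = sys.argv[1]            # e.g. 10.217.97.6, the article's example address
        best = largest_unfragmented(lambda n: ping_df(target, n))
    else:
        best = largest_unfragmented(make_simulated_probe(1200))  # constructed 1200-byte path
    print(f"max unfragmented data: {best} bytes -> recommended MSS {recommended_mss(best)}")
```

Run it with no arguments to see the article's own numbers reproduced against the simulated path (1172 bytes of data, MSS 1080), or with a reachable peer address to probe a real link. Bisection reaches the answer in about eleven probes instead of stepping down in fixed increments, but it only answers correctly when DF rejections are actually reported back; if the path silently drops them, every probe looks like a timeout and the script raises rather than guessing.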

Additional Information

MTU: Defines the maximum number of bytes in an IP packet, including the IP header, protocol headers such as TCP or UDP, and the data payload. The protocol headers can be a combination of different headers. For example, IPSec traffic carries TCP or UDP, AH, and ESP headers.

MSS: Defines the maximum number of bytes that follow the protocol headers. In other words, the MSS is the maximum size of the data payload.

The MSS setting should be the same on all CloudBridge appliances, using the lowest value measured among them. The MSS is not negotiated, only advertised.

For example, suppose the ping tests between each branch and the data center (DC) give the following maximum MSS values:

  branch A <> DC: MSS 1350
  branch B <> DC: MSS 1320
  branch C <> DC: MSS 1310

All branches and the DC must then be set to 1310, the lowest of the three.