How to Change the Maximum Segment Size on a NetScaler Appliance


Article ID: CTX117322


Description

This article describes how to change the Maximum Segment Size (MSS) for all sourced packets from a NetScaler appliance.

Requirements

  • Command line access to the NetScaler appliance through the console or a Secure Shell (SSH) client
  • General knowledge of the NetScaler Command Line Interface (CLI) and UNIX shell navigation

Background

TCP MSS is defined in Request for Comments (RFC) 879. The MSS of a TCP transaction represents the maximum segment size that a receiving station is configured to accept. With some exceptions, the NetScaler appliance defaults to the MSS of 1,460 bytes and writes this value to all TCP packets originating from it. This 1,460 MSS value is written to the options section in a TCP packet.

The following screen shot shows a network trace capture where the MSS of a NetScaler appliance is highlighted. The MSS value is highlighted in the detail window:

User-added image

In some cases it may be necessary to change the default NetScaler MSS of 1,460 bytes to a different value in order to force an intermediary network device such as a PIX firewall to allow traffic between the NetScaler and another device.

By default, a PIX firewall running version 7.x software enforces the MSS value of the receiving device (such as a server running Web Interface) upon the traffic of the sending device (such as the NetScaler).

In this scenario, users access resources on a Web Interface server through a NetScaler. In the TCP handshake between the NetScaler and Web Interface server, the initial SYN packet from the NetScaler is sent with the MSS advertised at 1,460 bytes.

User-added image

The next transaction in the TCP handshake is for the receiving device to respond with a SYN ACK packet where it declares its own MSS.

User-added image

When a PIX firewall running version 7.x software exists between the NetScaler and the receiving device, both of the advertised MSS values in the TCP transaction are cached on the PIX. By default, the PIX firewall drops any packets with an MSS value higher than the one advertised by the receiving device. The following screen shot illustrates what happens after the TCP handshake is completed if the end-user requests a Web resource from the Web Interface server through the NetScaler.

User-added image

The enforcement of the receiving device's MSS value is a method of congestion avoidance and can be disabled in the PIX firewall. However, if you cannot disable MSS enforcement on the firewall, the NetScaler allows you to change the system-wide MSS value. This article describes how to do this through the NSAPIMGR component of the NetScaler CLI and how to preserve the change when the appliance restarts.

Note: By default, changes made in the NSAPIMGR are lost after a restart.
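
To confirm from a packet capture that this MSS mismatch is the cause of the dropped traffic, the following added example (not part of the original article) reads tcpdump-style text lines, records the MSS each side advertises in the handshake, and reports data segments larger than the MSS advertised by their receiver. The trace lines are constructed, and the assumption is a capture printed with `tcpdump -nn -t`.

```shell
#!/bin/sh
# Added example; the trace lines below are constructed, not captured.

# Read `tcpdump -nn -t` style TCP lines on stdin. Remember the MSS each side
# advertises in its SYN / SYN-ACK, then report data segments larger than the
# MSS advertised by the side they are sent to.
oversize_segments() {
  awk '
    {
      src = ""; dst = ""; seglen = 0
      for (i = 2; i < NF; i++) {
        if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        if ($i == "length") seglen = $(i + 1) + 0
      }
      if (src == "") next
      sub(/:$/, "", dst)
      if (match($0, /mss [0-9]+/)) {
        # Handshake packet: store the MSS that src advertised to dst.
        adv[src, dst] = substr($0, RSTART + 4, RLENGTH - 4) + 0
        next
      }
      if (((dst, src) in adv) && seglen > adv[dst, src])
        printf "%s > %s length %d exceeds advertised MSS %d\n", src, dst, seglen, adv[dst, src]
    }'
}

# Constructed trace: NetScaler (10.54.80.31) advertises 1460, the server
# (10.54.76.38) advertises 1380, then the NetScaler sends a 1460-byte segment.
sample_trace() {
  cat <<'EOF'
IP 10.54.80.31.4101 > 10.54.76.38.80: Flags [S], seq 100, win 8190, options [mss 1460], length 0
IP 10.54.76.38.80 > 10.54.80.31.4101: Flags [S.], seq 900, ack 101, win 8192, options [mss 1380], length 0
IP 10.54.80.31.4101 > 10.54.76.38.80: Flags [.], ack 901, win 8190, length 0
IP 10.54.80.31.4101 > 10.54.76.38.80: Flags [P.], seq 101:1561, ack 901, win 8190, length 1460
IP 10.54.76.38.80 > 10.54.80.31.4101: Flags [P.], seq 901:1201, ack 1561, win 8192, length 300
EOF
}

sample_trace | oversize_segments
```

A reported line names the sender, the receiver, the segment length and the smaller MSS the receiver advertised, which is the value to use for ns_max_mss.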


Instructions

Complete the following procedure:

  1. Using a direct console or SSH client connection to the NetScaler, log on and navigate to the shell prompt.
  2. Run the following command to verify the current system-wide MSS value on the NetScaler:

    nsapimgr -d allsis

    The output should resemble the following text:

    ------------------begin snippet---------------
    login as: nsroot
    Using keyboard-interactive authentication.
    Password:
    Last login: Thu May 22 15:35:58 2008 from 10.54.76.33
     Done
    GA-NS4> shell
    Last login: Thu May 22 19:05:53 from 10.54.76.33
    root@ns# nsapimgr -d allsis
    Displaying all server info entries ...
    Idx  Address    Flags if st srvr clts  MSS pool idltime server-IP-port
    0 E57FF4B4 24000010 83  1    0    0 1460    0 11475280       127.0.0.2 53
    1 E57FED80 04040000 83  7    0    1 1460    0 11475280       127.0.0.18777
    2 E57FE64C 04040000  a  7    1    0 1460    1   12691       127.0.0.1 8766
    3 E57FDF18 04040000 83  7    0    0 1460    0 11475280       127.0.0.1 7776
    4 E57FD7E4 44062000  a  7    4    2 1460    0       0     10.54.80.31 0
    5 E57FD0B0 44062000 83  7    0    0 1460    0 11475280     10.54.80.31 0
    6 E57FC97C 44062000 83  7    0    0 1460    0 11475280     10.54.80.31 21
    7 E57FC248 04068000  a  7   17    0 1460    0     303       127.0.0.1 80
    8 E57FBB14 04042000 83  7    0    0 1460    0 11475280       127.0.0.1 3013
    9 E57FB3E0 74060000 83  7    0    0 1460    0 11475280     10.54.80.31 3008
    10 E57FACAC 74060000 83  7    0    0 1460    0 11475278     10.54.80.31 443
    11 E57FA578 44062000  a  7    0    0 1460    0 11471137     10.54.80.31 22
    12 E57F9E44 04040000 83  7    0    1 1460    0 11475265     10.54.80.31 3011
    13 E57F9710 24040000 83  7    0    0 1460    0 11475265     10.54.80.31 3009
    14 E57F8FDC 44062000 83  7    0    0 1460    0 11475251       241.0.0.1 22
    15 E57F88A8 44062000 83  7    0    0 1460    0 11475251       241.0.0.1 23
    16 E57F8174 44062000 83  7    0    0 1460    0 11475251       241.0.0.2 22
    17 E57F7A40 44062000 83  7    0    0 1460    0 11475251       241.0.0.2 23
    18 E57F1C9C 84040008 83  7    0    0    0    0 1254541       127.0.0.1 514
    19 E57F64A4 F6040008 83  7    0    0 1460    0 1254521     10.54.80.33 3008
    20 E57F5D70 F6040008 83  7    0    0 1460    0 1254507     10.54.80.33 443
    21 E57EDBC8 A400A008 83  1    0    0    0    0 1254490     10.54.76.38 80
    22 E57F1568 A400A008 83  1    0    0    0    0 1254490   10.217.97.251 443
    23 E57F3238 A4000018 83  1    0    0 1460    0 1254487     10.54.76.36 53
    24 E57F40A0 A6000018 83  1    0    0 1460    0 1254487    10.54.80.155 443
    25 E57F2B04 A6000208 83  7    0    0 1460    0 1254487     172.16.1.30 443
    26 E57F47D4 A6000208 83  7    0    0 1460    0 1254478     172.16.1.30 14348
    27 E57F396C A6000208 83  7    0    0 1460    0 1254478    10.54.80.160 443
    28 E57ED494 A6000208 83  7    0    0 1460    0 1254456    10.54.80.160 14348
    29 E57F563C A2000018 83  7    7    0 1460    0 1254456         0.0.0.0 0
    30 E57EE2FC A400C008 83  1    0    0    0    0 1254444     10.54.76.32 53
    31 E57F0E34 2440E000  2  7    7    0 1212    0     274    10.217.97.45 443
    32 E57EEA30 A6008008 83  1    0    0    0    0 1254401         0.0.0.0 80
    33 E57F730C 82008008 83  1    0    0    0    0 1254401         0.0.0.0 80
    34 E57ECD60 86048008 83  1    0    0    0    0 1254401     10.54.76.38 443
    35 E57EF898 86048008 83  1    0    0    0    0 1254401     10.54.76.39 80
    36 E57EC62C 86048008 83  1    0    0    0    0 1254400     10.54.76.34 443
    37 E57F4F08 86048008  2  7    0    0 1212    0      15    10.12.36.196 80
    38 E57F0700 A6008008 83  1    0    0    0    0 1254396         0.0.0.0 80
    39 E57EFFCC 82008008 83  1    0    0    0    0 1254396     10.54.76.38 80
    40 E57F23D0 82048008  2  7   18    0 1212    0     301    10.12.36.196 8080
    41 E57EF164 82048008 83  1    1    0    0    0 1254396     10.54.76.38 8080
    42 E57EBEF8 86000008  1  7    1    0 1340    0    8877     10.54.80.32 3011
    43 E57F6BD8 86000008 83  1    0    0    0    0 1188153       127.0.0.1 3021
    root@ns#
    --------------------------end snippet---------------------------------------------
  3. With a few exceptions, the advertised MSS value is 1460. In this example the MSS value is changed from 1460 to 1380. To change the value to match that of the receiving device, run the following command on the NetScaler CLI:
    nsapimgr -ys ns_max_mss=1380

    Note: If you are connected to the NetScaler through the network, you will lose connectivity at this point because all existing connections to and from the NetScaler are reset. This includes all user and application connections. You can reconnect to the NetScaler at this point.
  4. Run the nsapimgr -d allsis command again and verify that all the previous 1460 values in the MSS column have been changed to 1380.

  5. Verify that an rc.netscaler file exists in which to write the entry for the NSAPIMGR command. At the NetScaler shell prompt, navigate to /nsconfig/ and list the contents to verify that the rc.netscaler file exists. The following is the sample output:

    -------------------------begin snippet----------------------------------
    root@ns# cd nsconfig
    root@ns# ls
    ZebOS.conf              license                 ns.conf.NS6.1
    ZebOS.conf.0            localtime               ns.conf.NS7.0
    ZebOS.conf.1            monitors                ns.lic
    ZebOS.conf.2            ns.6backup.lic          ns4.conf
    ZebOS.conf.3            ns.conf                 nstrace.conf
    ZebOS.conf.4            ns.conf.0               ntp.conf
    ZebOS.conf.NS6.0        ns.conf.1               snmpd.conf
    ZebOS.conf.NS7.0        ns.conf.2               ssh
    ZebOS.conf.bak          ns.conf.3               ssl
    ZebOS.conf.mig          ns.conf.4               
    htmlinjection           ns.conf.NS6.0
    root@ns#
    ------------------------end snippet---------------------------------------
  6. If the rc.netscaler file does not exist, create one in /nsconfig/ and insert the NSAPIMGR command so this file is read every time the appliance is started.

    --------begin snippet----------------------------------------------
    root@ns# vi rc.netscaler
    nsapimgr -ys ns_max_mss=1380
    ~
    ~
    ~
    ~
    ~
    ~
    rc.netscaler: unmodified: line 1
    --------end snippet-----------------------------

    Use the standard UNIX vi editor commands to make this change and save the file.
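
Steps 4 to 6 can also be scripted. The following is an added example, not part of the original article: `count_mss` counts rows of `nsapimgr -d allsis` output that still show a given MSS, and `persist_mss` keeps exactly one ns_max_mss line in the rc file without touching other entries. The function names, the scratch-file path used in the demo, and the sample rows (constructed in the format of the step 2 output) are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the demo scratch file are assumptions.

# Count rows of `nsapimgr -d allsis` output (stdin) whose MSS column equals $1.
# MSS is column 8 in the layout shown in step 2.
count_mss() {
  awk -v want="$1" '$1 ~ /^[0-9]+$/ && NF >= 11 && $8 == want { n++ }
                    END { print n + 0 }'
}

# Ensure the rc file holds exactly one ns_max_mss line, set to $1.
# $2 is the file to edit (default: /nsconfig/rc.netscaler, as in steps 5-6).
persist_mss() {
  mss=$1
  rc=${2:-/nsconfig/rc.netscaler}
  case $mss in
    ''|*[!0-9]*) echo "MSS must be a number" >&2; return 1 ;;
  esac
  tmp="$rc.tmp.$$"
  touch "$rc" || return 1
  # Keep every unrelated line; drop any earlier ns_max_mss setting.
  grep -v 'ns_max_mss=' "$rc" > "$tmp" || true
  echo "nsapimgr -ys ns_max_mss=$mss" >> "$tmp"
  cat "$tmp" > "$rc" && rm -f "$tmp"
}

# Constructed sample: five rows in the format of the step 2 output.
sample_allsis() {
  cat <<'EOF'
Displaying all server info entries ...
Idx  Address    Flags if st srvr clts  MSS pool idltime server-IP-port
0 E57FF4B4 24000010 83  1    0    0 1460    0 11475280       127.0.0.2 53
4 E57FD7E4 44062000  a  7    4    2 1460    0       0     10.54.80.31 0
18 E57F1C9C 84040008 83  7    0    0    0    0 1254541       127.0.0.1 514
31 E57F0E34 2440E000  2  7    7    0 1212    0     274    10.217.97.45 443
42 E57EBEF8 86000008  1  7    1    0 1340    0    8877     10.54.80.32 3011
EOF
}

# Demo against a scratch file, not the live /nsconfig/rc.netscaler.
demo_rc="${TMPDIR:-/tmp}/rc.netscaler.demo.$$"
printf 'nsapimgr -ys ns_max_mss=1460\n' > "$demo_rc"
persist_mss 1380 "$demo_rc"
echo "rows still at 1460: $(sample_allsis | count_mss 1460)"
cat "$demo_rc"
rm -f "$demo_rc"
```

On the appliance, pipe the live output instead (`nsapimgr -d allsis | count_mss 1460`); a result of 0 after step 3 means no entry still shows the old value.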

Additional Information

This article also applies to NetScaler appliances running Access Gateway Enterprise Edition.