dropping UDP packets in openconnect VPN

David Woodhouse dwmw2 at infradead.org
Wed Aug 17 15:47:15 EDT 2011 

On Wed, 2011-08-17 at 12:25 -0700, er0ck wrote:
> i'm a user, not an admin. i don't have shell access to the afs
> servers, don't think i can run tcpdump on that end.

ISTR it's distinctly non-trivial to set up your own AFS server that you
can test with, right?

> however, this is silly, but it looks like reducing the MTU has made
> afs MUCH more snappy.
> the vpn server was giving me an MTU of 1602.  my gig ethernet sans
> jumbo frames is set to 1500.  1602 seems pretty big.
> i asked another user what his MTU was set to on AT&T client 1362.  i
> used that and it seems snappy.

If you're at home or something, the odds are *very* low that you
actually have an MTU of 1602 (+VPN overhead) all the way to the VPN
server. If you're *lucky*, each packet is fragmented into two and
reassembled at the other end. If you're unlucky, the big packets are
just going missing and you're eventually falling back to smaller packets
which works, and that's why it's slow.

> any advice on theory of how to optimize this?

Let's assume you're using DTLS (VPN over UDP between you and the VPN
server).

The overhead on a VPN packet is:
 IP header:              20 bytes
 UDP header:              8 bytes
 DTLS header:            13 bytes
 Cisco VPN packet type:   1 byte

Total: 42 bytes.

So, if you're on a normal Internet link with 1500-byte MTU, your optimum
packet size will be 1458 bytes. If you're using PPPoE, your Internet MTU
will be 1492 and your optimum packet size will be 1450 bytes.

For some reason the default MTU in OpenConnect is set to 1406; I don't
quite know why. Perhaps that was calculated based on overhead in TCP
mode, or maybe I just pulled a number out of my arse.

I *thought* that the server would return only a *smaller* MTU than the
one we requested, but if you're getting 1602 then that seems to be
incorrect. Can you show the MTU-related output of 'openconnect -v' when
you connect to the server?

> thanks again for all your help.
> ______________________________________________
> Too brief? Here's why: http://emailcharter.org

Not too brief at all. Far from it, in fact. You quoted far *more* of the
previous message than you should have done... you should only repeat
parts of the previous message that are absolutely needed for context.

-- 
dwmw2

More information about the openconnect-devel mailing list