pMTU discovery

Bernhard Schmidt berni at birkenwald.de
Thu May 31 05:44:20 EDT 2012


Hi,

We're currently testing OpenConnect 3.20 against our new shiny ASA Beta 
which finally does IPv6 transport. However, when we do use that, we have 
MTU problems on the link. The official AnyConnect client works fine.

In the server side debug we see this for AnyConnect over IPv6:

...input: 'X-CSTP-Base-MTU: 1500'
Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
webvpn_cstp_parse_request_field()
[...]
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1379'
Processing CSTP header line: 'X-CSTP-MTU: 1379'
webvpn_cstp_parse_request_field()
[...]
Iphdr=40 base-mtu=1500 def-mtu=1500 conf-mtu=1406
tcp-mss = 1380
path-mtu = 1380(mss)
mtu = 1380(path-mtu) - 12(opts) - 5(ssl) - 8(cstp) = 1355
tls-mtu = 1355(mtu) - 20(mac) = 1335
DTLS Block size = 16
mtu = 1500(base-mtu) - 40(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1423
mod-mtu = 1423(mtu) & 0xfff0(complement) = 1408
dtls-mtu = 1408(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1386
computed tls-mtu=1335 dtls-mtu=1386 conf-mtu=1406
DTLS enabled for intf=4 (Public)
tls-mtu=1335 dtls-mtu=1386
[...]
Sending X-CSTP-MTU: 1335
Sending X-DTLS-MTU: 1386

And for AnyConnect over IPv4:

...input: 'X-CSTP-MTU: 1399'
Processing CSTP header line: 'X-CSTP-MTU: 1399'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Base-MTU: 1500'
Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
webvpn_cstp_parse_request_field()

[...]
Iphdr=20 base-mtu=1500 def-mtu=1500 conf-mtu=1406
tcp-mss = 1380
path-mtu = 1380(mss)
mtu = 1380(path-mtu) - 12(opts) - 5(ssl) - 8(cstp) = 1355
tls-mtu = 1355(mtu) - 20(mac) = 1335
DTLS Block size = 16
mtu = 1500(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1443
mod-mtu = 1443(mtu) & 0xfff0(complement) = 1440
dtls-mtu = 1440(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1418
computed tls-mtu=1335 dtls-mtu=1418 conf-mtu=1406
DTLS enabled for intf=4 (Public)
tls-mtu=1335 dtls-mtu=1418
[...]
Sending X-CSTP-MTU: 1335
Sending X-DTLS-MTU: 1418



But OpenConnect (regardless of IPv4 or IPv6):

...input: 'X-CSTP-MTU: 1406'
Processing CSTP header line: 'X-CSTP-MTU: 1406'
webvpn_cstp_parse_request_field()
[...]
Computing the legacy svc_mtu
Default svc_mtu=1406
tls-mtu=1406 dtls-mtu=0
Legacy mode so default dtls mtu to tls mtu
[...]
Sending X-CSTP-MTU: 1406



a) I'm assuming the ASA is calculating this from the Base-MTU, which is 
a field openconnect is not sending. We haven't tried this on 
MTU-challenged paths yet. Is AnyConnect just guessing or actively 
measuring this?

b) Does anyone have more details? Might sending Base-MTU additionally be 
enough?

Thanks,
Bernhard
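
The arithmetic in the ASA debug output above, reproduced as an added example (not part of the original post and not OpenConnect or ASA code). The function and parameter names are hypothetical, and two assumptions are marked in comments: that a missing Base-MTU selects the legacy path, and that the 0xfff0 mask generalises to other block sizes.

```c
#include <stdio.h>

/* Per-layer overheads, copied from the ASA debug output quoted above. */
enum { TCP_OPTS = 12, SSL_HDR = 5, CSTP_HDR = 8, MAC_LEN = 20,
       UDP_HDR = 8, DTLS_HDR = 13, DTLS_IV = 16, CDTP_HDR = 1, DTLS_PAD = 1 };

struct asa_mtu { int tls; int dtls; };

/*
 * base_mtu        X-CSTP-Base-MTU from the client, 0 if the header is absent
 * ip_hdr          20 for IPv4 transport, 40 for IPv6 ("Iphdr=" in the log)
 * tcp_mss         MSS of the TLS connection ("tcp-mss" in the log)
 * default_svc_mtu value used on the legacy path (1406 in the log)
 * block           DTLS cipher block size (16 in the log)
 */
static struct asa_mtu asa_compute(int base_mtu, int ip_hdr, int tcp_mss,
                                  int default_svc_mtu, int block)
{
    struct asa_mtu r;

    if (base_mtu == 0) {
        /* Assumption: a missing Base-MTU is what selects the legacy path. */
        r.tls = default_svc_mtu;
        r.dtls = r.tls;          /* "default dtls mtu to tls mtu" */
        return r;
    }
    /* TLS: start from the TCP MSS, strip TCP options, SSL, CSTP, MAC. */
    r.tls = tcp_mss - TCP_OPTS - SSL_HDR - CSTP_HDR - MAC_LEN;

    /* DTLS: start from the base MTU, strip IP, UDP, DTLS header and IV, */
    int mtu = base_mtu - ip_hdr - UDP_HDR - DTLS_HDR - DTLS_IV;
    /* round down to a block multiple (0xfff0 mask for block 16;
       generalising the mask to other power-of-two sizes is an assumption) */
    int mod = mtu & ~(block - 1);
    r.dtls = mod - CDTP_HDR - MAC_LEN - DTLS_PAD;
    return r;
}

int main(void)
{
    struct asa_mtu v6 = asa_compute(1500, 40, 1380, 1406, 16);
    struct asa_mtu v4 = asa_compute(1500, 20, 1380, 1406, 16);
    struct asa_mtu oc = asa_compute(0, 40, 1380, 1406, 16);
    printf("AnyConnect IPv6: tls=%d dtls=%d\n", v6.tls, v6.dtls);
    printf("AnyConnect IPv4: tls=%d dtls=%d\n", v4.tls, v4.dtls);
    printf("No Base-MTU:     tls=%d dtls=%d\n", oc.tls, oc.dtls);
    return 0;
}
```

The 32-byte gap between the two DTLS results comes from the 20-byte difference in IP header size after rounding down to a 16-byte multiple.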



More information about the openconnect-devel mailing list