04-25-2013 07:05 AM
I have checked the Web, Aruba documentation and this forum and there is no mention (at all) of TCP MSS adjustments. The reason to open this thread is to check whether anyone has had a look at this or whether this is something that gets sorted under the hood.
Recently, while troubleshooting a multi-vendor network, I've noticed that traffic connecting to the Aruba Controllers has the MTU adjusted for all traffic that is tunneled between two Aruba Controllers.
Basically what I'm seeing is:
- Client sends TCP SYN with MSS=1460
- Server replies TCP SYNACK with MSS=986
Same server other vendor MSS stays 1460.
The traffic crosses a tunnel between 2 Aruba Controllers and there is no MTU defined and the Tunnel MTU is set to 1100 (based on a 'show interface tunnel x').
I'm wondering whether I'm seeing PMTUD at work - however, my packet captures do not show any ICMP where the MTU is determined. Or is there a TCP MSS adjust/rewrite happening within the Arubas?
I'm hesitant about raising a TAC case - as it's not really a problem - it's more something that seems to be happening and we would like to better understand. Any ideas?
04-25-2013 10:09 AM
Ok, it seems I'll be answering my own question :)
From what I'm seeing, traffic from AP -> Controller which is GRE encapsulated does not copy the DF bit from the original IP header into the outer GRE IP header - which breaks PMTUD for the client. However, on closer inspection, from Controller to AP the DF is copied into that IP header.
So PMTUD is only working in one direction, and that explains why I, on the client behind the AP side, did not see the ICMP messages that lowered the TCP MSS.
So as a follow-up question - is it normal that the DF bit is only copied in the GRE IP header from Controller to AP but not the other way?
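The one-directional DF behaviour described in this post can be checked mechanically in a capture rather than by eyeballing hex. The following is an added example (not code from the thread, and not Aruba's): it parses a GRE-over-IPv4 packet, compares the DF flag of the outer (tunnel) IPv4 header with that of the inner (client) IPv4 header, and pulls the MSS option from the inner TCP SYN. The packet bytes, addresses and port numbers are constructed here for illustration; in practice you would feed it the raw IP payload of each frame from a pcap.

```python
"""Compare DF bits on outer vs inner IPv4 headers of a GRE packet and read the
inner TCP MSS option. Example code added to this thread; packets are constructed."""
import struct

IP_DF = 0x4000          # "Don't Fragment" flag in the IPv4 flags/fragment-offset field
GRE_PROTO = 47
TCP_PROTO = 6
ETHERTYPE_IPV4 = 0x0800
TCP_OPT_MSS = 2


def parse_ipv4(buf, off=0):
    """Return (header fields, offset of payload) for the IPv4 header at buf[off:]."""
    vihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (vihl & 0x0F) * 4
    return {"df": bool(flags_frag & IP_DF), "proto": proto, "total_len": total_len,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}, off + ihl


def parse_gre(buf, off):
    """Minimal GRE header (RFC 2784/2890): flags+version, protocol type, optional fields."""
    flags_ver, proto_type = struct.unpack_from("!HH", buf, off)
    length = 4
    if flags_ver & 0x8000:      # checksum present (4 bytes: checksum + reserved)
        length += 4
    if flags_ver & 0x2000:      # key present
        length += 4
    if flags_ver & 0x1000:      # sequence number present
        length += 4
    return proto_type, off + length


def tcp_mss(buf, off):
    """Return the MSS option from the TCP header at buf[off:], or None if absent."""
    data_off = (buf[off + 12] >> 4) * 4
    opts = buf[off + 20: off + data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:           # end of option list
            break
        if kind == 1:           # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += length
    return None


def inspect_gre_packet(pkt):
    """Report whether the tunnel copied DF from the inner header, plus inner MSS."""
    outer, off = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    proto_type, off = parse_gre(pkt, off)
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    inner, off = parse_ipv4(pkt, off)
    mss = tcp_mss(pkt, off) if inner["proto"] == TCP_PROTO else None
    return {"outer_df": outer["df"], "inner_df": inner["df"],
            "df_copied": outer["df"] == inner["df"], "inner_mss": mss}


# --- constructed sample packets (hypothetical addresses, not from any capture) ---
def build_ipv4(src, dst, proto, payload, df):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp_syn(mss):
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)          # MSS option, 4 bytes
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4, 0x02, 65535, 0, 0)
    return hdr + opts


def build_gre_packet(outer_df, inner_df, mss):
    inner = build_ipv4("10.1.1.10", "192.0.2.20", TCP_PROTO, build_tcp_syn(mss), inner_df)
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)             # no checksum/key/seq
    return build_ipv4("10.0.0.1", "10.0.0.2", GRE_PROTO, gre + inner, outer_df)


if __name__ == "__main__":
    # AP -> controller: inner DF set, outer DF not copied (the case seen in the thread)
    print(inspect_gre_packet(build_gre_packet(outer_df=False, inner_df=True, mss=1460)))
    # Controller -> AP: DF copied into the outer header
    print(inspect_gre_packet(build_gre_packet(outer_df=True, inner_df=True, mss=986)))
```

A packet where `inner_df` is True but `outer_df` is False is exactly the case that breaks PMTUD for the client: an intermediate hop can fragment the outer packet instead of returning ICMP "fragmentation needed", so no MSS reduction ever reaches the sender.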
04-26-2013 12:02 AM
Traffic from the AP to the controller is encrypted and then decrypted at the controller. Turn on Control Plane Security on the controller and then Turn on Decrypt Tunnel on the Virtual AP and see if that is still the case.
Aruba Customer Engineering
04-29-2013 03:31 AM
I'll try that when I'm back in the office later this week and will post results as I believe it could be interesting for others to see as well.
The traffic from AP to controller being encrypted makes sense - however, I would imagine this being the other way around as well, or is the encryption only from AP->Controller and not Controller->AP? The difference I found is that the DF bit (if set) gets copied in the path Controller->AP but not the other way around.
I'll switch Control Plane Security on/off as well as Decrypt Tunnel and see whether it makes a difference.
Thanks for the follow-up :)