How to change the Maximum Transfer Unit (MTU) on the GRE tunnel?

By Arunkumar posted Jun 29, 2014 12:19 PM


Environment : Aruba Mobility Controller AOS version


A GRE tunnel is created between the Access Point and the controller for the Service Set Identifier (SSID). The default MTU for the GRE tunnel is 1500 bytes for the Campus Access Point (CAP) and 1200 bytes for the Remote Access Point (RAP). In some deployment scenarios, a CAP installed in a branch office is connected to the corporate network via an IPsec tunnel established between two external VPN endpoints. Because the IPsec encapsulation adds its own headers on top of each GRE packet, packet fragmentation will occur if the MTU size for the GRE tunnel is left at the default of 1500 bytes. Packet fragmentation generally degrades throughput and performance.

Perform the following steps to change the MTU to 1200 bytes to avoid packet fragmentation for this deployment scenario. 

Web UI: 
1. Log in with your administrator account username and password.
2. Click on Configuration -> WIRELESS (AP Configuration) -> Select the AP Group name where the change is needed -> AP (AP system) -> General (SAP MTU), Enter 1200 
3. Click APPLY 
4. Click Save configuration 

CLI:
1. SSH to the master mobility controller with the administrator username and password.
2. Enter enable mode if bypass is disabled.
3. Note down the name of the AP group where the change is needed.
4. Type "config t".
5. Type "ap system-profile <name of the profile>".
6. Type "mtu 1200". This will change the MTU to 1200 bytes.

ap-group "python"
   virtual-ap "python123"
   ap-system-profile "python"

ap system-profile "python"
   mtu 1200


To verify the MTU value, SSH to the controller where the AP is terminated and run the "show ap bss" command. Check the value under the MTU column.

(static-master) #show ap bss 

fm (forward mode): T-Tunnel, S-Split, D-Decrypt Tunnel, B-Bridge (s-standard, p-persistent, b-backup, a-always) 

Aruba AP BSS Table 
bss                ess        port  ip  phy   type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t   mtu   acl-state  acl  fm
---                ---        ----  --  ---   ----  ----------------  ------  -------            -------  -----   ---   ---------  ---  --
00:1a:1e:8f:a0:80  python123  N/A       g-HT  ap    11/34/20.5        0       00:1a:1e:c0:fa:08  0        2m:31s  1200  -          60   T
00:1a:1e:8f:a0:90  python123  N/A       a-HT  ap    149+/35.5/20      0       00:1a:1e:c0:fa:08  0        2m:31s  1200  -          60   T

Port information is available only on 6xx controller. 
Channel followed by "*" indicates channel selected due to unsupported configured channel. 
"Spectrum" followed by "^" indicates Local Spectrum Override in effect. 

Num APs:2 
Num Associations:0
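
When many APs terminate on one controller, the "show ap bss" check above can be scripted. The following is an added example, not part of the original article or of Aruba's tooling: it parses saved "show ap bss" output using the column positions of the dashed rule line and lists every BSS whose MTU differs from the expected value. It assumes the CLI's fixed-column layout; the sample text is constructed, and its third row (ess "guest", AP name "branch ap 2", MTU 1500) is invented to show a mismatch.

```python
import re

# Constructed sample of saved "show ap bss" output (column set taken from the
# article; ip cells are blank and the third row, MTU 1500, is invented).
SAMPLE = """\
bss                ess        port  ip  phy   type  ch/EIRP/max-EIRP  cur-cl  ap name            in-t(s)  tot-t   mtu   acl-state  acl  fm
---                ---        ----  --  ---   ----  ----------------  ------  -------            -------  -----   ---   ---------  ---  --
00:1a:1e:8f:a0:80  python123  N/A       g-HT  ap    11/34/20.5        0       00:1a:1e:c0:fa:08  0        2m:31s  1200  -          60   T
00:1a:1e:8f:a0:90  python123  N/A       a-HT  ap    149+/35.5/20      0       00:1a:1e:c0:fa:08  0        2m:31s  1200  -          60   T
00:1a:1e:8f:b0:10  guest      N/A       g-HT  ap    6/34/20.5         0       branch ap 2        0        1m:02s  1500  -          60   T

Num APs:3
"""


def parse_bss_table(text):
    """Return one dict per BSS row, keyed by the header labels."""
    lines = text.splitlines()
    # The rule line (dash groups and spaces only) marks where each column starts.
    rule = next(i for i, l in enumerate(lines)
                if len(re.findall(r"-+", l)) > 1 and not l.replace("-", "").strip())
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[rule + 1:]:
        if not line.strip():
            break  # a blank line ends the table; footer notes follow it
        # Slicing by position keeps empty cells and names containing spaces intact.
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows


def mtu_mismatches(text, expected=1200):
    """List (bss, ap name, mtu) for rows whose MTU differs from expected."""
    return [(r["bss"], r["ap name"], int(r["mtu"]))
            for r in parse_bss_table(text) if int(r["mtu"]) != expected]


if __name__ == "__main__":
    for bss, ap, mtu in mtu_mismatches(SAMPLE):
        print(f"{bss} on {ap}: MTU {mtu}, expected 1200")
```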



Sep 10, 2014 03:09 PM

Hi J|K, the dirty flag is due to the config message not making it to the AP. The config message size would have increased post-upgrade and it wouldn't have made it due to fragmentation. The article below should help in understanding the case. Thanks -vijay

Aug 14, 2014 06:11 PM

Thanks for uploading the info - I've observed exactly the same problem and that trick resolved the dirty config issue.

Well, recently I've faced a strange behavior - the controller was upgraded from 6.3 to 6.4 - out of 80 APs, 45 were shown down after the controller successfully booted up on the newer IOS.

Here I explain the connectivity part:


AP -> SW -> BR-Router -> DMVPN cloud - with IP-MTU 1400 ----- -> HUB-R -> SW -> Controller.


The AP default profile already had SAP MTU set to 1200, and all APs were working fine with the old controller IOS 6.3.

With 6.4 - within a branch, out of 4 APs 1 came up successfully and the rest were all found in a down state. After troubleshooting, it was seen that the issue gets solved by setting the Tunnel-IP MTU to 1200 on the BR-Router, and then all the remaining APs started coming up on the network.


Would appreciate it if you could highlight something on this. How come changing the IP MTU makes communication normal b/w AP and controller?