
Occasional Contributor II

TCP MSS adjust

I have checked the Web, Aruba documentation and this forum and there is no mention (at all) of TCP MSS adjustments. The reason to open this thread is to check whether anyone has had a look at this or whether this is something that gets sorted under the hood.


While recently troubleshooting a multi-vendor network, I noticed that traffic connecting to the Aruba Controllers has the MTU adjusted for all traffic that is tunneled between two Aruba Controllers.


Basically what I'm seeing is:

- Client sends TCP SYN with MSS=1460

- Server replies TCP SYNACK with MSS=986


Same server, other vendor: MSS stays 1460.


The traffic crosses a tunnel between 2 Aruba Controllers and there is no MTU defined and the Tunnel MTU is set to 1100 (based on a 'show interface tunnel x').


I'm wondering whether I'm seeing PMTUD at work - however, my packet captures do not show any ICMP where the MTU is determined. Or is there a TCP MSS adjust/rewrite happening within the Arubas?


I'm hesitant about raising a TAC case - as it's not really a problem - it's more something that seems to be happening and we'd like to better understand. Any ideas?

Occasional Contributor II

Re: TCP MSS adjust

OK, it seems I'll be answering my own question :)


From what I'm seeing, traffic from AP->Controller, which is GRE encapsulated, does not copy the DF bit from the original IP header into the IP GRE IP header - which breaks PMTUD for the client. However, on closer inspection, from Controller to AP the DF is copied into that IP header.


So PMTUD is only working in one direction, and that explains why I, on the client side behind the AP, did not see the ICMP messages that lowered the TCP MSS.


So as a follow-up question - is it normal that the DF bit is only copied in the GRE IP header from Controller to AP but not the other way?

Guru Elite

Re: TCP MSS adjust

Traffic from the AP to the controller is encrypted and then decrypted at the controller. Turn on Control Plane Security on the controller and then turn on Decrypt Tunnel on the Virtual AP and see if that is still the case.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: TCP MSS adjust

I'll try that when I'm back in the office later this week and will post results as I believe it could be interesting for others to see as well.


The traffic from AP to controller being encrypted makes sense - however, I would imagine this being the other way around as well, or is the encryption only from AP->Controller and not Controller->AP? The difference I found is that the DF bit (if set) gets copied in the path Controller->AP but not the other way around.


I'll switch Control Plane Security on/off as well as Decrypt Tunnel and see whether it makes a difference.


Thanks for the follow-up :)
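
The DF comparison discussed in this thread can be checked directly from captured bytes. The following is an added example, not code from any poster or from Aruba: it parses an IPv4/GRE packet and reports the outer DF bit, the inner DF bit and the inner TCP MSS option. It assumes plain IPv4 directly inside GRE (protocol type 0x0800); `sample()` and its addresses and ports are constructed test data.

```python
import struct

GRE_PROTO, TCP_PROTO, DF_FLAG = 47, 6, 0x4000

def parse_ipv4(buf):
    """Return (DF set?, protocol, payload) for an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag, = struct.unpack_from("!H", buf, 6)
    return bool(flags_frag & DF_FLAG), buf[9], buf[(buf[0] & 0x0F) * 4:]

def tcp_mss(seg):
    """Walk the TCP options and return the MSS value, or None if absent."""
    opts, i = seg[20:(seg[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of options
        if opts[i] == 1:                         # kind 1 = NOP, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                # malformed option length
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += opts[i + 1]
    return None

def inspect(packet):
    """Compare the outer and inner DF bits of an IPv4-in-GRE packet."""
    outer_df, proto, rest = parse_ipv4(packet)
    if proto != GRE_PROTO or len(rest) < 4:
        raise ValueError("outer packet does not carry GRE")
    flags, ptype = struct.unpack_from("!HH", rest)
    if ptype != 0x0800:
        raise ValueError("GRE payload is not IPv4 (assumption of this example)")
    # Optional GRE fields: checksum (C), key (K), sequence (S), 4 bytes each.
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner_df, iproto, seg = parse_ipv4(rest[off:])
    mss = tcp_mss(seg) if iproto == TCP_PROTO and len(seg) >= 20 else None
    return {"outer_df": outer_df, "inner_df": inner_df,
            "df_lost": inner_df and not outer_df, "mss": mss}

def sample(outer_df, inner_df, mss):
    """Constructed IPv4/GRE/IPv4/TCP SYN packet with one MSS option."""
    def ip(proto, payload, df):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                           DF_FLAG if df else 0, 64, proto, 0,
                           b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload
    syn = struct.pack("!HHIIHHHHBBH", 40000, 80, 0, 0, 0x6002,
                      65535, 0, 0, 2, 4, mss)
    return ip(GRE_PROTO, struct.pack("!HH", 0, 0x0800) + ip(TCP_PROTO, syn, inner_df), outer_df)
```

`df_lost` is true when the inner packet has DF set but the outer GRE/IP header does not, which is the case where ICMP "fragmentation needed" feedback cannot reach the original sender.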
