We start with a payload length of 1408. As you can see we get the expected response.<\/p>\n
C:\\Users\\rick>ping 192.168.1.10 -f -l 1408 -n 2\r\nPinging 192.168.1.10 with 1464 bytes of data:\r\nReply from 192.168.1.10: bytes=64 (sent 1464) time=39ms TTL=45\r\nReply from 192.168.1.10: bytes=64 (sent 1464) time=39ms TTL=45<\/pre>\nPing statistics for 192.168.1.10: \nPackets: Sent = 2, Received = 2, Lost = 0 (0% loss),<\/p>\n
We next up our payload length to 1409 bytes. However this time we can see that the packet is to large and requires fragmentation.<\/p>\n
C:\\Users\\rick>ping 192.168.1.10 -f -l 1409 -n 2\r\nPinging 192.168.1.10 with 1465 bytes of data:\r\nPacket needs to be fragmented but DF set.\r\nPacket needs to be fragmented but DF set.<\/pre>\nPing statistics for 192.168.1.10: \nPackets: Sent = 2, Received = 0, Lost = 2 (100% loss),<\/p>\n
Based on these tests we take the maximum payload length (which is 1408 bytes) and subtract a further 12 bytes (because of TCP headers), leaving us with our optimal MSS.<\/p>\n
MAXIMUM PAYLOAD LENGTH – 12 BYTES = OPTIMAL MSS<\/strong><\/p>\nNote<\/em>\u00a0<\/strong>: Based our optimal MSS value, the additional headers that would contribute to the remainder of the packet are,<\/p>\nMAXIMUM PAYLOAD (1408bytes) + IP HEADER (20bytes) + ICMP HEADER (8 bytes) + IPSEC HEADER (64 bytes) = 1500 MTU.<\/strong><\/p>\nThe interesting point here is that the IPSEC header size can change based on the ciphers used.<\/p>\n
Note<\/strong><\/em> : The Cisco ASA clamps the MSS (of the inital SYN) in each direction.<\/p>\n<\/span>MSS Blocking<\/strong><\/span><\/h3>\nCisco ASA v7.0 and later introduced a feature that blocked traffic containing an MSS higher that that announced by its peer (within the 3 way handshake). Though this is meant to limit potential buffer overruns etc as some servers may not always adhere to this behaviour you may find instances where this feature needs to be disabled.<\/p>\n
To confirm whether this feature is blocking packets and needs to be disabled, run\u00a0the command\u00a0‘show asp drop’. Before and after any of your tests.<\/p>\n
<\/span>PMTUD<\/strong><\/span><\/h3>\nTo ensure that PMTUD can operate the ICMP message ‘Fragmentation needed and DF set’ is permitted to all servers at both sites from any location. \nThough this isn’t required within our scenario due to MSS clamping it is still considered good practice should it ever be required within the future.<\/p>\n
<\/span>Selective ACK (SACK)<\/strong><\/span><\/h3>\nOne issue with TCP is how the receiver acknowledges what packets they have received within the sliding window.<\/p>\n
Consider the scenario where a host has sent you 10,000 bytes. However bytes 2001-4000 were lost in transit. Normally the ACK sent would say, “Ive got everything up to 2000 bytes” and the sender would then resend 2001-10000. \nSelectiveACK allows the receiver to say, “I got 1-2000 and 4001-10000”. The host would then only resend bytes 2001-4000.<\/p>\n
<\/span>Nagle Algorithm<\/strong><\/span><\/h3>\nThe Nagle algorithm is a method to alleviate network overhead by combining a number of smaller packets into one. Since TCP\/IP requires a 40 byte header (20 bytes TCP, 20 bytes IP), a packet that contains a 1 byte data payload can result in the packet being 41 bytes in length.<\/p>\n
Though this can greatly improve efficiency on a TCP\/IP network, this feature doesn’t work well with applications that require small packets to operate correctly. Such as telnet, where each keystroke is sent to the server. Because of this Nagle is normally best used in situations where large data transfers are required rather then interactive based application such as RDP or SSH.<\/p>\n
<\/span>Receive Window Tuning<\/strong><\/span><\/h3>\nThe Receive Window (RWIN) is advertised by the receiver and corresponds to the amount of bytes within the receive buffer. Also known as the Window size, the RWIN ensures that the receiver does not receive more data then it is able to process. \nThe sender is able to send data up to the window size without requiring an acknowledgment back. At any point the Window size can be adjusted by the receiver ; this acts as a form of flow control for the receive buffer.<\/p>\n
Why do we need to tune the Receive Window (RWIN) ?<\/p>\n
Well if the RWIN is too small then it can limit the throughput whilst the sender is awaiting for receiver acknowledge the traffic. If it is too big then the sender will have to resend the entire RWIN everytime packet loss occurs (however SACK can relieve such problems to a certain extent).<\/p>\n
Windows 7 and 2008 include a feature called “AutoTuning”. This automatically calculates and adjusts the RWIN based on what it believes to be the optimal size. For all other operating systems the RWIN size can be calculated and manually tuned, if required. This is done using the following formula,<\/p>\n
BANDWIDTH(kbps) \/ 8 * AVERAGE LATENCY(Millisec) = RWIN SIZE(Bytes)<\/strong><\/p>\nThe RWIN size is then rounded off to a multiple of the Maximum Segment Size (MSS).<\/p>\n
Note:<\/em> In most instances your RWIN size should calculated to 64k or smaller. However should the it be larger then 64k Windows Scaling (WS) can be set. The Window Scale value is advertised within the TCP header and is a value that acts as a multiplier to the Receive Window size.<\/p>\n<\/span>Summary<\/strong><\/span><\/h2>\nTaking onboard the above and keeping inline with our case example the following changes were then implemented,<\/p>\n
1. The optimal MSS value was calculated and MSS clamping was set on the UK gateway. As this was a Cisco ASA the following command was used,<\/p>\n
ciscoasa(config)# sysopt connection tcp-mss maximum <MSS IN BYTES><\/pre>\n2. MSS blocking was disabled on the UK gateway. Again as this was a Cisco ASA the following commands were used,<\/p>\n
ciscoasa(config)# access-list MSS-EXCEEDED-ACL permit tcp any any<\/pre>\nciscoasa(config)# class-map MSS-EXCEEDED-MAP \nciscoasa(config-cmap)# match access-list MSS-EXCEEDED-ACL \nciscoasa(config-cmap)# exit<\/p>\n
ciscoasa(config)# tcp-map mss-map \nciscoasa(config-tcp-map)# exceed-mss allow \nciscoasa(config-tcp-map)# exit<\/p>\n
ciscoasa(config)# policy-map global_policy \nciscoasa(config-pmap)# class MSS-EXCEEDED-MAP \nciscoasa(config-pmap-c)# set connection advanced-options mss-map \nciscoasa(config-pmap-c)# end<\/p>\n
3. As the VPN was mainly used for data transfers Nagle was enabled on all of the servers on both sides of the VPN. \n4. Selective ACK (SACK) was enabled on all servers on both sides on the VPN. \n5. The access control policies on both VPN gateways were updated to permit the ICMP Type 3 Code 4 “Fragmentation needed and DF set” inbound to all servers from any source address. \n6. The RWIN calculated and updated on all servers not<\/span> running Windows 2008.<\/p>\n","protected":false},"excerpt":{"rendered":"How can I optimize the throughput of a VPN across a WAN based link ? I was recently asked this question the other day by a client, after seeing the results (in which the transfer speeds were nearly tripled) I thought it would make an interesting article. Background My client had a VPN (Site to … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"yoast_head":"\nOptimize Throughput of a VPN across a WAN-based Link - Fir3net<\/title>\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\t \n\t \n\t \n