
Cisco PIX Firewall MTU Problem

Discussion in 'Other Cisco Equipment' started by david803sc, Nov 9, 2007.

  1. david803sc

    david803sc LI Guru Member

    My ISP sends all internet traffic through a PIX firewall. Everything on the internal network is 1500 MTU. When connecting a PC to the WAN connection on the firewall they get an MTU of 1500, but traffic going through the firewall goes down to an MTU of 1420. They are not sure why this is happening; everything on this side of the firewall is fiber. We are positive the 1420 MTU is coming from the firewall. Anyone with an idea of why it is requiring an MTU of 1420?

    Thanks,

    David
     
  2. ifican

    ifican Network Guru Member

    I think you might have a slight misunderstanding. If the configuration shows an MTU setting of 1500, that simply means the PIX will accept frames of up to 1500 bytes. Your standard frames will vary in size depending on the application; if you watch traffic traversing the PIX you will see the MTU size vary.
     
  3. Toxic

    Toxic Administrator Staff Member

    Does MTU change if packet loss occurs? Just thinking perhaps an Ethernet cable is affecting the MTU.
     
  4. david803sc

    david803sc LI Guru Member

    They have a couple of PIX firewalls. They checked all their routers, PCs and other equipment and everything was set to 1500. All LAN to LAN traffic is 1500, and LAN to WAN traffic with the firewall bypassed is showing 1500, but when traffic goes through any of their PIX firewalls LAN to WAN it is setting the MTU down to 1420, send and receive. They are not sure why; I am just trying to find some ideas to help them. If it is possible we want to get all traffic to be able to use an MTU of 1500.
     
  5. Toxic

    Toxic Administrator Staff Member

    Are they running any IPsec/PPTP VPNs at all? That MTU size of 1420 is usually linked to VPNs.
     
  6. ifican

    ifican Network Guru Member

    I still don't think I'm following here. What tools are you using to determine that the PIX is only forwarding frames of 1420? So if you send a frame sized at 1460 from one side to the other, the PIX will drop it? It does not have the ability to resize a packet; it can fragment one like most devices, but not resize.
     
  7. david803sc

    david803sc LI Guru Member

    We used a TCP analyzer tool on the web. We tested LAN clients bypassing the firewall and saw the 1500; we tested through the firewall and got 1420; we tested directly to the WAN port and got 1500. The company checked all their routers and network hardware in the management consoles and they were all set to 1500. The firewall is managed by another company and they do not have access to them physically. I did some pings from the LAN side behind the firewall checking for fragmentation and I didn't fragment packets until I hit something like 1474. Here are the tools we are using to test the MTU through the firewall to the internet:

    http://www.dslreports.com/tweaks

    Also the speedguide.net TCP Analyzer, which gives these results:

    « SpeedGuide.net TCP Analyzer Results »
    Tested on: 11.11.2007 08:58
    IP address: 206.74.xxx.xxx

    TCP options string: 02040564010303000101080a608b37550000000004020000
    MSS: 1380
    MTU: 1420
    TCP Window: 65535 (NOT multiple of MSS)
    RWIN Scaling: 0
    Unscaled RWIN : 65535
    Reccomended RWINs: 63480, 126960, 253920, 507840
    BDP limit (200ms): 2621kbps (328KBytes/s)
    BDP limit (500ms): 1049kbps (131KBytes/s)
    MTU Discovery: ON
    TTL: 44
    Timestamps: ON
    SACKs: ON
    IP ToS: 00000000 (0)
     
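    The analyzer output above reports MSS 1380 and MTU 1420, and the MTU figure is simply the MSS plus the 40 bytes of IPv4 and TCP headers. As an added example, not code from the thread or from SpeedGuide, the following Python script decodes that exact TCP options string, derives the implied MTU, and computes how many bytes a device on the path has shaved off the MSS a 1500-byte LAN would normally advertise. Running the same decode on a SYN captured on each side of a firewall is the quickest way to confirm whether a middlebox is rewriting the MSS rather than the hosts choosing it.

```python
"""Decode a TCP options string (as printed by a TCP analyzer or taken from a
captured SYN) and derive the path MTU implied by the advertised MSS.
Added example; the options string below is the one quoted in the thread."""

from typing import Any, Dict, List, Tuple

# 20-byte IPv4 header + 20-byte TCP header with no options
IPV4_TCP_HEADER_OVERHEAD = 40

# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE, KIND_SACK_OK, KIND_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_tcp_options(hex_string: str) -> Dict[str, Any]:
    """Walk the options field byte by byte and return the decoded fields."""
    data = bytes.fromhex(hex_string)
    opts: Dict[str, Any] = {}
    unknown: List[Tuple[int, str]] = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == KIND_EOL:
            break                      # end of option list; the rest is padding
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = data[i + 2:i + length]
        if kind == KIND_MSS and length == 4:
            opts["mss"] = int.from_bytes(body, "big")
        elif kind == KIND_WSCALE and length == 3:
            opts["window_scale"] = body[0]
        elif kind == KIND_SACK_OK and length == 2:
            opts["sack_permitted"] = True
        elif kind == KIND_TIMESTAMP and length == 10:
            opts["tsval"] = int.from_bytes(body[:4], "big")
            opts["tsecr"] = int.from_bytes(body[4:], "big")
        else:
            unknown.append((kind, body.hex()))
        i += length
    if unknown:
        opts["unknown"] = unknown
    return opts


def mtu_from_mss(mss: int) -> int:
    """MTU the peer infers from an advertised MSS (fixed IPv4+TCP headers added)."""
    return mss + IPV4_TCP_HEADER_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """MSS a host on a link of the given MTU would normally advertise."""
    return mtu - IPV4_TCP_HEADER_OVERHEAD


def mss_bytes_clamped(local_mtu: int, observed_mss: int) -> int:
    """How many bytes below the local link's natural MSS the observed MSS is.
    0 means nothing on the path rewrote it; a positive value is the clamp."""
    return max(0, mss_for_mtu(local_mtu) - observed_mss)


def df_ping_payload_for_mtu(mtu: int) -> int:
    """Largest ICMP echo payload that fits the MTU with DF set:
    MTU minus 20-byte IPv4 header minus 8-byte ICMP header."""
    return mtu - 28


# Options string quoted from the analyzer result in the thread
THREAD_OPTIONS = "02040564010303000101080a608b37550000000004020000"

if __name__ == "__main__":
    decoded = parse_tcp_options(THREAD_OPTIONS)
    print("decoded options:", decoded)
    print("implied MTU:", mtu_from_mss(decoded["mss"]))
    print("MSS shaved off vs a 1500 LAN:", mss_bytes_clamped(1500, decoded["mss"]))
    print("largest DF ping payload at 1500:", df_ping_payload_for_mtu(1500))
```

    The decode yields an MSS of 1380, window scale 0, SACK permitted and a timestamp option, which matches the analyzer's summary line for line, and 1380 + 40 gives the 1420 MTU the tool printed. A host on a plain 1500-byte Ethernet advertises MSS 1460, so the observed value is 80 bytes lower; seeing 1460 on the LAN side of the firewall and 1380 on the WAN side of the same SYN would pin the rewrite on the firewall rather than on the hosts. The last helper gives the payload size for a don't-fragment ping sweep (1472 bytes for a 1500 path), the same kind of probe used in the thread to locate where fragmentation starts.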
  8. ifican

    ifican Network Guru Member

    Run the "capture" command on both interfaces of the PIX and see what it is seeing as the MTU size it receives on the incoming interface and the exiting interface. You might be surprised at what is actually taking place vs what DSL Reports is reporting. You could also use a packet sniffer (which is what the capture command is on the PIX) on your machine to see what size MTU your machine is setting each send to.

    Part of me is still wondering, though, what the overall concern is. I have in the past played with setting the MTU down to 500 without affecting the feel or speed of the WAN link I was on at the time.
     
  9. david803sc

    david803sc LI Guru Member

    Well, for one, 500 would not support Xbox Live, which I play every day; it requires a minimum connection MTU of 1390, I believe. I have been having problems with some websites and connections; it was something I noticed in my tests. Previously when I had DSL I had an MTU of 1492, and before that with cable I had 1500. Since I am paying an ISP $65 a month for service I want the best possible service, and it concerns me that they are using an odd MTU when no other ISP that I know of does. I asked them about it, and they weren't even aware of it; they are testing and trying to figure it out. I asked them if they could tell me why it was 1420 and they could not even answer that question. In the end, if they cannot make it 1500, OK, but I expect at minimum an answer or explanation as to why. I don't think it is an unreasonable question.
     
  10. ifican

    ifican Network Guru Member

    Sorry about the delay here; I have not been around this board much in the last couple of months. With changing jobs in October I don't have as much time as I used to for some of the things I like. No, your question is not unreasonable, and any good network person should be able to tell you why. Without looking at the config I can't tell you if it is a setting or perhaps a bug on the PIX that is causing it.
     