In cases of hanging, freezing, slow, unresponsive internet connections the cause is usually unreasonably identified as "MTU/MRU issue" with several hastily proposed "magic cures" (usually invalid or inapplicable for the situation) like commands involving iptables
or ifconfig
, and other "clamp MTU to TSS" spells.
What I want to know is what exactly the MTU/MRU issue is, why it affects the connection speed and latency, and how it is cured (known and modern methods), since I'd like to knowledgeably approach the resolution to the issue, not magically.
This is a bit of a complicated Question, so I'll start with the basics. Forgive me if you know all this already.
MTU is the Maximum Transmission Unit, the largest packet of data that a computer interface will send. For Ethernet the default is 1500 Bytes. Ethernet frames typically are allowed to be up to 1522-1542 (depends on what you count) and the extra space is 'reserved' for header information.
Various connections may have different capabilities. It's pretty common to run across a link on the Internet that has an MTU that's slightly smaller than 1500. This is usually due to the link employing extra header information or using a medium other than 'standard' Ethernet (most of the Internet actually runs on ATM/SoNet connections). Normally traffic that encounters such a link is simply broken into multiple pieces and sent along.
Because this is common, and was at the time IP was invented, part of the ICMP protocol's responsibility was to communicate any problems with MTUs. If a packet for any reason couldn't be broken and forwarded, ICMP is used to communicate the problem back to the sending computer. The sending computer takes appropriate action, breaking the information into smaller chunks and everyone is happy. This whole process is handled behind the scenes. In a properly functioning network it is never necessary to muck with MTU settings.
The qualifier on that last sentence is the kicker. There are three common reasons the automated process breaks down:
ping
utility).So, why is is common: Lazy technicians/companies. It's almost universally 'easier' to handicap the connection with a tiny MTU than to fix one of the problems outlined above. As stated above nobody should every have to mess with MTU these days (the one exception I can think of being enabling Jumbo frames, but that's really not what we're discussing here). The correct cure in any case is to figure out the underlying problem and fix that; classic case of treat the sickness not the symptom.
How does MTU affect a connection? Chopping the data into tiny pieces means each piece will have a better chance of getting to the destination, especially across highly unreliable connections. Being smaller pieces however, there's more overhead per the data transmitted. This means the effective connection speed is decreased; substantially if the MTU is really small. Latency may be affected, though I would expect it to be minor, because of the extra processing and overhead of the header and fragmentation/reassembly process.
Update: - Regarding
--clamp-mss-to-pmtu
Personally I've never mucked about with MTU; I admit I'm a bit of a perfectionist and when presented with ugly hacks like this I always find the root of the problem and have been able to correct it. To that end the
iptables
option--clamp-mss-to-pmtu
is unfamiliar to me. Apparently it is extremely common, and likely very unwarranted in most situations, to use this hack. It is still a hack to compensate for one of the above problems. I quote from the Linux manpage for iptables(8):The relatively harsh language of the manpage should be an indication as to how much contempt is garnered by ISPs and Networks who do not follow the RFCs (and make no effort to try or compensate).
Speaking to the use of UDP in VPNs, this used to be most common to minimize the overhead of the VPN and allow the existing endpoints to manage the session information. There's no way for the VPN to know how the session should be handled, so that task is really best left to the applications that know.
Many modern VPN tunneling protocols are built on either lower levels (with even less overhead), such as GRE and L2TP; or tunneled at higher levels (usually for compatibility with restrictive firewalls or other reasons), such as SSTP or SSH. These will gradually replace UDP as a transport mechanism.
Update 2: - Diagnosing MTU/ICMP Problems
So you think you've got a MTU/ICMP issue and want to be sure. There are two basic steps to this process. The directions are for a Linux or BSD box, but can be adapted to just about any OS.
ping -c 2 -s 1472 -D google.com
.traceroute -F google.com 1472
. This will tell you which hop is broken. Note: it's pretty common for CPE to not respond to traceroute requests, so don't be alarmed if the first hop doesn't respond.On a side note: What ISP uses PPTP these days?! That's a blast from the antiquated and useless past. They should at least be using PPPoE; but simply authorizing the modem by MAC and Segment would be so much easier (easier for both the ISP and Customer).