I recently deployed a couple of wireless access points to two sites that connect to our main office over IPSEC VPN. After a recent firmware update to the wireless controller both access points got stuck in a provisioning loop and appeared to have difficulty communicating with the controller. Both AP’s repeatedly disconnected due to a “heartbeats lost” error.
Connectivity between the main office and the remote sites appeared fine. Both access points were reachable via ping and ssh. I set up a packet debug on both sites’ firewalls and saw traffic going back and forth between the access points and the controller, and both access points appeared on the controller status window, alternating between “Provisioning” and “Disconnected”.
Needless to say I was slightly baffled.
I opened a ticket with the wireless vendor and (very quickly) received an answer. The MTU for CAPWAP traffic between the access points and the controller is hard set by the controller to 1500*. With these sites connected via IPSEC, that was going to cause some fragmentation due to the overhead that IPSEC was going to add onto the traffic going between sites.
I needed to lower the MTU size on the controller, but to what value? IPSEC doesn’t seem to have a ‘fixed’ header size due to the different encryption options that can be used. So how do I find out exactly how much our particular IPSEC configuration is adding?
ping -f
The -f flag from a Windows command prompt prevents an ICMP packet from being fragmented. This, combined with the -l flag allows you to set the size of the ICMP packet being sent.
So, assuming a standard ethernet MTU of 1500, and accounting for an 8-byte ICMP header, and 20-byte IP header, I should be able to send an ICMP packet sized to 1472 bytes, but 1473 should be too large:
C:\Users\netcanuck>ping 172.16.32.1 -f -l 1472
Pinging 172.16.32.1 with 1472 bytes of data:
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251
C:\Users\netcanuck>ping 172.16.32.1 -f -l 1473
Pinging 172.16.32.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Excellent! So now to test across our IPSEC tunnel:
C:\Users\netcanuck>ping 172.16.68.1 -f -l 1472
Pinging 172.16.68.1 with 1472 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Now this makes sense. The MTU size does not account for the IPSEC overhead.
After some testing with different packet sizes I hit on the magic number: 1384 bytes. At 1385 the packets were again rejected as being too large. So some quick math:
ICMP payload: 1384 bytes
ICMP header: 8 bytes
IP header: 20 bytes
Subtotal: 1412 bytes
This leaves 88 bytes as the IPSEC header. I should be able to set the MTU size on the controller to 1412 and the access points should resume functioning normally.
I did in fact set the MTU to 1400 – I like nice, round numbers – and sure enough both access points resumed proper communication with the controller.
What I Learned Today
Sometimes the simple tools are easy to overlook. Using a standard Windows command prompt and ping using the -f flag is a quick and easy way to diagnose MTU and fragmentation issues across a VPN tunnel.
* It appears from the support documentation for this particular wireless vendor that the MTU size should be 1450 by default which should take into account at least some overhead and explains why these access points were working fine until now. The firmware update seems to have changed this to 1500.
Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your blog? My blog is in the very same area of interest as yours and my users would certainly benefit from a lot of the information you provide here. Please let me know if this okay with you. Thanks a lot!
Absolutely! Thanks for reading.
This is exactly what I need as I am having issues with CAPWAP comms over a VPN tunnel. Would you provide where exactly in the WLC GUI you can change the MTU? Thanks.
Hi, the controller in this situation was a Ruckus ZD3000 and the MTU option is under Configure –> Access Points –> Access Point Policies. Here there is an option for “Tunnel MTU” which controls the MTU size between the controller and the APs.
For Cisco Controllers – I presently don’t have one in a lab that I could access to find that information. However the following resources may be of assistance for you:
http://mrncciew.com/2013/04/07/configuring-tcp-mss/
http://revolutionwifi.blogspot.ca/2010/07/fragmentation-in-controller_02.html
It appears this is not something you can set via the WLC GUI but must be done from the CLI.
I hope that helps, and thanks for reading!
NetworkCanuck
Hi,
Could you explain, how didi you count this IPSec overhead bytes.
Say if i am sending 46Byte clear text msg from simulator then what would be the exact msg size with ipsec overhead.
Thanks,
Santosh
Hi Santosh,
Using ping -f as described in the post you can test how much IPSEC overhead you have by incrementing the size of the frame until it gets fragmented.
Rob
Hello, I have simliar issue where AP is behind the firewall and WLC is at the hub side. We have ipsec tunnel between router and firewall.AP is not getting registered to WLC . I did change MTU at the WLC to 1400. My WLC is Ruckus only. can you please advise me any other thing here? its been 4 days since i am working on this..
Hello, I have similar issue where AP is behind the firewall and WLC is at the hub side. We have ipsec tunnel between router and firewall.AP is not getting registered to WLC . I did change MTU at the WLC to 1400. My WLC is Ruckus only. can you please advise me any other thing here? its been 4 days since i am working on this..Thnkx for inputs!
Prashant,
I’ve had success lowering the MTU to as low as 1200. I would recommend trying lower MTU settings until you find the issue is resolved.
Cheers,
Rob
On a unix machine (a Mac running 10.9.5 in my case) you can use -D for don’t fragment and -s for the size of the packet.
Ben
Good stuff and clearly explained article – thanks bud
I think we have the same problem, but with a netgear WC 7600 controller.
Has anybody find a sollution to set packetsize on the netgear?
regards,
Laurens