# [solved] cisco VPN client IPTABLES MTU/MSS problem

## Dagger

Hi,

I've got a Cisco VPN client installed on my firewall/router machine. The Cisco interface has an MTU of 1356.

I've got rules in place for NAT and forwarding. Most things are working fine except scp, ftp, and a few others. Generally the problem lies in MTU/MSS. I have a rule which SHOULD adjust it, but somehow it doesn't work.

The configuration looks like:

10.0.1.12 ---> 10.0.0.1 (firewall) ~~~~~~~(VPN)~~~~~~~ X.X.X.X (cisco router) ----> 10.150.64.17

Some configs:

```sh
# Clamp the MSS of every SYN forwarded out through the VPN interface to the path MTU
$IPTABLES -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

When I start transferring files over SSH it works for a moment and then hangs.

tcpdump:

```
13:30:15.827225 IP 10.0.1.12.37451 > 10.150.64.17.22: . 6413:10325(3912) ack 3000 win 107 <nop,nop,timestamp 170166198 154576774>
13:30:15.829730 IP 10.150.64.17.22 > 10.0.1.12.37451: . ack 6413 win 169 <nop,nop,timestamp 154576774 170166184>
13:30:15.829748 IP 10.0.1.12.37451 > 10.150.64.17.22: . 10325:11629(1304) ack 3000 win 107 <nop,nop,timestamp 170166201 154576774>
13:30:15.829752 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166201 154576774>
13:30:15.841386 IP 10.150.64.17.22 > 10.0.1.12.37451: . ack 7717 win 189 <nop,nop,timestamp 154576777 170166198>
13:30:15.841411 IP 10.0.1.12.37451 > 10.150.64.17.22: . 11949:14557(2608) ack 3000 win 107 <nop,nop,timestamp 170166213 154576777>
13:30:15.844319 IP 10.150.64.17.22 > 10.0.1.12.37451: . ack 10325 win 230 <nop,nop,timestamp 154576777 170166198>
13:30:15.844330 IP 10.0.1.12.37451 > 10.150.64.17.22: . 14557:18469(3912) ack 3000 win 107 <nop,nop,timestamp 170166216 154576777>
13:30:15.845032 IP 10.150.64.17.22 > 10.0.1.12.37451: . ack 11629 win 250 <nop,nop,timestamp 154576778 170166201>
13:30:15.845041 IP 10.0.1.12.37451 > 10.150.64.17.22: . 18469:21077(2608) ack 3000 win 107 <nop,nop,timestamp 170166216 154576778>
13:30:16.061394 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166433 154576778>
13:30:16.495271 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166867 154576778>
13:30:17.363267 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170167735 154576778>
13:30:19.099324 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170169471 154576778>
13:30:22.571268 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170172943 154576778>
13:30:29.515295 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170179887 154576778>
13:30:43.403294 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170193775 154576778>
13:31:11.179272 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170221551 154576778>
```

some other tcpdump logs:

```
13:28:09.584730 IP 10.0.1.12.46180 > 10.150.64.17.22: P 2565:2597(32) ack 3560 win 121 <nop,nop,timestamp 170039956 154545206>
13:28:09.584770 IP 10.0.1.12.46180 > 10.150.64.17.22: F 2597:2597(0) ack 3560 win 121 <nop,nop,timestamp 170039956 154545206>
13:28:09.595166 IP 10.150.64.17.22 > 10.0.1.12.46180: . ack 2565 win 108 <nop,nop,timestamp 154545209 170039956,nop,nop,sack 1 {2636613323:2636613324}>
13:28:09.595260 IP 10.150.64.17.22 > 10.0.1.12.46180: . ack 2598 win 108 <nop,nop,timestamp 154545209 170039956>
13:28:09.595883 IP 10.0.1.12.35256 > 10.150.64.18.22: S 1270854249:1270854249(0) win 5840 <mss 1460,sackOK,timestamp 170039967 0,nop,wscale 7>
13:28:09.596401 IP 10.150.64.17.22 > 10.0.1.12.46180: F 3560:3560(0) ack 2598 win 108 <nop,nop,timestamp 154545209 170039956>
13:28:09.596411 IP 10.0.1.12.46180 > 10.150.64.17.22: . ack 3561 win 121 <nop,nop,timestamp 170039968 154545209>
13:28:09.605819 IP 10.150.64.18.22 > 10.0.1.12.35256: S 2253632500:2253632500(0) ack 1270854250 win 5792 <mss 1380,sackOK,timestamp 153827888 170039967,nop,wscale 7>
```

Any help would be appreciated.

ta

----------
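
The first capture above shows the classic symptom of an MTU/MSS problem: the same segment (`P 11629:11949(320)`) is retransmitted again and again with roughly doubling intervals while the other side never acknowledges past it, and the second capture shows the two sides advertising MSS 1460 and 1380 in the handshake, both larger than fits in a 1356-byte tunnel MTU. As an added example, not code from the original post, the shell/awk helper below reads tcpdump lines in exactly that format, prints the MSS advertised in each SYN/SYN-ACK and lists every data segment that was retransmitted at least N times. `SAMPLE` is a constructed subset of the lines posted above; the function names `syn_mss` and `find_retransmits` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: spot the PMTU black-hole signature in
# tcpdump output (one segment retransmitted over and over) and pull the MSS each
# side advertised in the handshake so it can be compared with the tunnel MTU.

# Constructed sample: a subset of the tcpdump lines posted in the thread.
SAMPLE='13:30:15.829748 IP 10.0.1.12.37451 > 10.150.64.17.22: . 10325:11629(1304) ack 3000 win 107 <nop,nop,timestamp 170166201 154576774>
13:30:15.829752 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166201 154576774>
13:30:16.061394 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166433 154576778>
13:30:16.495271 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170166867 154576778>
13:30:17.363267 IP 10.0.1.12.37451 > 10.150.64.17.22: P 11629:11949(320) ack 3000 win 107 <nop,nop,timestamp 170167735 154576778>
13:28:09.595883 IP 10.0.1.12.35256 > 10.150.64.18.22: S 1270854249:1270854249(0) win 5840 <mss 1460,sackOK,timestamp 170039967 0,nop,wscale 7>
13:28:09.605819 IP 10.150.64.18.22 > 10.0.1.12.35256: S 2253632500:2253632500(0) ack 1270854250 win 5792 <mss 1380,sackOK,timestamp 153827888 170039967,nop,wscale 7>'

# tcpdump field layout used below (classic tcpdump 3.x output as in the thread):
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 flags  $7 seq:seq(len)

# Print "src -> dst mss N" for every SYN / SYN-ACK. Anything above the value that
# fits the tunnel MTU (MTU minus 40 bytes of IPv4+TCP headers) needs clamping.
syn_mss() {
    awk '$6 == "S" {
        d = $5; sub(/:$/, "", d)
        m = $0; sub(/.*<mss /, "", m); sub(/,.*/, "", m)
        print $3, "->", d, "mss", m
    }'
}

# Print "src seq:seq(len) count" for every data-carrying segment (len > 0) that
# appears at least $1 times (default 3). SYNs and pure ACK/FIN lines are skipped.
find_retransmits() {
    awk -v min="${1:-3}" '
        $6 != "S" && $7 ~ /\([1-9][0-9]*\)$/ { n[$3 " " $7]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }' | sort
}

echo "== MSS advertised in handshakes =="
printf '%s\n' "$SAMPLE" | syn_mss
echo "== segments retransmitted 3+ times =="
printf '%s\n' "$SAMPLE" | find_retransmits 3
```

Run it against a live capture with `tcpdump -n -i <lan-if> tcp | find_retransmits`; a segment that keeps coming back while the peer's ACK number stays frozen, combined with a handshake MSS larger than the tunnel can carry, is the pattern this thread is about.

----------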

## Hu

The manpage says that TCPMSS is only valid in the mangle table.  The command you showed suggests that you are adding it to the filter table.  Is your rule actually in the mangle table?  Do the traffic counters indicate that it is being matched?

----------

## Dagger

TCPMSS is valid in the mangle and forward tables.

----------

## Dagger

Solved the problem by manually specifying the MSS as 1300, even below what --clamp-mss-to-pmtu would reduce it to (1316):

```sh
# Force a fixed MSS of 1300 on every SYN forwarded out through the VPN interface
$IPTABLES -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300
```

bloody cisco...

----------
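
As an added example, not code from the thread, the script below is the rule set and the check a practitioner would want around the fix above: it derives the MSS from the tunnel MTU (1356 - 40 = 1316, the value the thread quotes for --clamp-mss-to-pmtu), optionally subtracts a safety margin the way the final post dropped to 1300, writes the TCPMSS rules into the mangle table (the table the iptables man page documents the target for; the thread's rule in the plain FORWARD chain evidently worked too) for both directions plus locally originated connections, and prints the `iptables -t mangle -L -v -n -x` command that answers Hu's question about whether the rules are actually being matched. `VPN_IF`, `VPN_MTU`, `MSS_MARGIN` and `DRY_RUN` are assumed placeholders; by default the script only prints the commands.

```sh
#!/bin/sh
# Added example, not code from the thread: generate MSS-clamping rules for a
# tunnel interface and show how to verify that they actually match traffic.
# VPN_IF, VPN_MTU, MSS_MARGIN and DRY_RUN are assumed placeholders.

VPN_IF="${VPN_IF:-cisco0}"     # assumed interface name of the Cisco VPN client
VPN_MTU="${VPN_MTU:-1356}"     # MTU reported on that interface in the thread
MSS_MARGIN="${MSS_MARGIN:-0}"  # extra bytes to shave off (16 turns 1316 into the thread's 1300)
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = execute them (needs root)

# Largest TCP payload that fits an IPv4 packet of the given MTU: subtract the
# 20-byte IPv4 header and the 20-byte TCP header. TCP options such as the
# 12-byte timestamp option come out of this value as well, which is why an MSS
# of 1316 shows up as 1304-byte segments in the thread's capture.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# MSS to set: the MTU-derived value minus the margin, floored at 536 bytes
# (the IPv4 default MSS of RFC 879) so a typo cannot cripple every connection.
target_mss() {
    mss=$(( $(mss_for_mtu "$VPN_MTU") - MSS_MARGIN ))
    if [ "$mss" -lt 536 ]; then mss=536; fi
    echo "$mss"
}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# TCPMSS is documented for the mangle table, so say -t mangle explicitly.
# Clamp SYNs leaving through the tunnel and SYNs arriving from it, so both ends
# of every connection learn the reduced value, and cover OUTPUT for connections
# that originate on the firewall itself (those never traverse FORWARD).
clamp_rules() {
    mss=$(target_mss)
    run "$IPTABLES" -t mangle -A FORWARD -o "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
    run "$IPTABLES" -t mangle -A FORWARD -i "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
    run "$IPTABLES" -t mangle -A OUTPUT -o "$VPN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
}

# Hu's check: -v -x lists exact packet/byte counters per rule. Open a fresh TCP
# connection through the tunnel, then run this; a counter still at 0 means the
# rule sits in the wrong table or chain, or the interface name does not match.
show_counters() {
    run "$IPTABLES" -t mangle -L FORWARD -v -n -x --line-numbers
    run "$IPTABLES" -t mangle -L OUTPUT -v -n -x --line-numbers
}

clamp_rules
show_counters
```

To reproduce the thread's final value run it with `MSS_MARGIN=16`; to install the rules for real run it as root with `DRY_RUN=0`. The margin exists because the interface MTU is not always the true path MTU of the tunnel, which is exactly what the thread found when 1316 still hung and 1300 did not.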

