Solved sysctl MTU discovery drops internet speed

Hi guys,

I recently made some changes to sysctl.conf, and I noticed that the internet speed dropped drastically.

Anyone who downloaded a file from my Apache server had a speed of around 4 Mb/s. After changes to sysctl, the speed dropped to 25 kb/s.

So I isolated each sysctl setting, until I found what is causing this drop in speed.

The culprit was net.inet.tcp.path_mtu_discovery=0

I understand that some network hardening settings can cause a small performance drop in speed, but a drop from 4 Mb/s to 25 Kb/s is too big.

Is there any explanation for this sysctl causing this drastic drop in speed?

Thanks,
Rafael Grether
 

On your firewall do not block "ICMP Type 3,4,11"

When you can't determine the maximum MTU, the MSS is set to its default of 536, or it continues to send larger packets, which will all get fragmented, and when the fragment reassembly buffer fills, all fragments will start to drop, which will decrease the speed. It's better not to disable the PMTU, and if you experience fragments due to someone blocking ICMP type 3, then you can enable PMTU blackhole detection, which will try to discover if there's an ICMP block on the line and reduce the MSS to 1200 or whatever net.inet.tcp.pmtud_blackhole_mss is set to.

More info:

It's also very common when there's VPN encapsulation, and when there is an incorrect MTU on the gre interface the VPN speed drops very heavily. Here's a very good example of how all this works:
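
The settings discussed in this thread, as an added example that is not part of the original posts: a small POSIX shell lint that reads a sysctl.conf-style file and reports whether PMTU discovery is disabled and whether the blackhole fallback is enabled. The function names, verdict strings and sample file contents are constructed for illustration; the defaults assumed for absent keys (path_mtu_discovery=1, pmtud_blackhole_detection=0, pmtud_blackhole_mss=1200) are assumptions to check against `sysctl` on the running system.

```shell
#!/bin/sh
# Added example: lint a sysctl.conf-style file for the PMTUD knobs from the thread.

# get_setting FILE KEY: print the last value assigned to KEY (last one wins).
get_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # drop comments
        {
            n = index($0, "=")
            if (n == 0) next                      # not an assignment
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# audit_pmtud FILE: print one verdict word.
# Assumed defaults when a key is absent: path_mtu_discovery=1,
# pmtud_blackhole_detection=0, pmtud_blackhole_mss=1200.
audit_pmtud() {
    pmtud=$(get_setting "$1" net.inet.tcp.path_mtu_discovery)
    bh=$(get_setting "$1" net.inet.tcp.pmtud_blackhole_detection)
    mss=$(get_setting "$1" net.inet.tcp.pmtud_blackhole_mss)
    if [ "${pmtud:-1}" = "0" ]; then
        echo "PMTUD_DISABLED"                     # the setting blamed in the thread
    elif [ "${bh:-0}" = "0" ]; then
        echo "PMTUD_ON_NO_BLACKHOLE_FALLBACK"     # relies on ICMP getting through
    else
        echo "PMTUD_ON_BLACKHOLE_MSS_${mss:-1200}"
    fi
}

# Constructed sample files (not taken from the thread).
hardened=$(mktemp); suggested=$(mktemp)
printf '%s\n' '# hardening guide' \
    'net.inet.tcp.path_mtu_discovery=0  # the culprit' > "$hardened"
printf '%s\n' 'net.inet.tcp.path_mtu_discovery = 1' \
    'net.inet.tcp.pmtud_blackhole_detection=1' \
    'net.inet.tcp.pmtud_blackhole_mss="1200"' > "$suggested"

echo "hardened:  $(audit_pmtud "$hardened")"
echo "suggested: $(audit_pmtud "$suggested")"
rm -f "$hardened" "$suggested"
```
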
 