Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

MTU / ICMP / Firewall issues? in attempt to solve hung connections (long)

156 views
Skip to first unread message

Philip Herlihy

unread,
May 19, 2009, 4:32:17 PM5/19/09
to
I'm trying to get to the bottom of some unrelated (?) connectivity
issues, and I've started wondering/googling MTU and ICMP issues.

In one situation I have problems accessing an XP machine using VNC from
my XP machine. I have a "rule" on the firewall/router which diverts
the relevant port to the target machine (wireless connection).
Sometimes it's so slow as to be unusable, with the screen remaining
half-drawn indefinitely. I discovered recently that if I VNC to another
machine (win2k) within the office (cable connection) I can then VNC from
there to the target machine (still wireless!) and get a perfectly usable
connection.

In the same office, one XP PC seems to have persistent problems
accessing the network via its network adapter - despite trying two
different cards, one USB adapter and two different wireless access
points! Always slow on that machine, often unusably so, while others
nearby are fine.

In another office I can use VNC successfully at the beginning and end of
the day, but not around the middle of the day (when, presumably, the
network is more heavily loaded). Targets are XP.

I've tried a lot of different tweaks over many months. This recent
discovery that I can get a good VNC connection in two jumps has given me
new hope!

I've been researching MTU issues as a possible fix.

As I understand it, MTU (Maximum Transmission Unit) describes the size
of the largest packet to (be expected to) get through the network
without being fragmented. Different types of network (e.g. dial-up)
work best with different sizes of MTU. The default (if there is one) is
1500, with other sizes down to 1400 being suggested for different
situations. Netgear suggest trying 1400 to "solve most problems":
http://kb.netgear.com/app/answers/detail/a_id/1153

This article describes an empirical way of checking what MTU works best
in a given situation:
http://www.dslreports.com/faq/5793

Now, in the situation I'm most concerned about, I have my machine, my
router (on which I can change the MTU at will), the office router
(ditto), two wireless access points (neither have an MTU setting) and
the destination machine(s). Changing the MTU on the end machines will
involve a registry hack after identifying the interface:
http://help.expedient.com/broadband/mtu.shtml
Am I right in thinking that if I lower the MTU on any one of them, it'll
be effective across the entire connection? Which one should I change first?

I've also remembered a situation I encountered some years ago when a
firewall was found to be blocking ICMP packets. For anyone following
this, ICMP is a collection (as I understand it) of "control" protocols
which can be necessary for a TCP connection to "tune" itself. See:
http://technet.microsoft.com/en-us/library/cc758065(WS.10).aspx
I found (can't remember the details) that allowing ICMP through a
firewall unblocked that particular jam. See:
http://www.dslreports.com/faq/2520

Is this likely to be relevant here? I could do with someone who
actually knows more than I can find on Google to share some experience!

Meanwhile, I've done some experiments. I tried setting the MTU on the
office router to 1400, but it soon emerged that people were finding web
access slow at best. Setting it back to 1500 fixed that. During the
1400 period, I ran some ping tests (ping -f -l [packet size] [target]).
Under 1400 - four clean responses. Packet size 1500 - error "packet
needs to be fragmented but DF set". In between: time out. (is that weird?)

I haven't yet experimented on my local machine. I'm considering
fiddling with the firewall: see:
http://support.microsoft.com/kb/875357

Would be glad of some guidance first!

Phil, London

Philip Herlihy

unread,
May 19, 2009, 4:49:43 PM5/19/09
to

If anyone's following this, I've just found a useful reference on ICMP
Type 3:
http://www.networksorcery.com/enp/protocol/icmp/msg3.htm
... and one on PathMTU Discovery:
http://www.znep.com/~marcs/mtu/
... which is what I was thinking of.

Phil

Philip Herlihy

unread,
May 19, 2009, 4:52:53 PM5/19/09
to


And one more useful reference, on the security implications:
http://www.spirit.com/Network/net0700.html

Phil

John Wunderlich

unread,
May 19, 2009, 11:23:56 PM5/19/09
to
Philip Herlihy <thiswillb...@you.com> wrote in
news:mHEQl.95177$mS6....@newsfe27.ams2:

MTU is the maximum packet size that can be sent as one packet without
breaking the packet up into smaller packets. This size includes not
only content but headers as well. This is why it is often a problem
with VPN and DSL -- because both DSL (PPPoE) and VPN add extra header
length. Symptoms agree with what you're seeing.

Forget about tweaking the MTU on any Routing device. If MTU is a
problem, it's because the originating device (ie your computer) is
generating packets that are too big overall and force a routing
device to break up the packets which often lead to errors and failed
transmission. You must adjust the MTU on the originating computer.
When Cisco install its VPN client, it sets the MTU to 1300 on the
local computer. This is extremely conservative but I doubt that
Cisco gets many complaints.

You are right, a registry tweak is needed to set MTU on a Windows XP
machine, but there are progams out there that you can use to sidestep
manual registry editing. One of them is "DrTCP". (Do not use DrTCP
with Vista).

<http://www.dslreports.com/drtcp>
<http://www.dslreports.com/faq/578>

HTH,
John

Philip Herlihy

unread,
May 20, 2009, 6:52:43 AM5/20/09
to


Thanks, John - I'll do some experiments on machines at both ends.

Phil

0 new messages