MTU Troubleshooting on Cisco IOS

Hi Syed,

Is 1000 bytes the maximum? If so, it’s probably not related to MTU but something else.


MAx is 1500

I’m talking about the pings that go through :slight_smile: You could ping with a MTU of 1000 but anything higher doesn’t work?

Thats is Correct :slight_smile:

Hmm any chance you have an IP audit policy on one of your ASA interfaces?

Hi. Great explanations. Couple quick clarifications.

  1. You mention ‘The MSS value isn’t synchronized between hosts, it can be different for each direction’ - I thought this gets negotiated as a part of the 3 way handshake? Are you saying in your example above if say set “ip tcp adjust-mss 1360” on the f0/1 of R2 and then set “ip tcp adjust-mss 1460” on the f0/1 of R1 then it wouldnt negotatiate down to the lowest common MSS and hence break?

  2. Assuming I am using GRE over IPSEC with transport mode I looked at a recent customer network in which the tunnel interface was set to “IP MTU 1400” and it also had the corresponding command “ip tcp adjust-mss 1360” under the tunnel interface as well. The tunnel interface MTU was kept at default which was 17912. Seems redundant based upon some of the explanations above to set the MTU when setting the “ip tcp adjust-mss” command? Assume it is really one or the other like you mentioned above, but the adjust-mss would avoid fragmentation where the IP MTU would cause fragmentation so better to use the adjust-mss? What is the best practice ideal setting for the tunnel interface in this case as it relates to this and the appropriate size (ie is adjust-mss the best approach, but maybe we should make the byte size higher than 1360)?

  3. How does “MPLS MTU” compare to “IP MTU” on the interface level? Does it behave in the same fashion?

Many thanks.


Hi Rene, I’m confused. What is the difference between MTU and windows size? I hope my questions doesn’t estupit.

Hi Alberto,

It’s a good question, these are confusing topics. The window size is used by TCP between hosts to tell each other how many bytes to send. Take a look at this post:

I think that will help.


Hi Thomas,

  1. That’s right, the MSS can be different on each side. It’s not synchronized between hosts.

  2. It’s probably redundant if you use TCP traffic yes, adjusting the MSS will prevent fragmentation. What about other traffic like UDP? I would set both the MTU and adjus MSS on the interface

  3. MPLS MTU is similar to IP MTU, it’s for labeled packets. Each MPLS header is 4 bytes, normally you’ll have two MPLS headers…one for the transport label and one for the VPN label so that’s 8 bytes of overhead.


HI Rene,

what about fragmentation issue’s when dealing with nat interface, something to do with ip virtual interface seeing high number of fragmentations?. How do you notify or investigate if and what the mss/mtu needs to be changed to? thanks

Hi Adil,

When a NAT router receives fragmented packets then it might have to reassemble them so it can check L4 information that is required for translation. Once it is translated, it’s possible that the router has to fragment the packet again so it can be forwarded (if the MTU on one of its own interfaces is too small).

I would first try to figure our where your fragmented packets come from…you can do this with an access-list, make it match on fragments and then check which IP addresses send them.


Thank you Rene, Appreciated once again :slight_smile:

Hi Rene,

how about a gre tunnel? what should be the mtu size and mss? btw hope your well :slight_smile:

Hi Adil,

I’m doing good, hope you as well :slight_smile:

GRE encapsulation adds 4 bytes of additional overhead so the mtu and tcp mss will be 4 bytes smaller.

Besides GRE, there’s MPLS labels, IPSEC Tunnel/Transport/AH/ESP with all kinds of different values :slight_smile:


Hi Rene,

I abit confusing, If we set the Router interface MTU to 1400 bytes, and the host sending the packet more than 1400 bytes, the router will know the packet more than 1400 and start fragment it. But once fragment it, the packet will still able to reach to the destination right? Why it will cause the connection extremely slow or event some of the content not able to open at all?

And by increase the router MTU for backbone connected each other, will it have any benefit like improve the bandwidth or speed up the connection?

And both MTU between router and host connected must be match? It can be higher at Router and lower at Host?


Hi Davis,

If the packet is too large then yes, the router will fragment the packet and forward the fragments. Fragmentation however can be a bad idea since it will increase your CPU load. For this reason, some routers disable fragmentation which means your packet will be dropped instead.

On high bandwidth links, a higher MTU will increase your bandwidth. A good example are jumbo frames for ethernet which allow 9000 bytes of payload. There are some benchmarks online if you want to see the difference.

The MTU doesn’t have to be match, it can be different depending on the interface you are using.


Hi Rene,

Example if the PPPOE using, there’s additional 8 bytes will added on top of the 1500 bytes (1460+20+20) which is 1508 bytes, so standard Ethernet MTU router interface is 1500 can be received, so in this case, the router will start fragment it to 2 or more segment in order to reach the destination? Am i right?

Same to GRE Tunnel 1500 Bytes (1460+20+20) + 24 Bytes which is 1524 Bytes, again packet will start fragment?

Above scenario, if we don’t specify the lower IP MTU to 1492 for PPPOE and 1476 for Gre Tunnel in the router interface, then it will still fragment when the packet more than 1500 bytes right? Then why we need to specify the IP MTU to tell the router when to fragment the packet since it will still fragment when more than 1500 bytes?


Hi Davis,

The hardware MTU of the interface is the maximum packet length that the interface can support. If you send something that the interface MTU can’t handle, it will be dropped. It won’t be fragmented.

The IP MTU determines when to fragment an IP packet. Typically we configure it the same as the interface MTU so that it does do fragmentation when required.

The router will fragment these packets but only if your IP MTU setting matches the interface MTU. Otherwise it will not fragment it, try to forward it and then it will be dropped.


Hi Rene,

if the medium is capable to carry MTU of 1500 but we configure the interface to be less than that such as you used in the example to be 1400 but you worked out by adjusting the MSS and got it working with no issues. My question is there any impact for that vs using full capacity of the medium ? And what are the circumstances that we use such lower value of MTU ? THX

There are several circumstances where it would be best to set the MTU to be lower than what the medium is capable of supporting. Your goal is still to use as much as possible, but sometimes it is up to the administrator to adjust for how the network is setup. An example of this would be IPSEC VPNs. In both Tunnel and Transport modes of IPSEC, additional headers are added on to the packet. If you don’t account for these, it is possible that the router would have to start fragmenting the packets. Fragmenting in a VPN scenario can really spike the CPU utilization of the router which will ultimately reduce your throughput capability.

Another example would be tunneling: like GRE or DMVPN. Each of these technologies add overhead to packets, so the MTU should be adjusted as to avoid fragmentation.