MTU is reduced to 576 when VS is attached

Question

Hi,&nbsp;
I am a newcomer to BIG-IP. I have a LTM deployed in L2 mode by putting two untagged interface to one VLAN group.&nbsp;
Without attaching any VS, everything is normal and the MTU is 1500, from client side packet capture.&nbsp;
Once I attached a VS for redirecting HTTP, I can see from Wireshark on client machine that all packets from LTM is limited to MTU 576 (with Ethernet header, the packet size is 590).&nbsp;
I suspected the problem is from the pool members. So I shutdown all pool members and added fail open logic by detecting the active member (thanks to Aaron for answering my question posted on the iRules forum last night).&nbsp;
After this change, MTU from client side packet capture is still 576. I used the default HTTP profile in the VS.&nbsp;
I am using LTM VE BIG--IP-10.1.0.3341.1084.&nbsp;
Is this a known issue or I did something wrong?&nbsp;
Thanks a lot,&nbsp;
Peter&nbsp;

what_lies_bene1 · Answer

Assuming you've checked the MTU for the VLAN group, the best way to determine the source of the problem would be to do a tcpdump, using the client IP as a filter (assuming no SNAT is being used). Something like this: tcpdump -i any -nn -vv -s0 -X host x.x.x.x. Perhaps the Pool Member's IP MSS is set very low for some reason.

peter_125719 · Answer

Yes. I checked the MTU of the VLANs in the VLAN group. They are set to 1500. There is nothing special from the virtual server and the pool. The virtual server is actually a web proxy. So if I fail open with no active members available, the client can still visit the original web server. Standard HTTP profile is used for the virtual server. 
&nbsp;  
&nbsp; I did run traffic capture on BIG-IP on both internal and external interfaces for the fail open case. In the SYN-ACK from server side to LTM external, MSS is 1430. But in the same packet forwarded from LTM to client, MSS is set to be 1460 (1460 + 20 + 20 = 1500), which is perfectly consistent with the MTU in the internal VLAN interface. But the actual maximum packet size on the internal interface  is 612, which includes the 22 extra bytes LTM padding (590 + 22 = 612). While on the external interface size, the server side maximum packet size is 1506: 
&nbsp;      1430 (MSS) + 20 (TCP header) + 20 (IP header) + 14 (Ethernet header) + 22 (LTM padding with VS name)= 1506 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Peter

what_lies_bene1 · Answer

OK, so how are you determining the maximum packet size on the internal VLAN? Is this simply the largest packet size you've seen in your packet capture? Have you confirmed the client MSS and layer 2 MTU settings?

hooleylist · Answer

I would contact your F5 or partner SE and ask for an evaluation key for BIG-IP VE.  This will support any currently supported LTM version and not be subject to older bugs and some technical restrictions.  I'm not certain it will fix this specific MTU issue, but I don't think it's worth spending too much time troubleshooting with the 10.1 trial VE. 
&nbsp;  
&nbsp; Aaron

peter_125719 · Answer

Got a point, Aaron. I do have a 11.x trial license. I will set it up and update this thread later. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Peter

Forum Discussion

MTU is reduced to 576 when VS is attached

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Reduce Login Friction with F5 Distributed Cloud Authentication Intelligence

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Three Attached Deployment

Deploying F5 Distributed Cloud (XC) Services in Cisco ACI - Layer Two Attached Deployment

SSL Orchestrator Advanced Use Cases: Reducing Complexity

F5 cleanup to reduce space