L3VPN fragmentation problem

Wed Aug 17, 2022 3:15 pm

I have a lab with L3VPN between two CHR 7.4.1.

Client 1 - (vrf A) CHR 1 (vrf main) - internet - (vrf main) CHR 2 (vrf A) - Client 2

Everything works fine except TCP. When I test throughput with iperf3, I get less than 1mb, but on UDP it's about 300mb.
Some investigation showed that the problem is only with TCP and MPLS. If I write static routes between vrfA and main, iperf3 shows 300mb as expected.
If I run iperf with the flag "set-mss 500", I see 2 types of packets: small (500+) and doubled (1000+). The first type of packet passes through the tunnel fine, but if the packet length is more than the MSS of the session between the clients, I see drops on GRE TX. At the same time, I'm able to send ICMP/UDP packets of more than 1000 bytes without any problems.
All features like fasttrack are disabled, and the firewall doesn't contain any rules.

[admin@MikroTik] > /ip/firewall/export
/ip firewall mangle
add action=change-mss chain=forward new-mss=1300 out-interface=nr_gre_1_1-3_2 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65000
[admin@MikroTik] >

[admin@MikroTik] > /ip/address/print
0  ether1
1  ether2
2    nr_dummy_vrf
3  nr_loop_1_1-2_1
4    nr_gre_1_1-3_2
5  nr_loop_1_1-3_2

[admin@MikroTik] > /ip/vrf/print
Flags: X - disabled; * - builtin
 0    name="transit" interfaces=ether2,nr_dummy_vrf

 1  * name="main" interfaces=all

[admin@MikroTik] > /interface/gre/print
Flags: X - disabled; R - running
 0  R name="nr_gre_1_1-3_2" mtu=auto actual-mtu=1434 local-address= remote-address=212.x.x.x keepalive=2s,8 dscp=inherit
      clamp-tcp-mss=yes dont-fragment=inherit ipsec-secret="password" allow-fast-path=no

[admin@MikroTik] > /routing/bgp/export
# aug/16/2022 16:38:14 by RouterOS 7.4.1
# software id =
/routing bgp connection
add address-families=ip,vpnv4 as=65001 disabled=no hold-time=4s keepalive-time=1s local.address= .role=ebgp multihop=yes name=nr_bgp_1_1-3_2 \
    output.filter-chain=med_primary .redistribute=static remote.address= .as=65002 router-id=nr_id
/routing bgp vpn
add export-route-targets=1:1 import-route-targets=1:1 label-allocation-policy=per-vrf route-distinguisher=1:1 vrf=transit

[admin@MikroTik] > /mpls/export
# aug/16/2022 16:38:24 by RouterOS 7.4.1
# software id =
/mpls interface
add disabled=no interface=ether1
add disabled=no interface=nr_gre_1_1-3_2
/mpls ldp
add lsr-id= transport-addresses=
/mpls ldp interface
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=ether1 transport-addresses=
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=nr_gre_1_1-3_2 transport-addresses=

I've tried playing with the MSS and with the tunnel type, but without success.
Also, bttest between the CHRs shows me the expected 300mb, so the problem happens only with transit traffic.

