myUsername1
just joined
Topic Author
Posts: 1
Joined: Wed Aug 17, 2022 3:04 pm

L3VPN fragmentation problem

Wed Aug 17, 2022 3:15 pm

Hello!
I have a lab with L3VPN between two CHR 7.4.1.

Client 1 - (vrf A) CHR 1 (vrf main) - internet - (vrf main) CHR 2 (vrf A) - Client 2

Everything works fine except TCP. When I test throughput with iperf3, I get less than 1mb, but on UDP it's about 300mb.
Some investigation showed that the problem is only with TCP and MPLS. If I write static routes between vrfA and main - iperf3 shows 300mb as expected.
If I run iperf with flag "set-mss 500" I see 2 types of packets: small (500+) and doubled (1000+). The first type of packets passes via the tunnel fine, but if the packet length is more than the MSS on the session between clients, I see drops on GRE TX. At the same time I'm able to throw ICMP/UDP packets of more than 1000 bytes without any problems.
All features like fasttrack are disabled, and the firewall doesn't contain any rules.
[admin@MikroTik] > /ip/firewall/export
/ip firewall mangle
add action=change-mss chain=forward new-mss=1300 out-interface=nr_gre_1_1-3_2 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65000
[admin@MikroTik] >


[admin@MikroTik] > /ip/address/print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS            NETWORK       INTERFACE
0 192.168.19.31/23   192.168.18.0  ether1
1 192.168.16.180/23  192.168.16.0  ether2
2 172.19.0.1/32      172.19.0.1    nr_dummy_vrf
3 172.18.11.21/32    172.18.11.21  nr_loop_1_1-2_1
4 10.11.32.1/24      10.11.32.0    nr_gre_1_1-3_2
5 172.18.11.32/32    172.18.11.32  nr_loop_1_1-3_2

[admin@MikroTik] > /ip/vrf/print
Flags: X - disabled; * - builtin
 0    name="transit" interfaces=ether2,nr_dummy_vrf

 1  * name="main" interfaces=all

[admin@MikroTik] > /interface/gre/print
Flags: X - disabled; R - running
 0  R name="nr_gre_1_1-3_2" mtu=auto actual-mtu=1434 local-address=192.168.19.31 remote-address=212.x.x.x keepalive=2s,8 dscp=inherit
      clamp-tcp-mss=yes dont-fragment=inherit ipsec-secret="password" allow-fast-path=no

[admin@MikroTik] > /routing/bgp/export
# aug/16/2022 16:38:14 by RouterOS 7.4.1
# software id =
#
/routing bgp connection
add address-families=ip,vpnv4 as=65001 disabled=no hold-time=4s keepalive-time=1s local.address=172.18.11.32 .role=ebgp multihop=yes name=nr_bgp_1_1-3_2 \
    output.filter-chain=med_primary .redistribute=static remote.address=172.18.32.11 .as=65002 router-id=nr_id
/routing bgp vpn
add export-route-targets=1:1 import-route-targets=1:1 label-allocation-policy=per-vrf route-distinguisher=1:1 vrf=transit


[admin@MikroTik] > /mpls/export
# aug/16/2022 16:38:24 by RouterOS 7.4.1
# software id =
#
/mpls interface
add disabled=no interface=ether1
add disabled=no interface=nr_gre_1_1-3_2
/mpls ldp
add lsr-id=172.19.0.1 transport-addresses=172.19.0.1
/mpls ldp interface
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=ether1 transport-addresses=172.18.11.21
add accept-dynamic-neighbors=yes hello-interval=1s hold-time=4s interface=nr_gre_1_1-3_2 transport-addresses=172.18.11.32

I've tried to play with MSS and with tunnel types, but without success.
Also, bttest between the CHRs shows me the expected 300mb, so the problem happens only with transit traffic.
