Tips & Tricks: TCP MSS Adjustments (Plus Video!)




The Maximum Transmission Unit (MTU) specifies the largest amount of data that can be transmitted by a protocol in one Transmission Control Protocol (TCP) segment. The MTU size of an Ethernet interface is 1500 bytes by default. If you take out the 20 bytes for the IP header and the 20 bytes for the TCP header, then you are left with the remaining 1460 bytes of the payload that can be transmitted in one frame. This is what we refer to as TCP MSS (Maximum Segment Size). Don't worry, that's the last acronym I'll spell out for you in this blog!


The larger the TCP MSS is, the less overhead you have, but the more that needs to be retransmitted in case of a problem. The larger frame also means increased latency due to the time necessary to transmit it. The smaller the TCP MSS is, the more overhead you'll have, but the less there is to retransmit if there is a problem. For the implementation of Ethernet, 1500 was picked as a compromise value.


That said, it might be useful to tweak its size to best fit your network. Most commonly, this is applied on tunneled traffic.

Encapsulation will generally add a certain number of bytes to the original size of the packet, for such things as an MPLS header, an ESP header or a VLAN tag on tunneled traffic.


One thing to keep in mind is that the header may vary in size.


Note: If the MTU on a device is hard set, it is possible for the tunnel to fail and break any path MTU algorithm, which is why you would implement TCP MSS adjustments.


For example, if the original packet size is 1465 bytes and the ESP header is 36 bytes, the resulting tunneled packet ends up larger than 1500 bytes (the MTU), causing slowness and sluggishness between IPSec peers because of packet fragmentation.


Enabling the option "Adjust TCP MSS" to automatically adjust MSS on the interface terminating the tunnel will resolve that issue by adjusting the MTU to compensate for the extra encapsulation.




If you prefer working with the CLI you can use the following commands to enable/configure this feature:




admin> configure
Entering configuration mode
admin# set network interface ethernet ethernet1/1 layer3 adjust-tcp-mss enable yes ipv4-mss-adjustment 40
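
To see what the adjustment value does to a handshake, the following Python sketch is an added example (not from the original post and not PAN-OS code) that clamps the MSS option in a SYN's TCP options the way an MSS-adjusting device does. It assumes the MSS ceiling is the interface MTU minus the configured adjustment; the function names and the sample SYN options are constructed for illustration, and the 36-byte ESP figure is the one used in the text above.

```python
import struct

EOL, NOP, MSS = 0, 1, 2   # TCP option kinds
IP_TCP_HEADERS = 40       # 20-byte IP header + 20-byte TCP header, as in the text

def walk_options(opts: bytes):
    """Yield (kind, offset, length) for each TCP option, validating lengths."""
    i = 0
    while i < len(opts) and opts[i] != EOL:
        if opts[i] == NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError(f"malformed TCP option at offset {i}")
        yield opts[i], i, opts[i + 1]
        i += opts[i + 1]

def read_mss(opts: bytes):
    """Return the advertised MSS, or None if there is no MSS option."""
    for kind, off, length in walk_options(opts):
        if kind == MSS and length == 4:
            return struct.unpack_from("!H", opts, off + 2)[0]
    return None

def clamp_mss(opts: bytes, mtu: int, adjustment: int) -> bytes:
    """Lower the MSS option to mtu - adjustment; never raise it."""
    ceiling = mtu - adjustment        # assumption: ceiling = MTU - adjustment
    out = bytearray(opts)
    for kind, off, length in walk_options(opts):
        if kind == MSS and length == 4:
            if struct.unpack_from("!H", out, off + 2)[0] > ceiling:
                struct.pack_into("!H", out, off + 2, ceiling)
    return bytes(out)                 # a real device also updates the TCP checksum

def tunneled_size(mss: int, encap_overhead: int) -> int:
    """On-the-wire size of a full-sized segment after encapsulation."""
    return mss + IP_TCP_HEADERS + encap_overhead

# Constructed sample: SYN options advertising MSS 1460, then NOP,
# window scale 7, SACK-permitted and a timestamp option.
SYN_OPTS = bytes.fromhex("020405b4" "01" "030307" "0402" "080a0000000100000000")
ESP_OVERHEAD = 36                     # ESP header size from the text's example

if __name__ == "__main__":
    for adj in (40, 40 + ESP_OVERHEAD):
        mss = read_mss(clamp_mss(SYN_OPTS, 1500, adj))
        print(f"adjustment={adj} mss={mss} tunneled={tunneled_size(mss, ESP_OVERHEAD)}")
```

With an adjustment of 40 the MSS stays at 1460 and a full segment exceeds the 1500-byte MTU once the 36 bytes are added; an adjustment of 76 (40 plus the 36 bytes of overhead) makes the encapsulated packet fit exactly.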







For an actual use-case example/KB article, check out TCP MSS adjustment for IPSec traffic.

How have you been using this feature? Feel free to share your questions, comments and ideas in the section below.
Thank you for taking the time to read this blog.
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
Stay secure!
Kiwi out