How MTU set on router affect devices?

Question

This is more a question for clarification then a request for a solution. I've read a lot of questions and answers regarding MTU tweaks on routers and devices but I don't understand what's happening to my home setup.

My ISP gives me a solid 100 Mbps passive fiber optic connection to the Internet. I have no problems with regular sites and servers, but my corporate VPN (Cisco Any Connect) was always giving me timeouts when accessing company's intranet sites.

A simple ping test showed losses of about 45% (very high loss rate). Only when connected to the VPN.

Before reach the main ISP router (fiber) I have a Wifi router where my computer is conected to through Ethernet LAN port, so I'm using 2 routers in my setup.

 PC <--> WiFi Router (10.0.0.0/24) <--> ISP fiber router (192.168.1.0/24) <--> Internet

After a long time searching I started to tune up MTU in my Ethernet interface connected to corporate VPN using these commands (My computer is running Windows 10 Pro):

# Find the best MTU size without fragments
ping www.google.com -f -l 1294

# List interfaces and MTU
netsh interface ipv4 show interfaces

# List subinterfaces
netsh int ipv4 show subinterface

# Change MTU for Ethernet Card
netsh int ipv4 set subinterface "Ethernet" mtu=1294 store=persistent

As you can see, after a lot of tests I could find this value of 1294 as optimal. In fact with 1464 there was no fragmentation, but the Intranet sites only worked when I changed to 1294.

By now, setting 1294 on the PC I can access all intranet sites and connections flawlessly, without any dropout or timeout (the ping loss rate drops to <5%).

Then I turned back the value of my PC Ethernet card MTU to 1500 (the Windows default) and then changed MTU on my 2 routers to 1294 and rebooted them, rebooting my PC as well. I tryed to change only on each one at time, but changed on both in the end.

However... changing the MTU values on routers doesn't affect my PC connections. I need to change the MTU for the Ethernet card to work without errors when connecting to the VPN.

It should be that way?

BTW my ISP connection is pretty solid. Testing ping with many sites outside VPN gives me absolutely no losses.

Answer 1

The problem is likely that large packets don't work on your corporate network. I have never heard of this being a problem below an MTU of 1500, but nonetheless that seems to be the issue. What you are doing with ping breaks down (fragments) any packet larger than 1294 bytes so they may transit the network as smaller packets. The packets need to be reassembled back into their original size, usually on the machine you are talking to. The MTU setting applies this for all packets.

Now, VPN is transparent to fragmentation. If your router forces your VPN packets to be fragmented to yield to an MTU of 1294 bytes, then yes, these packets travel over the internet with a maximum size of 1294 bytes. The problem is the VPN server inside the corporate network will reassemble them back to full size and spit them out as full size packets. Thus, the buggy corporate network beyond the VPN server is seeing packets > 1294 bytes. You need to apply your MTU before VPN encapsulation. Thus packets leaving the VPN server will also be fragmented.