0

On my macOS 10.15 I have to use the Cisco AnyConnect Secure Mobility Client 4.8 to connect to the VPN of my university.

The connection is much slower than usual, probably because the MTU of 1300 is set too low.

Using the command ifconfig, i get this information about the connection:

utun2: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1300
    inet ###.###.##.## --> ###.###.##.## netmask 0xfffffe00 
    inet6 ###::####:###:###:###%utun2 prefixlen 64 scopeid 0x10 
    inet6 ###:####:#:#::### prefixlen 128 
    nd6 options=201<PERFORMNUD,DAD>

(IP addresses have been anynomized with #)

How can I change this? I found nothing in the settings of the Cisco Client, not even in the configuration files.

A change in the system settings is of no use, via the terminal I tried the following: sudo ifconfig utun2 mtu 1470

The correct value is then displayed using the ifconfig command, but the connection itself does not change (neither the speed, nor the MTU value displayed here https://www.speedguide.net/analyzer.php). After reconnecting, the MTU is again registered at 1300.

How can I change the MTU effectively and permanently?

Improve this question
3
  • In general an MTU slightly too small is a good thing, too large is far worse. One would imagine the default is set to be a safe value. There's a calculator here but tbh, it's best left alone.
    – Tetsujin
    Commented Mar 20, 2020 at 10:33
  • MTU is normally changed in the router / VPN firewall. An MTU of 1500 is default and that is normally good for cable installations. For DSL hookups, MTU of 1492 or a bit less is good. As noted, too small is better than too large. So you may be OK.
    – anon
    Commented Mar 20, 2020 at 12:49
  • Tanks! I have cable, so 1300 is maybe really too small. I would have been nice to be able to test this...but for this I need to change the MTU. But perhaps really only my university admin can do this.
    – PeterCH
    Commented Mar 20, 2020 at 17:51

1 Answer 1

Reset to default
0

Since VPN encapsulation adds additional overhead to packets, reducing Maximum Transfer Units below the standard 1500 byte ethernet frame MTU helps to ensure that encapsulated packets are not fragmented.

To check for packet fragmentation, ping with the "do not fragment" switch can be used.

On my version of ping, MacOS High Sierra, I can specify a sweep size with the following options:

nevin% ping -g 1200 -G 1500 -D <remote host>

This gives a result:

1472 bytes from x.x.x.x: icmp_seq=64 ttl=48 time=108.894 ms 556 bytes from 192.168.2.1: frag needed and DF set (MTU 1492) Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 d505 f712 0 0000 40 01 2739 192.168.2.111 x.x.x.x

My en0 MTU is 1500, but the response above is that my router has an MTU of 1492.

"Path MTU Discovery" will attempt to keep packet sizes below the fragmentation threshold of any link between two hosts, though this works best when ICMP is not being blocked along the way. (If you just begin to lose packets without any error messages, then ICMP is being blocked at some upstream point, and this might be the cause of your slow speeds: The remote host might be sending packets > than your local MTU, but not getting errors to tell it to scale back.

In short, trying to increase the size of MTU will not improve your performance.

Improve this answer
3
  • Thanks for the good explanation! Actually I just wanted to test if a modified MTU would improve the speed. But apparently that doesn't seem to be possible with this VPN Client.
    – PeterCH
    Commented Mar 20, 2020 at 17:50
  • By the way, the way with this ping command, where you set the parameter smaller and smaller in order to find the optimal size, seems to me easier. ping -f -l 1550 www.google.de (explained here hackaapl.com/mazimum-transmission-unit-mtu-frame-size-in-os-x)
    – PeterCH
    Commented Mar 20, 2020 at 17:55
  • I try not to flood ping; it might be faster, but more error-prone.
    – Nevin Williams
    Commented Mar 21, 2020 at 16:02

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .