Hi, in our network design (https://imgur.com/a/4mIiUl0) we have two paths for connectivity to the AWS cloud from our data centre: one via Direct Connect (primary) and one via IPSec (secondary). The MSS observed in the SYN packets on the Direct Connect is 1460. The MSS observed on the GRE over IPSec path is 1374, obviously due to the additional overhead of the tunnelling. In the edge case where traffic, for whatever reason, leaves the private cloud environment via IPSec and returns via the Direct Connect, I have observed an issue where, due to the MSS that the servers on the AWS side announce, certain packets (the ones I have seen fail have DF set) can be sent back over the IPSec path that are larger than the maximum MSS and are subsequently dropped. My questions are as follows:
1. What is the best way from a design perspective to cater for this?
1.1 Would one way be to artificially adjust the MSS of SYN and SYN-ACK packets on R1?
1.2 Or is the key for the MTU to be adjusted on the relevant interfaces on R1?
2. What actually happens with established TCP sessions when routing changes from tx and rx over the Direct Connect to tx via IPSec and rx via Direct Connect?
2.1 Will sessions need to be re-established?
2.2 What role does PMTUD play in this scenario?
Thank you
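As an added example that is not part of the original post: the model below plays out the situation described above, a session whose handshake crossed the Direct Connect and whose AWS-to-DC direction then moves onto the GRE over IPSec tunnel, under three conditions (no MSS clamp with working PMTUD, no clamp with ICMP "fragmentation needed" filtered, and an MSS clamp on R1). The only figures taken from the post are the observed MSS values 1460 and 1374; the interface MTUs of 1500 and 1414 that produce them, the IPv4 + TCP header size of 40 bytes, and the helper names are assumptions made for the example.

```python
"""Constructed model of the asymmetric Direct Connect / IPSec MSS problem.

Assumptions (not from the original post): MTU 1500 on Direct Connect and
1414 on GRE over IPSec (these give the MSS values 1460 and 1374 the post
reports), IPv4 + TCP headers of 40 bytes, and that R1's MSS clamp behaves like
a SYN/SYN-ACK option rewrite. Nothing here talks to a real network.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Dict

IP_TCP_HEADERS = 40          # 20-byte IPv4 header + 20-byte TCP header, no options
DIRECT_CONNECT_MTU = 1500    # assumed; MSS 1460 as observed in the post
GRE_IPSEC_MTU = 1414         # assumed; MSS 1374 as observed in the post
HOST_ANNOUNCED_MSS = 1460    # what an unmodified 1500-MTU host puts in its SYN


@dataclass
class Packet:
    total_len: int           # IP total length in bytes
    df: bool = True          # Don't Fragment; TCP stacks set it for PMTUD


@dataclass
class Link:
    name: str
    mtu: int

    def forward(self, pkt: Packet) -> Tuple[bool, Optional[int]]:
        """Return (delivered, icmp_mtu). A DF packet larger than the MTU is
        dropped and an ICMP 'fragmentation needed' carrying this link's MTU
        is generated; a non-DF packet would be fragmented instead."""
        if pkt.total_len <= self.mtu:
            return True, None
        if pkt.df:
            return False, self.mtu
        return True, None    # fragmented and delivered; not modelled further


@dataclass
class TcpSender:
    """One end of an established TCP session."""
    peer_mss: int            # MSS the peer announced (possibly rewritten by R1)
    pmtu: int = 1500         # path-MTU estimate; starts at the local interface MTU

    def payload(self) -> int:
        # A full segment never exceeds the peer's MSS or what PMTUD allows
        return min(self.peer_mss, self.pmtu - IP_TCP_HEADERS)

    def send(self, link: Link, icmp_reaches_sender: bool = True,
             max_tries: int = 4) -> Tuple[Optional[int], int]:
        """Send one full segment over `link`. On a DF drop, learn the new PMTU
        from the ICMP if it arrives and retransmit; the session itself stays
        established. Returns (delivered payload bytes or None, attempts used)."""
        for attempt in range(1, max_tries + 1):
            size = self.payload()
            delivered, icmp_mtu = link.forward(Packet(size + IP_TCP_HEADERS))
            if delivered:
                return size, attempt
            if icmp_reaches_sender and icmp_mtu is not None:
                self.pmtu = icmp_mtu   # PMTUD shrinks the estimate and retries
            # otherwise a PMTUD black hole: the same size is retried and dropped
        return None, max_tries


def clamp_mss(announced: int, clamp: Optional[int]) -> int:
    """Model R1 rewriting the MSS option in SYN / SYN-ACK (hypothetical helper)."""
    return announced if clamp is None else min(announced, clamp)


def session_after_route_flip(clamp: Optional[int], icmp_ok: bool) -> Dict[str, Tuple]:
    """Handshake crosses Direct Connect, then the AWS -> DC direction moves onto
    GRE over IPSec while DC -> AWS stays on Direct Connect."""
    direct_connect = Link("Direct Connect", DIRECT_CONNECT_MTU)
    gre_ipsec = Link("GRE over IPSec", GRE_IPSEC_MTU)
    # The AWS server's segment size is bounded by the MSS the DC host announced
    # in its SYN, which R1 may have rewritten on the way out.
    aws_server = TcpSender(peer_mss=clamp_mss(HOST_ANNOUNCED_MSS, clamp))
    before = aws_server.send(direct_connect)                 # both directions on DX
    after = aws_server.send(gre_ipsec, icmp_reaches_sender=icmp_ok)  # return path flipped
    return {"before_flip": before, "after_flip": after}


if __name__ == "__main__":
    print("no clamp, PMTUD works:   ", session_after_route_flip(None, True))
    print("no clamp, ICMP filtered: ", session_after_route_flip(None, False))
    print("R1 clamps MSS to 1374:   ", session_after_route_flip(GRE_IPSEC_MTU - IP_TCP_HEADERS, True))
```

Reading the three results side by side: without a clamp the first full-size segment after the flip is dropped at the tunnel, and the session survives only if the ICMP "fragmentation needed" gets back to the AWS server so it can retransmit at 1374 bytes; if that ICMP is filtered the segment is retried at the same size until the sender gives up. With the MSS rewritten to 1374 on R1 during the handshake, no segment is ever larger than the tunnel can carry, so the route change is invisible to the session.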