Geekzone: technology news, blogs, forums


Agent24

89 posts

Master Geek
+1 received by user: 19


#16080 24-Sep-2007 10:14

First, a bit of background - sorry it's so long:

Ever since I got ADSL (~2 years now) it's been overall fine for whatever I've wanted to use it for.

However, recently (and I don't really know when but certainly not that long ago) I noticed that the speed of some (in fact most) secure connections was absolutely terrible.

This was mainly brought to my attention when I started trying to use Gmail with POP3 to OE. Since Google recently made their Gmail POP3 server require secure connections, it was almost impossible to use because downloads were extremely (say 0.2kB per 3 seconds - measured with netmeter) slow and there were almost always timeouts so email could effectively NEVER be downloaded to my OE.

I just kinda ignored it and used the Gmail webmail whenever I needed to use Gmail (though I hate the conversation style and the fact that you now can't turn that off)

Problem came back when Xtra upgraded to Yahoo!Xtra Pro Mail and also needed secure connections. BIG PROBLEM. Since I use my Xtra email constantly, having completely useless performance was not so good. I rang Telecom who of course just told me "It should be working" - But I was able to fix the problem by using the old (non-secured) settings. I had not been able to do this before, maybe my call to Telecom got them to change something?

Anyway they changed it back again and non-secured didn't work anymore, and I was also starting to find problems with some secured websites (HTTPS) as well.

During all this I had been trying all sorts of things, other programs, other routers, other PCs. Nothing worked. I couldn't figure it out - until I took my PC to a LAN party at a friend's house and decided to check my email. It downloaded perfectly. So I thought, no matter how weird this sounds, it's got to be a problem with my actual internet connection, as I'd eliminated everything else.

So I rang Telecom again, and told them that secured connections were completely useless for me, and that as I'd tried everything else and it worked on another internet connection, it HAD to be their fault. So they did a port reset, which unfortunately did nothing, and I couldn't be bothered calling them again as it was 10PM.

Lazy people start reading here:

So the next day I googled around, posted on PressF1 and came up with the conclusion that if my MTU was set too high, packet fragmentation could occur, which apparently secure servers don't like much at all.

I lowered the MTU as low as I could (1000, down from 1500 - which is the lowest this Dynalink RTA-230 can go) and surprise! Secure email and websites worked like they should!

Now as far as I know, 1500 (or 1492) is the DEFAULT in almost all ADSL routers, WHY then does my connection have to have a significantly LOWER setting, and WHY did the default work for so long, only to cause problems NOW?





Non-system disk or disk error. Replace and strike any key when ready.

pando
235 posts

Master Geek


  #87881 24-Sep-2007 13:03

I had trouble getting my Gigabit LAN running faster than 100MBs and solved it by getting a program called TCPOptimizer to tweak the windows settings (window sizes, MTU, etc). I guess any optimiser will do but it'll find the best settings for MTU and other stuff that helps. Needless to say our Gigabit LAN runs considerably better but the largest MTU I can use safely on the net is 1453.



exportgoldman
1202 posts

Uber Geek
+1 received by user: 3

Trusted

  #87882 24-Sep-2007 13:03


I believe 1500 is the MTU for ethernet, and 1458 is the MTU for ADSL in NZ.

To test, set your router back to 1500 and try the following command with different values for mtusize

ping www.google.co.nz -f -l mtusize

Even though my router is set to 1458, the highest I can get in my ping is 1430 because Windows seems to not add the 18 byte packet header to the value of the size.

e.g, I suspect the ping command of 1430 is sending a packet of 1458 bytes.

So - to fix, change your router to 1458 and your router *should* repacket the data in the correct MTU size. You can also set this via tweaking tools like DrTCP.







Tyler - Parnell Geek - iPhone 3G - Lenovo X301 - Kaseya - Great Western Steak House, these are some of my favourite things.

kdn
203 posts

Master Geek
+1 received by user: 7


  #87883 24-Sep-2007 13:07

There should be no reason to ever go below 1400 mtu (for general internet protocols)

If you are using encryption then yes a large 1500 packet may be encapsulated inside another packet which leads to a packet being larger than 1500 bytes so the router has to split it up and then have it rearranged at the other end.. for real-time data this can cause bad performance.

The mtu setting on your router should have no effect on websites using SSL

Can you close any programme that uses the internet, open a command prompt and type "netstat" and post the results? Also, if you're running XP you might want to check for updates online.

What browser are you using?

Flamer.





exportgoldman
1202 posts

Uber Geek
+1 received by user: 3

Trusted

  #87913 24-Sep-2007 15:17

kdn: There should be no reason to ever go below 1400 mtu (for general internet protocols)

If you are using encryption then yes a large 1500 packet may be encapsulated inside another packet which leads to a packet being larger than 1500 bytes so the router has to split it up and then have it rearranged at the other end.. for real-time data this can cause bad performance.

The mtu setting on your router should have no effect on websites using SSL

Can you close any programme that uses the internet, open a command prompt and type "netstat" and post the results? Also, if you're running XP you might want to check for updates online.

What browser are you using?

Flamer.




Hate to disagree, but a common sign of an MTU set too high is being unable to use things like HTTPS etc. You're right about not going lower than 1400.

The packets don't get encapsulated, they get split up I believe, but routers sometimes don't do this and then the packets simply drop on the floor, this is why Windows XP has MTU path settings, and black hole router detection (some routers don't tell XP the packets are too big.)

Just set your packet size to 1452 in the router and possibly the PC and all will be good in the world :-)




Tyler - Parnell Geek - iPhone 3G - Lenovo X301 - Kaseya - Great Western Steak House, these are some of my favourite things.
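
The manual `ping -f -l` test and the black hole behaviour described in the two posts above, automated as a binary search. This is an added example, not code from the thread: the function names are hypothetical, the 28-byte overhead is a 20-byte IPv4 header (no options) plus an 8-byte ICMP header, and the matched ping output strings are assumed to be those of Windows ping and Linux iputils ping.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header (no options) + 8-byte ICMP header

def classify(output):
    """Map ping output text to 'ok', 'frag_needed' or 'silent'."""
    text = output.lower()
    if any(s in text for s in ("needs to be fragmented", "frag needed", "message too long")):
        return "frag_needed"
    return "ok" if "ttl=" in text else "silent"

def ping_df(host, payload):
    """Send one echo request with Don't Fragment set, using the system ping."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:  # Linux iputils ping (assumption)
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    return classify(done.stdout + done.stderr)

def find_path_mtu(probe, lo=548, hi=1472):
    """Return (path_mtu, black_hole_suspected); probe(payload) yields a classify() label."""
    if probe(lo) != "ok":
        raise RuntimeError("baseline probe failed: host unreachable or echo blocked")
    saw_silent = saw_error = False
    while lo < hi:
        mid = (lo + hi + 1) // 2
        result = probe(mid)
        if result == "ok":
            lo = mid              # mid fits, search above it
        else:
            hi = mid - 1          # mid is too big, search below it
            saw_silent |= result == "silent"
            saw_error |= result == "frag_needed"
    # Oversized probes that vanish without any ICMP error point to a hop
    # (or firewall) that drops the packet and never reports it.
    return lo + IP_ICMP_OVERHEAD, saw_silent and not saw_error

def simulated_path(mtu, silent):
    """Constructed stand-in for a real path, so the search can run offline."""
    def probe(payload):
        if payload + IP_ICMP_OVERHEAD <= mtu:
            return "ok"
        return "silent" if silent else "frag_needed"
    return probe
```

Against a real host, pass the live probe instead: `find_path_mtu(lambda n: ping_df("www.google.co.nz", n))`.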

barf
643 posts

Ultimate Geek


  #87920 24-Sep-2007 15:45

Another common cause is budget firewalls that don't handle ICMP correctly; default Windows Firewall is an example of this. It ignores ICMP echo requests and god knows what else.




Sniffing the glue holding the Internet together

Fraktul
836 posts

Ultimate Geek

Trusted

  #87930 24-Sep-2007 16:32

And stupid network admins - ICMP is there for a reason people, dealing with fragmentation is just one of those reasons.

 
 
 
 

Agent24

89 posts

Master Geek
+1 received by user: 19


  #87936 24-Sep-2007 16:49

Can't have been my firewall, for a start I never use the windows firewall

my main PC on which I had the problem had been using Norton Internet Security 2005 (which secure connections had previously been working fine with)

The other PC has Comodo firewall pro, and the emails also had problems there.

I removed NIS2005 after getting sick of it and put Comodo on that PC also, but emails still didn't work.


Honestly, all I can think of is that it's something to do with Go Large which I switched to recently (maybe the p2p shaping is screwing something up - but that would be pretty stupid on Telecom's part)

that, or Telecom changed something at their end and never told anyone


 

[EDIT (RC): changed name of software, typo?]









