Problem Background
A user reported potential MTU issues affecting network communication. Specifically, a remote user connected to a branch office via an ISP MPLS line but failed to access a system management page through a browser. In contrast, local users successfully accessed the same page. Basic checks at the network layer confirmed that the connection was operational: the remote user’s PC was able to ping the system server, and Telnet to port 80 functioned properly. However, web requests for graphical data were unsuccessful. Given the typical characteristics of MTU issues and the availability of comprehensive packet data for analysis, this case is presented for further examination.
Case Analysis from Wireshark Official Q&A Forum
Normal Operation
The packet capture data for a local user with normal web access is as follows:
- The packets were captured on the client side.
- The TCP three-way handshake is normal, with a client MSS of 1260, a server MSS of 1460, and an RTT of 0.025316 seconds, with SACK not supported.
- The client’s HTTP GET request results in a 301 redirect from the server, followed by a normal GET and a 200 response.
- The server has delay acknowledgment enabled and can transmit up to the maximum MSS of 1260, with packets of 1314 bytes in length.
Abnormal Operation
The packet capture data for a remote user experiencing web access issues is as follows:
- The packets were also captured on the client side.
- The TCP three-way handshake is normal, with a client MSS of 1260, a server MSS of 1460, and an RTT of 0.045647 seconds, which is indeed higher than the local access RTT, with SACK not supported.
- The client’s HTTP GET request again results in a 301 redirect from the server, followed by a normal GET and a 200 response.
- The server also has delay acknowledgment enabled.
- During the data transmission phase, there are continuous instances of “[TCP Previous segment not captured]” messages. The maximum transmission length from the server is only 654 bytes. Compared to the data packets from the normal operation, the cause of the fault is already clear: the client failed to properly receive the server’s MSS 1260 data packets.
- Frame 13 indicates a Seq of 2944 – 424 = 2520, suggesting that two MSS packets may have been lost earlier.
- Frames 15 and 17 present similar issues. The client also shows a “[TCP Dup ACK 14#]” message, requesting the server to retransmit the segment with Seq 424.
- The packets sent by the server have the IP header set to “Don’t fragment,” indicating no fragmentation is allowed.
Problem Summary
Based on the analysis, it is confirmed that there is an MTU issue. It appears that there is a small MTU device in the ISP transmission path, and the packets sent by the server are set to not fragment, leading to packet loss. As a result, the client cannot properly receive the packets, causing abnormal behavior when accessing the web management page. MTU issues are common in wide area networks and can be detected using ping tests to large packets with fragmentation disabled or by capturing packets directly.