-
Notifications
You must be signed in to change notification settings - Fork 21.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MTU recommendation about Azure VMs #69477
Comments
I understand your point – but “probably not”. For a couple reasons.
1. We can’t control the internet path, so, unless you stay on microsoft network, then you’re likely to get fragmented somewhere along the way
2. Most packets are much smaller than 1400 or 1500 – so there’s no risk of fragmentation
It’s probably best to take a position that “fragmentation isn’t bad”. And, I think there’s been a fix recently where Azure will correctly re-assemble out of order fragments – but customers have to opt-in to it.
Thanks
From: Alex_Yin <notifications@github.com>
Sent: Tuesday, January 26, 2021 12:28 PM
To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com>
Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com>
Subject: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477)
[Enter feedback here]
In this article, it is mentioned Azure platform MTU is 1400 and out of order fragment will be droped due to Linux OS.
Should we recommend to set Azure VM MTU to 1400?
Any difference about TCP and UDP fragmentation processing in azure platform?
Azure and VM MTU
The default MTU for Azure VMs is 1,500 bytes. The Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes.
Note that the Virtual Network stack isn't inherently inefficient because it fragments packets at 1,400 bytes even though VMs have an MTU of 1,500. A large percentage of network packets are much smaller than 1,400 or 1,500 bytes.
Azure and fragmentation
Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack.
FragmentSmack is a defect in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger expensive fragment reassembly operations, which could lead to increased CPU and a denial of service on the target system.
…________________________________
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
* ID: d9e17ce9-1b86-b744-f5c8-c86db7267376
* Version Independent ID: 915a5706-f1ba-525e-a8dc-338574e3c3f7
* Content: TCP/IP performance tuning for Azure VMs<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-network%2Fvirtual-network-tcpip-performance-tuning%23azure-and-fragmentation&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728791665%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fybUeRJ5wzI3FOdpuIr7GJ6sdgNKhBOBOBXkA9llZW4%3D&reserved=0>
* Content Source: articles/virtual-network/virtual-network-tcpip-performance-tuning.md<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fblob%2Fmaster%2Farticles%2Fvirtual-network%2Fvirtual-network-tcpip-performance-tuning.md&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728801657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SZMPUakjIHKrfew7%2BTK8uST9GdmWCs0uwkGqzi3C0%2FY%3D&reserved=0>
* Service: virtual-network
* GitHub Login: @rimayber<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frimayber&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728806642%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FOdzK%2FeHqRbzXBg78eZfYcI9Awc02ykO6HuZdvqRpSw%3D&reserved=0>
* Microsoft Alias: rimayber
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728811633%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SrSQHB4B7nXqvRMV5CXiM%2BtQvwXMo8mJPqBD129M8ms%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKPUDLGBFW6AGLSWOLDS3ZHFHANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728816624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=di%2BWjkNcCYycjRbda4640AMPgcQqQxWdgQp7BHgPvjg%3D&reserved=0>.
|
thanks @rimayber. I agree with "fragmentation is not bad", but still confusing with why Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes and then it might be dropped due to "out of order". Given a more straightforward example: If there is an TCP/IP packet from internet to Azure, it is 1460 bytes (payload length) + 20 bytes (TCP header) + 20 Bytes (IP header) = 1500 Bytes ,
|
Well, the math about 1400 vs 1500 has to consider virtual network tunneling protocols adding encapsulation from the host. Adds more to the packet size.
So, that is likely the reason for 1400.
But, I think your assumptions are correct - although if you're trying to get exact technical detail, then we should ask expand audience.
I believe this problem is specific to UDP.
RNM TSG (eng.ms)<https://eng.ms/docs/cloud-ai-platform/azure/azure-core-networking/sdn/regional-network-manager/rnm-tsg/troubleshooting/enable-udp-fragment-reordering>
From: Alex_Yin <notifications@github.com>
Sent: Tuesday, January 26, 2021 5:55 PM
To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com>
Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477)
thanks @rimayber<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frimayber&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128055439%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=i3WxXxKb9yHbMksG3e8v4ZmXQaJnsgjY1vXOxdg0bn0%3D&reserved=0>.
I agree with "fragmentation is not bad", but still confusing with why Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes and then it might be dropped due to "out of order".
Given a more straightforward example: If there is an TCP/IP packet from internet to Azure, it is 1460 bytes (payload length) + 20 bytes (TCP header) + 20 Bytes (IP header) = 1500 Bytes ,
1. so azure platform will fragment it to two pieces 1400 + 60 ?
2. If those two fragmented packets reach to destinaiton in azure by "out of oder", it is possible to be dropped due to (Virtual Network stack is set up to drop "out of order fragments,") ?
3. if those "out of order" fragmented packets are coming from internet , I mean when they reach to azure destination, they will be dropped by azure due to the same reason?
-
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-767464923&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128060430%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6eu5T8b1y2NFFOmCAGF%2FaxwnhatArs9W5rIqdLeZQrE%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKNQVSCNNN6TVDZRE6DS32NQ3ANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128065419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FDwJAGHkAoJD7%2BbN5vEIm3kK1cwArDjeEk7xiJyV%2FzA%3D&reserved=0>.
|
Yes, the out of order fragmentation could occur in azure cloud due to multi-path. About TCP out of order fragmented packets, it seems we have reassable capability on azure destination and rare issue is reported for that. But for UDP out of order fragmentated packets, we need to enable this UDP re-ordering flag for specific subscrition per region. Just want to confirm if we have such difference for TCP and UDP, if yes, should we add more detailed description about azure drop "out of order" fragmentation packets? Azure and fragmentation |
Can you propose changes or make the updates?
From: Alex_Yin <notifications@github.com>
Sent: Tuesday, January 26, 2021 8:15 PM
To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com>
Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com>
Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477)
Yes, the out of order fragmentation could occur in azure cloud due to multi-path. About TCP out of fragmented packets, it seems we have reassable capability azure destination and rare issue is reported for that.
But for UDP out of oder fragmentated packets, we need to enable this UDP re-ordering flag for specific subscrition per region.
Just want to confirm if we have such difference for TCP and UDP, if yes, should we add more detailed description about azure drop "out of order" fragmentation packets?
Azure and fragmentation
Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack.
-
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-767533419&data=04%7C01%7Crimayber%40microsoft.com%7C532c41f049ac4c9b6fe608d8c1fc6534%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472637062453624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=91OF7unVs5h3GCSwVFGTL2MxGnEouhN9v6JCKiYqmwE%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKLEUCNJPS55PLVURHDS3255RANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C532c41f049ac4c9b6fe608d8c1fc6534%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472637062458621%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sAoAy4OIlqXiv1PAKgkAEIJslZQULOLSUoqcQs5PAEU%3D&reserved=0>.
|
According to the description of "Azure and fragmentation" part, the "out of order" fragments will be dropped. Is it partially untrue? If it is TCP "out of order" fragmented packets, azure destination can reassemable them and will not drop them. If it is UDP "out of order" fragmented packets, it is by design azure destination will drop them. But we have option to enable "enable-udp-fragment-reordering" to reassemable those packets to avoid dropping. |
Does this enable-udp-fragment-reordering option really exist? The only place I have found mention of this option is indeed in this thread? but nowhere else. |
It does, I had to ask for it to resolve an issue with a UDP app. The support person wasn't sure about it until I linked this thread and was able to get rimayber to help. It is weird, but I don't think MS wants to accept that fragmenting UDP results in tons of out of order packets on the other end, screwing with some apps. I wish they didn't bother fragmenting anything below 1400, seems like a great way to create weird problems. |
@hotgore could you please provide a bit information how to set this "enable-udp-fragment-reordering" option ? Troubleshooting a Radius EAP-TLS Authentication issue and seems it's related with IPSec to Azure and fragmented UDP datagram lost. |
Thanks @rimayber , I tried https://supportability.visualstudio.com/AzureNetworking/_wiki/wikis/ANPTA%20Wiki/444499/Enable-UDP-Fragment-Reordering-on-a-Subscription but I don't have access. |
I open a support ticket for "enable-udp-fragment-reordering". Best, |
I was just informed of this discussion, and I would tend to disagree with "fragmentation is not bad." It causes a whole host of issues, for which the entire QUIC protocol (built on UDP and the really the next protocol for the internet) has taken the stance to set the "Don't Fragment" bit to make sure fragmentation doesn't happen. But to that end, does the Azure network stack fully respect this bit? Or is there some virtualization layer that does some kind of fragmentation regardless? If so, that's really bad. BTW, I don't understand the reasoning for this claim: "Most packets are much smaller than 1400 or 1500 – so there’s no risk of fragmentation". Generally, smart protocols will dynamically discover the largest MTUs that "work". But if the network fragments the larger MTUs it ends up causing more problems... |
@nibanks I agree. These statements seem to be fabricated. They are not supported by real data:
In the same sense have commented an issue which was closed without any sound reasoning: #65888 (comment)
Are you sure? The "Don't Fragment" bit is normally being set by the operating system as part of the Path MTU Discovery algorithm. |
About what part? The OS is involved in TCP based communication and may use the Don't Fragment bit when doing PMTUD, yes. When it's done in QUIC, the OS isn't necessarily involved in anything more than providing a UDP socket. Then, it's the app layer that's telling the UDP socket to set the Don't Fragment bit. |
UDP Fragmentation is a pain in Azure, I have special a problem with EAP-TLS in Radius UDP packet:
So a final rule of thumb, running 802.1x EAP traffic, Radius server in Azure or sending 802.1x radius traffic through Azure you have to be very, very careful, due to the UDP fragmentation issue / rules in Azure breaking the RFC. Microsoft should make sure that Azure vNet follows the RFC, and not blame it on some "security reason here and there" breaking the entire UDP stack. If they have a problem with the RFC in the UDP protocol, then work on changing the RFC. |
@fedda-no I had same problem using FortiAuthenticator as Radius server, Fortigate as site2site VPN server in Azure. EAP-TLS cert based authentication some time work, sometime not, reason is fragmented UDP datagram got lost. Fortigate has a "set ip-fragmentation pre-encapsulation" option and that ( plus reduce MTU) fixed the problem for me. |
Did changing the MTU fix the issue? |
Thank you for you dedication to our documentation.Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information. Please continue to provide feedback about the documentation. We appreciate your contributions to our community. #please-close |
How is this issue resolved?
…On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote:
Thank you for you dedication to our documentation.
Unfortunately, we have been unable to review this issue in a timely
manner. We sincerely apologize for the delayed response. We are closing
this issue. If you feel that the problem persists, please respond to this
issue with additional information.
Please continue to provide feedback about the documentation. We appreciate
your contributions to our community.
#please-close
—
Reply to this email directly, view it on GitHub
<#69477 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Can you enlighten me as to how exactly this issue is "resolved"?
…On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote:
Thank you for you dedication to our documentation.
Unfortunately, we have been unable to review this issue in a timely
manner. We sincerely apologize for the delayed response. We are closing
this issue. If you feel that the problem persists, please respond to this
issue with additional information.
Please continue to provide feedback about the documentation. We appreciate
your contributions to our community.
#please-close
—
Reply to this email directly, view it on GitHub
<#69477 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
In my case, you have to triple check that Azure Support actually have enable in the vnet / vwan setup. My problem was that Azure support said it was, when in reality it wasn’t, and after getting another SME they finally got it enable correctly. Get Azure Support to enable enable-udp-fragment-reorderingThen you do not need to play around with mtu size etc…Regards,Fredrik E. Jensen17. mar. 2023 kl. 20:01 skrev gideonoost ***@***.***>:
Can you enlighten me as to how exactly this issue is "resolved"?
On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote:
Thank you for you dedication to our documentation.
Unfortunately, we have been unable to review this issue in a timely
manner. We sincerely apologize for the delayed response. We are closing
this issue. If you feel that the problem persists, please respond to this
issue with additional information.
Please continue to provide feedback about the documentation. We appreciate
your contributions to our community.
#please-close
—
Reply to this email directly, view it on GitHub
<#69477 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA>
.
You are receiving this because you commented.Message ID:
***@***.***>
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Issue is not resolved. Funny that Microsoft requires customers to ask for a secret flag to fix their broken network design. Yeah, build the network on GRE in a way so customers can't use GRE themselves, keep the MTU default so you have to fragment, and then take a stateless protocol, fragment it and deliver the fragments out of order. No one in the world would think that fragmenting UDP packets and delivering them out of order is a good idea. When customers complain their only option is the secret code word whereby the customer can't actually verify it is enabled. This idiocy will only get worse as more and more protocols use UDP (QUIC). |
I'm having a problem with an RTSP server, which emits RTP payload at maximum 1472 bytes. This renders to max 1514 bytes on ETH, surely too big for MTU 1500. I traced the output of the Azure network interface I have access to and found, that all UDP packages left with I managed to convince the nice developer to provide me a means to reduce the RTP payload size. And already the first attempt was a success (payload 1400). I think the max RTP payload is somewhat like 1458, wich in turn would render to ETH 1500. Full story bluenviron/mediamtx#1588 Not sure, why everybody says Azure fragments at 1400... |
for me... your 'fix in progress' is what resolve our auth issues. Setting the MTU on the ISE node to 1300 did the trick. |
[Enter feedback here]
In this article, it is mentioned Azure platform MTU is 1400 and out of order fragment will be droped due to Linux OS.
Should we recommend to set Azure VM MTU to 1400?
Any difference about TCP and UDP fragmentation processing in azure platform?
Azure and VM MTU
The default MTU for Azure VMs is 1,500 bytes. The Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes.
Note that the Virtual Network stack isn't inherently inefficient because it fragments packets at 1,400 bytes even though VMs have an MTU of 1,500. A large percentage of network packets are much smaller than 1,400 or 1,500 bytes.
Azure and fragmentation
Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack.
FragmentSmack is a defect in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger expensive fragment reassembly operations, which could lead to increased CPU and a denial of service on the target system.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: