MTU recommendation about Azure VMs

[yinoa]

[Enter feedback here]
In this article, it is mentioned Azure platform MTU is 1400 and out of order fragment will be droped due to Linux OS.

Should we recommend to set Azure VM MTU to 1400?

Any difference about TCP and UDP fragmentation processing in azure platform?

Azure and VM MTU
The default MTU for Azure VMs is 1,500 bytes. The Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes.

Note that the Virtual Network stack isn't inherently inefficient because it fragments packets at 1,400 bytes even though VMs have an MTU of 1,500. A large percentage of network packets are much smaller than 1,400 or 1,500 bytes.

Azure and fragmentation
Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack.

FragmentSmack is a defect in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger expensive fragment reassembly operations, which could lead to increased CPU and a denial of service on the target system.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: d9e17ce9-1b86-b744-f5c8-c86db7267376
• Version Independent ID: 915a5706-f1ba-525e-a8dc-338574e3c3f7
• Content: TCP/IP performance tuning for Azure VMs
• Content Source: articles/virtual-network/virtual-network-tcpip-performance-tuning.md
• Service: virtual-network
• GitHub Login: @rimayber
• Microsoft Alias: rimayber

[rimayber]

I understand your point – but “probably not”. For a couple reasons. 1. We can’t control the internet path, so, unless you stay on microsoft network, then you’re likely to get fragmented somewhere along the way 2. Most packets are much smaller than 1400 or 1500 – so there’s no risk of fragmentation It’s probably best to take a position that “fragmentation isn’t bad”. And, I think there’s been a fix recently where Azure will correctly re-assemble out of order fragments – but customers have to opt-in to it. Thanks From: Alex_Yin <notifications@github.com> Sent: Tuesday, January 26, 2021 12:28 PM To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com> Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com> Subject: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477) [Enter feedback here] In this article, it is mentioned Azure platform MTU is 1400 and out of order fragment will be droped due to Linux OS. Should we recommend to set Azure VM MTU to 1400? Any difference about TCP and UDP fragmentation processing in azure platform? Azure and VM MTU The default MTU for Azure VMs is 1,500 bytes. The Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes. Note that the Virtual Network stack isn't inherently inefficient because it fragments packets at 1,400 bytes even though VMs have an MTU of 1,500. A large percentage of network packets are much smaller than 1,400 or 1,500 bytes. Azure and fragmentation Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack. FragmentSmack is a defect in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger expensive fragment reassembly operations, which could lead to increased CPU and a denial of service on the target system.

…

________________________________ Document Details ⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking. * ID: d9e17ce9-1b86-b744-f5c8-c86db7267376 * Version Independent ID: 915a5706-f1ba-525e-a8dc-338574e3c3f7 * Content: TCP/IP performance tuning for Azure VMs<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-network%2Fvirtual-network-tcpip-performance-tuning%23azure-and-fragmentation&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728791665%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=fybUeRJ5wzI3FOdpuIr7GJ6sdgNKhBOBOBXkA9llZW4%3D&reserved=0> * Content Source: articles/virtual-network/virtual-network-tcpip-performance-tuning.md<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fblob%2Fmaster%2Farticles%2Fvirtual-network%2Fvirtual-network-tcpip-performance-tuning.md&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728801657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SZMPUakjIHKrfew7%2BTK8uST9GdmWCs0uwkGqzi3C0%2FY%3D&reserved=0> * Service: virtual-network * GitHub Login: @rimayber<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frimayber&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728806642%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FOdzK%2FeHqRbzXBg78eZfYcI9Awc02ykO6HuZdvqRpSw%3D&reserved=0> * Microsoft Alias: rimayber — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728811633%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=SrSQHB4B7nXqvRMV5CXiM%2BtQvwXMo8mJPqBD129M8ms%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKPUDLGBFW6AGLSWOLDS3ZHFHANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C7f1248fa823f4a261ab708d8c1bb1dd6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472356728816624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=di%2BWjkNcCYycjRbda4640AMPgcQqQxWdgQp7BHgPvjg%3D&reserved=0>.

[yinoa]

thanks @rimayber.

I agree with "fragmentation is not bad", but still confusing with why Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes and then it might be dropped due to "out of order".

Given a more straightforward example: If there is an TCP/IP packet from internet to Azure, it is 1460 bytes (payload length) + 20 bytes (TCP header) + 20 Bytes (IP header) = 1500 Bytes ,

1. so azure platform will fragment it to two pieces 1400 + 60 ?
2. If those two fragmented packets reach to destinaiton in azure by "out of oder", it is possible to be dropped due to (Virtual Network stack is set up to drop "out of order fragments,") ?
3. if those "out of order" fragmented packets are coming from internet , I mean when they reach to azure destination, they will be dropped by azure due to the same reason?

[rimayber]

Well, the math about 1400 vs 1500 has to consider virtual network tunneling protocols adding encapsulation from the host. Adds more to the packet size. So, that is likely the reason for 1400. But, I think your assumptions are correct - although if you're trying to get exact technical detail, then we should ask expand audience. I believe this problem is specific to UDP. RNM TSG (eng.ms)<https://eng.ms/docs/cloud-ai-platform/azure/azure-core-networking/sdn/regional-network-manager/rnm-tsg/troubleshooting/enable-udp-fragment-reordering> From: Alex_Yin <notifications@github.com> Sent: Tuesday, January 26, 2021 5:55 PM To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com> Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477) thanks @rimayber<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frimayber&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128055439%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=i3WxXxKb9yHbMksG3e8v4ZmXQaJnsgjY1vXOxdg0bn0%3D&reserved=0>. I agree with "fragmentation is not bad", but still confusing with why Azure Virtual Network stack will attempt to fragment a packet at 1,400 bytes and then it might be dropped due to "out of order". Given a more straightforward example: If there is an TCP/IP packet from internet to Azure, it is 1460 bytes (payload length) + 20 bytes (TCP header) + 20 Bytes (IP header) = 1500 Bytes , 1. so azure platform will fragment it to two pieces 1400 + 60 ? 2. If those two fragmented packets reach to destinaiton in azure by "out of oder", it is possible to be dropped due to (Virtual Network stack is set up to drop "out of order fragments,") ? 3. if those "out of order" fragmented packets are coming from internet , I mean when they reach to azure destination, they will be dropped by azure due to the same reason? - You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-767464923&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128060430%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6eu5T8b1y2NFFOmCAGF%2FaxwnhatArs9W5rIqdLeZQrE%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKNQVSCNNN6TVDZRE6DS32NQ3ANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C7b26682fc2d144e1eee908d8c1e8d9c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472553128065419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=FDwJAGHkAoJD7%2BbN5vEIm3kK1cwArDjeEk7xiJyV%2FzA%3D&reserved=0>.

[yinoa]

Yes, the out of order fragmentation could occur in azure cloud due to multi-path. About TCP out of order fragmented packets, it seems we have reassable capability on azure destination and rare issue is reported for that.

But for UDP out of order fragmentated packets, we need to enable this UDP re-ordering flag for specific subscrition per region.

Just want to confirm if we have such difference for TCP and UDP, if yes, should we add more detailed description about azure drop "out of order" fragmentation packets?

Azure and fragmentation
Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack.

[rimayber]

Can you propose changes or make the updates? From: Alex_Yin <notifications@github.com> Sent: Tuesday, January 26, 2021 8:15 PM To: MicrosoftDocs/azure-docs <azure-docs@noreply.github.com> Cc: JR Mayberry <rimayber@microsoft.com>; Mention <mention@noreply.github.com> Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477) Yes, the out of order fragmentation could occur in azure cloud due to multi-path. About TCP out of fragmented packets, it seems we have reassable capability azure destination and rare issue is reported for that. But for UDP out of oder fragmentated packets, we need to enable this UDP re-ordering flag for specific subscrition per region. Just want to confirm if we have such difference for TCP and UDP, if yes, should we add more detailed description about azure drop "out of order" fragmentation packets? Azure and fragmentation Virtual Network stack is set up to drop "out of order fragments," that is, fragmented packets that don't arrive in their original fragmented order. These packets are dropped mainly because of a network security vulnerability announced in November 2018 called FragmentSmack. - You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-767533419&data=04%7C01%7Crimayber%40microsoft.com%7C532c41f049ac4c9b6fe608d8c1fc6534%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472637062453624%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=91OF7unVs5h3GCSwVFGTL2MxGnEouhN9v6JCKiYqmwE%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKLEUCNJPS55PLVURHDS3255RANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C532c41f049ac4c9b6fe608d8c1fc6534%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637472637062458621%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sAoAy4OIlqXiv1PAKgkAEIJslZQULOLSUoqcQs5PAEU%3D&reserved=0>.

[yinoa]

According to the description of "Azure and fragmentation" part, the "out of order" fragments will be dropped.

Is it partially untrue?

If it is TCP "out of order" fragmented packets, azure destination can reassemable them and will not drop them.

If it is UDP "out of order" fragmented packets, it is by design azure destination will drop them. But we have option to enable "enable-udp-fragment-reordering" to reassemable those packets to avoid dropping.

[gideonoost]

Does this enable-udp-fragment-reordering option really exist? The only place I have found mention of this option is indeed in this thread? but nowhere else.

[hotgore]

Does this enable-udp-fragment-reordering option really exist? The only place I have found mention of this option is indeed in this thread? but nowhere else.

It does, I had to ask for it to resolve an issue with a UDP app. The support person wasn't sure about it until I linked this thread and was able to get rimayber to help.

It is weird, but I don't think MS wants to accept that fragmenting UDP results in tons of out of order packets on the other end, screwing with some apps. I wish they didn't bother fragmenting anything below 1400, seems like a great way to create weird problems.

[jackchenwork]

@hotgore could you please provide a bit information how to set this "enable-udp-fragment-reordering" option ? Troubleshooting a Radius EAP-TLS Authentication issue and seems it's related with IPSec to Azure and fragmented UDP datagram lost.

[rimayber]

Enable UDP Fragment Reordering on a Subscription - Overview (visualstudio.com)<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupportability.visualstudio.com%2FAzureNetworking%2F_wiki%2Fwikis%2FANPTA%2520Wiki%2F444499%2FEnable-UDP-Fragment-Reordering-on-a-Subscription&data=04%7C01%7Crimayber%40microsoft.com%7C8ae92e13d49b4634e2f408d9efc92af4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637804469675622068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0HdBWLlNsEtn6m3ScuyjWOmJBQMeyfgwezKCLpUMnWM%3D&reserved=0> Sent from Outlook<http://aka.ms/weboutlook> From: Jack Chen ***@***.***> Sent: Friday, March 11, 2022 7:47 AM To: MicrosoftDocs/azure-docs ***@***.***> Cc: JR Mayberry ***@***.***>; Mention ***@***.***> Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477) @hotgore<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fhotgore&data=04%7C01%7Crimayber%40microsoft.com%7C45d5cf23d5d842a8855c08da02f8a7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825564240951413%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=T2PyKMEBiRca%2B4uewifBJ5ujgmA%2B5pkUM8WBRg9pMdM%3D&reserved=0> could you please provide a bit information how to set this "enable-udp-fragment-reordering" option ? Troubleshooting a Radius EAP-TLS Authentication issue and seems it's related with IPSec to Azure and fragmented UDP datagram lost. - Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-1064659272&data=04%7C01%7Crimayber%40microsoft.com%7C45d5cf23d5d842a8855c08da02f8a7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825564240951413%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=BSan9hI%2BRh6%2Flcm6fzEfZpi1k3f1NenxOcN9yJWiz6g%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKLCVMQJ3JWKKPUAW33U7KJYLANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C45d5cf23d5d842a8855c08da02f8a7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825564240951413%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=iR3je9UjxLHyrelWiqXHxs3vHiM5nmOANvIuhascI5Q%3D&reserved=0>. Triage notifications on the go with GitHub Mobile for iOS<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7Crimayber%40microsoft.com%7C45d5cf23d5d842a8855c08da02f8a7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825564240951413%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=br82G71yCGvJvMXd7lRzbVAgJ8SSO1lYXEB1pF5rX0o%3D&reserved=0> or Android<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7Crimayber%40microsoft.com%7C45d5cf23d5d842a8855c08da02f8a7da%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825564240951413%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=fv1yXMfjAdAYEp%2BI4Yj78u4QWsZ%2FUZYlUMuhjm38pYM%3D&reserved=0>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[jackchenwork]

Thanks @rimayber , I tried https://supportability.visualstudio.com/AzureNetworking/_wiki/wikis/ANPTA%20Wiki/444499/Enable-UDP-Fragment-Reordering-on-a-Subscription but I don't have access.

[rimayber]

Basically you need a support ticket to request it. The doc link is for internal support employees Sent from Outlook<http://aka.ms/weboutlook> From: Jack Chen ***@***.***> Sent: Friday, March 11, 2022 10:09 AM To: MicrosoftDocs/azure-docs ***@***.***> Cc: JR Mayberry ***@***.***>; Mention ***@***.***> Subject: Re: [MicrosoftDocs/azure-docs] MTU recommendation about Azure VMs (#69477) Thanks @rimayber<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frimayber&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=IcwvTr%2BVja4TIvxNn5hvyLRb%2FZyeYjz0zX%2FliU%2FdDFY%3D&reserved=0> , I tried https://supportability.visualstudio.com/AzureNetworking/_wiki/wikis/ANPTA%20Wiki/444499/Enable-UDP-Fragment-Reordering-on-a-Subscription<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupportability.visualstudio.com%2FAzureNetworking%2F_wiki%2Fwikis%2FANPTA%2520Wiki%2F444499%2FEnable-UDP-Fragment-Reordering-on-a-Subscription&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=J5%2BLduVOxDMCGcTHdrHSxxotaBdqeKQDNWxQlNlxzoY%3D&reserved=0> but I don't have access. - Reply to this email directly, view it on GitHub<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F69477%23issuecomment-1064727597&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=PuemR7NNFjqfEzCoKof2CdkHuQVmvOthoLIyAUMVeiE%3D&reserved=0>, or unsubscribe<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FALVZVKO6OQNXU2QSO3IM4K3U7K2MDANCNFSM4WS3XGAA&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=05FlDF1gVP9RxLJRzgF%2FIyxES7ytMgTmV7hiOaXv0ww%3D&reserved=0>. Triage notifications on the go with GitHub Mobile for iOS<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapps.apple.com%2Fapp%2Fapple-store%2Fid1477376905%3Fct%3Dnotification-email%26mt%3D8%26pt%3D524675&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZAjyNgUhgcqPYttLXwPbwt712OGr2IorKy8imkMpg1o%3D&reserved=0> or Android<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.github.android%26referrer%3Dutm_campaign%253Dnotification-email%2526utm_medium%253Demail%2526utm_source%253Dgithub&data=04%7C01%7Crimayber%40microsoft.com%7C5e459c0376584e6eef7b08da030c76d7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637825649315882223%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=u33Lvv2SorLsepLH6N5JPQ4TA6kbzJSq95mQ0agUm90%3D&reserved=0>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[plessisa]

Basically you need a support ticket to request it. The doc link is for internal support employees
Hi @rimayber,

I open a support ticket for "enable-udp-fragment-reordering".
So far, support allowed me to "enable-udp-fragment-reordering" only on the VM Public IP inbound Traffic. When using an Azure Load Balancer or a VPN via a Virtual Network Gateway, the fragment are still dropping.

Best,

[nibanks]

I was just informed of this discussion, and I would tend to disagree with "fragmentation is not bad." It causes a whole host of issues, for which the entire QUIC protocol (built on UDP and the really the next protocol for the internet) has taken the stance to set the "Don't Fragment" bit to make sure fragmentation doesn't happen.

But to that end, does the Azure network stack fully respect this bit? Or is there some virtualization layer that does some kind of fragmentation regardless? If so, that's really bad.

BTW, I don't understand the reasoning for this claim: "Most packets are much smaller than 1400 or 1500 – so there’s no risk of fragmentation". Generally, smart protocols will dynamically discover the largest MTUs that "work". But if the network fragments the larger MTUs it ends up causing more problems...

[vbrozik]

@nibanks I agree. These statements seem to be fabricated. They are not supported by real data:

• "fragmentation is not bad."
• "Most packets are much smaller than 1400 or 1500 – so there’s no risk of fragmentation"

In the same sense have commented an issue which was closed without any sound reasoning: #65888 (comment)

---

...the entire QUIC protocol ... has taken the stance to set the "Don't Fragment" bit to make sure fragmentation doesn't happen.

Are you sure? The "Don't Fragment" bit is normally being set by the operating system as part of the Path MTU Discovery algorithm.

[nibanks]

Are you sure? The "Don't Fragment" bit is normally being set by the operating system as part of the Path MTU Discovery algorithm.

About what part? The OS is involved in TCP based communication and may use the Don't Fragment bit when doing PMTUD, yes. When it's done in QUIC, the OS isn't necessarily involved in anything more than providing a UDP socket. Then, it's the app layer that's telling the UDP socket to set the Don't Fragment bit.

[fedda-no]

UDP Fragmentation is a pain in Azure, I have special a problem with EAP-TLS in Radius UDP packet:

1. Standard Azure VNet drops all EAP TLS where UDP packet get fragmented (NAS to Radius) when the NAS encapsulate the client certificate in the UDP packet (it needs to be fragmented), Azure drops this (NAS logs it with: Radius Server Dead, Radius server: Not Response from NAS).

• This is for ALL radius traffic traversing Azure, example if you use Azure VWAN, Site to Azure, and Azure Express to Onprem DC (where Radius is hosted), UDP packet get "dropped".

2. Initial fix for this is to:
   • Get Azure to enable enable-udp-fragment-reordering.
3. However I still have problem if I host example Cisco ISE 3.2 in Azure, where I experience that Azure Vnet drops the "server certificate response", again, Cisco ISE 3.2 deployed from marked space are setup with standard MTU of 1500, where we see randomly that Azure still dropping the radius response from Cisco ISE. NAS reports: Radius Server dead jump to next radius server in list, ISE Response to the next request: Authentication process already in process and drops the request. But this problem are random, not consistent as From private repo #1.

• Fix in progress, trying to change the MTU on the Cisco ISE server in Azure to 1400, to prevent any form for fragmentation to occur on the Radius response (special when Radius has to encapsulate the server certificate in response = needs to fragment the packet, not 100% sure if the resolves the problem.

So a final rule of thumb, running 802.1x EAP traffic, Radius server in Azure or sending 802.1x radius traffic through Azure you have to be very, very careful, due to the UDP fragmentation issue / rules in Azure breaking the RFC.

Microsoft should make sure that Azure vNet follows the RFC, and not blame it on some "security reason here and there" breaking the entire UDP stack. If they have a problem with the RFC in the UDP protocol, then work on changing the RFC.

[jackchenwork]

@fedda-no I had same problem using FortiAuthenticator as Radius server, Fortigate as site2site VPN server in Azure. EAP-TLS cert based authentication some time work, sometime not, reason is fragmented UDP datagram got lost. Fortigate has a "set ip-fragmentation pre-encapsulation" option and that ( plus reduce MTU) fixed the problem for me.

[hotgore]

UDP Fragmentation is a pain in Azure, I have special a problem with EAP-TLS in Radius UDP packet:

1. Standard Azure VNet drops all EAP TLS where UDP packet get fragmented (NAS to Radius) when the NAS encapsulate the client certificate in the UDP packet (it needs to be fragmented), Azure drops this (NAS logs it with: Radius Server Dead, Radius server: Not Response from NAS).


* This is for ALL radius traffic traversing Azure, example if you use Azure VWAN, Site to Azure, and Azure Express to Onprem DC (where Radius is hosted), UDP packet get "dropped".


2. Initial fix for this is to:
   
   * Get Azure to enable enable-udp-fragment-reordering.

3. However I still have problem if I host example Cisco ISE 3.2 in Azure, where I experience that Azure Vnet drops the "server certificate response", again, Cisco ISE 3.2 deployed from marked space are setup with standard MTU of 1500, where we see randomly that Azure still dropping the radius response from Cisco ISE. NAS reports: Radius Server dead jump to next radius server in list, ISE Response to the next request: Authentication process already in process and drops the request.  But this problem are random, not consistent as [From private repo #1](https://github.com/MicrosoftDocs/azure-docs/pull/1).


* Fix in progress, trying to change the MTU on the Cisco ISE server in Azure to 1400, to prevent any form for fragmentation to occur on the Radius response (special when Radius has to encapsulate the server certificate in response = needs to fragment the packet, not 100% sure if the resolves the problem.

So a final rule of thumb, running 802.1x EAP traffic, Radius server in Azure or sending 802.1x radius traffic through Azure you have to be very, very careful, due to the UDP fragmentation issue / rules in Azure breaking the RFC.

Microsoft should make sure that Azure vNet follows the RFC, and not blame it on some "security reason here and there" breaking the entire UDP stack. If they have a problem with the RFC in the UDP protocol, then work on changing the RFC.

Did changing the MTU fix the issue?

[asudbring]

Thank you for you dedication to our documentation.

Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information.

Please continue to provide feedback about the documentation. We appreciate your contributions to our community.

#please-close

[gideonoost]

How is this issue resolved?

…

On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote: Thank you for you dedication to our documentation. Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information. Please continue to provide feedback about the documentation. We appreciate your contributions to our community. #please-close — Reply to this email directly, view it on GitHub <#69477 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA> . You are receiving this because you commented.Message ID: ***@***.***>

[gideonoost]

Can you enlighten me as to how exactly this issue is "resolved"?

…

On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote: Thank you for you dedication to our documentation. Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information. Please continue to provide feedback about the documentation. We appreciate your contributions to our community. #please-close — Reply to this email directly, view it on GitHub <#69477 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA> . You are receiving this because you commented.Message ID: ***@***.***>

[fedda-no]

In my case, you have to triple check that Azure Support actually have enable in the vnet / vwan setup. My problem was that Azure support said it was, when in reality it wasn’t, and after getting another SME they finally got it enable correctly. Get Azure Support to enable enable-udp-fragment-reorderingThen you do not need to play around with mtu size etc…Regards,Fredrik E. Jensen17. mar. 2023 kl. 20:01 skrev gideonoost ***@***.***>: Can you enlighten me as to how exactly this issue is "resolved"?

On Fri, Mar 17, 2023 at 7:57 PM Allen Sudbring ***@***.***> wrote: Thank you for you dedication to our documentation. Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We are closing this issue. If you feel that the problem persists, please respond to this issue with additional information. Please continue to provide feedback about the documentation. We appreciate your contributions to our community. #please-close — Reply to this email directly, view it on GitHub <#69477 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA74HIPEBNRDAGTYQX46K2LW4SX3BANCNFSM4WS3XGAA> . You are receiving this because you commented.Message ID: ***@***.***>

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[hotgore]

Issue is not resolved.

Funny that Microsoft requires customers to ask for a secret flag to fix their broken network design. Yeah, build the network on GRE in a way so customers can't use GRE themselves, keep the MTU default so you have to fragment, and then take a stateless protocol, fragment it and deliver the fragments out of order. No one in the world would think that fragmenting UDP packets and delivering them out of order is a good idea. When customers complain their only option is the secret code word whereby the customer can't actually verify it is enabled. This idiocy will only get worse as more and more protocols use UDP (QUIC).

[neilyoung]

I'm having a problem with an RTSP server, which emits RTP payload at maximum 1472 bytes. This renders to max 1514 bytes on ETH, surely too big for MTU 1500. I traced the output of the Azure network interface I have access to and found, that all UDP packages left with Don't fragment bit set. In result the RTSP client couldn't successfully fetch RTSP via UDP, while TCP/TLS worked fine.

I managed to convince the nice developer to provide me a means to reduce the RTP payload size. And already the first attempt was a success (payload 1400). I think the max RTP payload is somewhat like 1458, wich in turn would render to ETH 1500. Don't fragment is still set, but the packages "come through" now.

Full story bluenviron/mediamtx#1588

Not sure, why everybody says Azure fragments at 1400...

[maZuFC]

UDP Fragmentation is a pain in Azure, I have special a problem with EAP-TLS in Radius UDP packet:

1. Standard Azure VNet drops all EAP TLS where UDP packet get fragmented (NAS to Radius) when the NAS encapsulate the client certificate in the UDP packet (it needs to be fragmented), Azure drops this (NAS logs it with: Radius Server Dead, Radius server: Not Response from NAS).

• This is for ALL radius traffic traversing Azure, example if you use Azure VWAN, Site to Azure, and Azure Express to Onprem DC (where Radius is hosted), UDP packet get "dropped".

2. Initial fix for this is to:

   • Get Azure to enable enable-udp-fragment-reordering.

3. However I still have problem if I host example Cisco ISE 3.2 in Azure, where I experience that Azure Vnet drops the "server certificate response", again, Cisco ISE 3.2 deployed from marked space are setup with standard MTU of 1500, where we see randomly that Azure still dropping the radius response from Cisco ISE. NAS reports: Radius Server dead jump to next radius server in list, ISE Response to the next request: Authentication process already in process and drops the request. But this problem are random, not consistent as From private repo #1.

• Fix in progress, trying to change the MTU on the Cisco ISE server in Azure to 1400, to prevent any form for fragmentation to occur on the Radius response (special when Radius has to encapsulate the server certificate in response = needs to fragment the packet, not 100% sure if the resolves the problem.

So a final rule of thumb, running 802.1x EAP traffic, Radius server in Azure or sending 802.1x radius traffic through Azure you have to be very, very careful, due to the UDP fragmentation issue / rules in Azure breaking the RFC.

Microsoft should make sure that Azure vNet follows the RFC, and not blame it on some "security reason here and there" breaking the entire UDP stack. If they have a problem with the RFC in the UDP protocol, then work on changing the RFC.

for me... your 'fix in progress' is what resolve our auth issues. Setting the MTU on the ISE node to 1300 did the trick.
initial testing is good and as long as nothign breaks with the mtu at 1300 then we will leave it as that. We only use ISE for 802.1x.