Thursday, October 23, 2014

Fix: Unable to open some websites on ADSL internet connection

Unable to open some websites on your ADSL internet connection? I came across this problem when I couldn't open irctc.co.in on my BSNL internet connection. This post explains why some websites fail to load on ADSL connections and how to work around the problem.

The figure below shows how some websites fail to load.

Path MTU discovery failure

The client (your computer) tries to connect to the server with the maximum packet size (Maximum Transmission Unit, or MTU) that the link between the host and the router can handle (for Ethernet, this is 1500 bytes). The server responds that it can handle 1500 bytes, and the connection is made. Neither the client nor the server is aware of a link in the path where the MTU is less than 1500 bytes. The host and the server have no issues sending or receiving packets of size less than 1492 bytes.

When a packet of size 1500 bytes is sent from the server to the host, the ADSL link, which has a 1492-byte MTU, cannot transmit this packet, and an ICMP error message is sent to the server informing it that the packet is too large and that it should reduce the packet size and retry. This is where the problem arises. Many networks are incorrectly configured to block all ICMP traffic in the hope of thwarting Denial-of-Service (DoS) attacks. Unfortunately, blocking all ICMP traffic also breaks path MTU discovery. The ICMP message that tells the server that the packet is too large never reaches the server, and the server has no idea why packets aren't reaching the host. This is why some websites fail to load, and this is also why, sometimes, the text on a web page loads but the images do not. Smaller packets get through the ADSL link without problems, but larger packets don't. After a long time, the server might see that too many packets are being dropped and might try reducing the packet size. But it usually takes too long (> 1 minute) for this to happen, and the browser will likely have timed out by then.

Workarounds:

- Use a router that can perform Maximum Segment Size (MSS) clamping. These routers can inspect outgoing packets and lower the MSS value advertised in TCP SYN packets if it is larger than the specified MSS. This way, the server will never send large packets that might be dropped, and it won't matter that it blocks all ICMP traffic. This solution violates the end-to-end principle and is an ugly hack. But it works well for home users. The figure below depicts how this works.

MSS Clamping

- If your router can't perform MSS clamping or if its implementation is broken, the MTU size may be manually reduced on every host connected to the network. Lower the MTU from the 1500-byte default to 1480 bytes or 1400 bytes on all computers connecting to the network. When the MTU is lowered, the MSS advertised in TCP SYN packets also goes down. As with the previous workaround, the server will then never send large packets that the network might drop. While this is possible on desktops and laptops, smartphones may not have an option to lower the MTU.

The client manually configured to use a smaller MTU

On Windows, you can lower the MTU size by opening a command prompt with administrative privileges (Start -> type "cmd" without quotes -> right-click on "cmd.exe" -> Run as administrator).

Enter the following command (change the LAN connection name if needed), and restart the computer.

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1400 store=persistent

On Ubuntu, go to Edit Network connection -> change the MTU to 1400 bytes in the "Ethernet" tab, then restart the computer.

Notes: 

- MTU size is the size of the IP packet including the IP headers (20 bytes) and TCP headers (20 bytes), whereas MSS is the size of the data in the packet. Since headers are not counted when calculating MSS, the MSS will be MTU - 40 bytes. For ADSL connections, since the MTU size is usually 1492 bytes, the MSS should be 1452 bytes (or lower). 

- It might be the case that your router also fails to send ICMP "packet too large" messages back to the host when the host sends an outgoing packet that is too large. Such a router is called a "black-hole" router.

"Black-hole" router drops large packets and doesn't send an error message

If you have such a router, consider replacing it or upgrading the firmware. In the meantime, the workaround described in this post will do.
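
To make the MSS clamping workaround and the MTU - 40 note above concrete, here is an added example (not part of the original post, and not any router's actual code) of what a clamping device does to an outgoing TCP SYN: find the MSS option, lower it to fit the link MTU, and patch the TCP checksum. The function names and the sample segment are assumptions constructed for illustration.

```python
import struct

def mss_for_mtu(mtu):
    """MSS = MTU - 20-byte IP header - 20-byte TCP header (1492 -> 1452)."""
    return mtu - 40

def ones_sum(data):
    """16-bit one's-complement sum, the arithmetic behind the TCP checksum."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def find_mss(seg):
    """Offset of the MSS value inside a TCP SYN segment, or None."""
    if len(seg) < 20 or not seg[13] & 0x02:   # MSS is only carried on SYN
        return None
    end = min((seg[12] >> 4) * 4, len(seg))   # header length from data offset
    i = 20
    while i < end and seg[i] != 0:            # kind 0: end of option list
        if seg[i] == 1:                       # kind 1: one-byte NOP padding
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return None                       # malformed option: do not touch
        if seg[i] == 2 and seg[i + 1] == 4:   # kind 2: MSS, 2-byte value
            return i + 2
        i += seg[i + 1]
    return None

def clamp_mss(segment, link_mtu):
    """Return (segment, old_mss, new_mss) with the MSS lowered to fit link_mtu."""
    seg, pos = bytearray(segment), find_mss(segment)
    if pos is None:
        return bytes(seg), None, None
    old = struct.unpack_from("!H", seg, pos)[0]
    new = min(old, mss_for_mtu(link_mtu))
    if new != old:
        before = ones_sum(bytes(seg))
        struct.pack_into("!H", seg, pos, new)
        csum = struct.unpack_from("!H", seg, 16)[0]
        # Incremental checksum update: C' = ~(~C + ~before + after)
        parts = (~csum & 0xFFFF, ~before & 0xFFFF, ones_sum(bytes(seg)))
        struct.pack_into("!H", seg, 16, ~ones_sum(struct.pack("!3H", *parts)) & 0xFFFF)
    return bytes(seg), old, new

# Constructed sample: SYN, port 50000 -> 443, MSS 1460, placeholder checksum.
SAMPLE_SYN = bytes.fromhex("c350 01bb 00000001 00000000 6002 faf0 1234 0000 020405b4")
```

Calling `clamp_mss(SAMPLE_SYN, 1492)` lowers the advertised MSS from 1460 to 1452; segments without SYN set, or with malformed options, are returned unchanged.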

1 comment:

  1. Dear Sagar,

    Thanks a lot for addressing this nagging problem I am having ever since I started using Ubuntu. I have Ubuntu 14.04 installed alongside Windows 7. Surprisingly, things work in Windows but not in Ubuntu. That is, I can open IRCTC in Windows but not in Ubuntu. I actually followed your instruction of reducing the MTU to 1400 bytes manually for Ubuntu. It still didn't work. In that case I have what you have called a "black-hole router". But then why does it work in Windows?

    Your thoughts on this will be very important.

    Thanks again
    Sanjoy
