cloudflare
diff --git a/‎src/assets/images/magic-transit/mtu-mss/ipsec-mss.png‎
83.6 KB b/‎src/assets/images/magic-transit/mtu-mss/ipsec-mss.png‎
83.6 KB
diff --git a/‎src/assets/images/magic-transit/mtu-mss/tcp-mss.png‎
80.6 KB b/‎src/assets/images/magic-transit/mtu-mss/tcp-mss.png‎
80.6 KB
diff --git a/‎src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx‎
Lines changed: 5 additions & 1 deletion b/‎src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx‎
Lines changed: 5 additions & 1 deletion
@@ -6,12 +6,16 @@ Asymmetric routing is a common scenario especially with Magic Transit. Ingress t
 
 In an asymmetric scenario, we want to reduce the MSS value of packets sent by Magic Transit users to the Internet in order to reduce the size of packets sent from the Internet towards their network. To accomplish this, the configuration must be done either on the customer's end-hosts or through an MSS clamp on an intermediary device on the egress path of traffic leaving their network. How MSS values affect payload sizes on both routing paths is detailed below.
 
-![A diagram how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png)
+![A diagram showing how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png)
 
 _Key takeaway from the chart above: MSS clamping affects TCP packet payload sizes flowing in the opposite direction vs. where the clamp is applied._
 
 ## Tunnel-in-tunnel scenario with Magic Transit
 
 MSS clamping only affects TCP traffic. If, for example, you have a web server on your Magic Transit prefix, then the MSS clamp will take effect on the TCP data from direct server return traffic. However, be aware that you will have to take a different approach for any tunnels inside of your Magic Transit tunnel (tunnel-in-tunnel scenario).
 
+![A diagram showing where the MSS clamp goes with TCP traffic.](~/assets/images/magic-transit/mtu-mss/tcp-mss.png)
+
 For example, if you have a Magic Transit GRE tunnel set up, and then another IPsec or GRE tunnel running from third-party devices on your premises, MSS clamp will have no impact on the outer packets of the encapsulated traffic. This is because MSS clamping affects only TCP traffic, and IPsec/GRE encapsulated traffic is IP. For this scenario, you will have to lower the MTU of the internal tunnel interface further, both for your ingress and egress traffic.
+
+![A diagram showing where the MSS clamp goes with an IPsec tunnel inside a GRE tunnel.](~/assets/images/magic-transit/mtu-mss/ipsec-mss.png)