I believed I had properly accounted for the IPSEC/mGRE overhead on my Tunnel interface settings (IP MTU and MSS), but was experience high CPU utilization (IP Input) due to fragmentation and reassembly.
Below are the overhead calculations I used originally;
* mGRE - 28 bytes (24 for GRE plus additional 4 for DMVPN Key)
* IPSEC - 60 (SHA/AES)
* TCP Header - 20
* IP Header - 20
Total - 1372 which would be the MSS number I would use.
Following Best Practic recommendations, I even lowered my MSS number to come up with the following original Tunnel confg;
ip mtu 1400
ip tcp adjust-mss 1360
I was still experiencing fragmentation / reassembly until I changed to the following;
ip mtu 1372
ip tpc adjust-mss 1332
What was I missing in my original calculations or did I misunderstand how I would use the resulting number (MTU instead of MSS) from my calculations?