I am working in a DMVPN environment with two HUB and 25 Spoke routers. There are mGRE tunnels everywhere with the same basic configuration. There are also Extended Access Lists attached to the WAN Serial & ADSL interfaces, permitting only ESP and ISAKMP (UDP 500) packets. Every day in the Primary HUB router I see the following log messages:
Dec 03 08:52:57 172.16.250.2 2528762: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 13 packets
Dec 03 08:52:57 172.16.250.2 2528763: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.26 -> 192.168.192.1 (11/1), 8 packets
Dec 03 08:52:57 172.16.250.2 2528764: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.82 -> 192.168.192.1 (11/1), 1 packet
Dec 03 08:53:57 172.16.250.2 2528765: Dec 3 08:53:44.148: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.78 -> 192.168.192.1 (11/1), 8 packets
The source IP addresses are the WAN IP addresses of all the Spoke routers, and the IP address 192.168.192.1 is the Loopback IP address of the Primary HUB router. I see similar log messages in every Spoke router, with the source IP address being the Primary HUB WAN interface and the destination IP addresses the Loopback IP addresses of all the other Spoke routers. As far as I know there is no fragmentation issue, and everything works fine. But the question remains:
Where do these ICMP packets come from?
Can anyone help me answer this question?
Thanks in advance!
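Added example, not part of the original post: a small Python parser for the ICMP form of the IOS %SEC-6-IPACCESSLOGDP message. It decodes the "(11/1)" pair as ICMP type 11 code 1, which RFC 792 defines as "Time Exceeded / fragment reassembly time exceeded", the message a host sends when it received some fragments of a datagram but not all of them before its reassembly timer expired. The sample input reuses the four log lines from the question plus one constructed extra line for the same source; the ICMP name table and the helper names are my own.

```python
import re
from collections import defaultdict

# Sample input: the four lines from the question plus one constructed fifth line
# (same source as the first, a minute later) so that aggregation has something to add up.
SAMPLE_LOG = """\
Dec 03 08:52:57 172.16.250.2 2528762: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 13 packets
Dec 03 08:52:57 172.16.250.2 2528763: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.26 -> 192.168.192.1 (11/1), 8 packets
Dec 03 08:52:57 172.16.250.2 2528764: Dec 3 08:52:44.143: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.82 -> 192.168.192.1 (11/1), 1 packet
Dec 03 08:53:57 172.16.250.2 2528765: Dec 3 08:53:44.148: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.78 -> 192.168.192.1 (11/1), 8 packets
Dec 03 08:53:57 172.16.250.2 2528766: Dec 3 08:53:44.150: %SEC-6-IPACCESSLOGDP: list WAN denied icmp 10.195.35.30 -> 192.168.192.1 (11/1), 2 packets
"""

# For ICMP the parenthesised pair after the destination is (type/code), not a port.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# Type/code names from RFC 792 for the values most often seen on a WAN ACL.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 4): "destination unreachable / fragmentation needed and DF set",
    (8, 0): "echo request",
    (11, 0): "time exceeded / TTL exceeded in transit",
    (11, 1): "time exceeded / fragment reassembly time exceeded",
}


def describe_icmp(icmp_type, code):
    """Return a human-readable name for an ICMP type/code pair."""
    return ICMP_NAMES.get((icmp_type, code), f"unknown ICMP type {icmp_type} code {code}")


def parse_line(line):
    """Parse one syslog line; return its fields, or None if it is not an ICMP ACL log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "acl": f["acl"], "action": f["action"], "proto": f["proto"],
        "src": f["src"], "dst": f["dst"],
        "type": int(f["type"]), "code": int(f["code"]),
        "count": int(f["count"]),
    }


def summarize(log_text):
    """Aggregate denied ICMP packet counts per (src, dst, type, code) over many log lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "icmp" and rec["action"] == "denied":
            totals[(rec["src"], rec["dst"], rec["type"], rec["code"])] += rec["count"]
    return dict(totals)


def reassembly_timeout_sources(summary):
    """Peers that sent ICMP 11/1, i.e. gave up reassembling a fragmented datagram they received."""
    return sorted({src for (src, _dst, t, c) in summary if (t, c) == (11, 1)})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (src, dst, t, c), n in sorted(summary.items()):
        print(f"{src} -> {dst}: {n:3d} x {describe_icmp(t, c)}")
    print("peers reporting reassembly timeouts:", reassembly_timeout_sources(summary))
```

Run against a syslog export, the summary shows at a glance whether the denied ICMP is all 11/1 from the tunnel peers (fragments of the tunnel traffic arriving incompletely at the far end) or whether other types are mixed in that would need a different explanation.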
I got my reply from the developers, and they pointed out an error that I had in my overhead byte calculation.

So with GRE(tunnel_key)+AH+ESP(AES)+ESPauth IPsec transport mode, a 1400 byte clear text packet will end up being 1504 bytes after encapsulation and encryption. So you definitely need to lower your IP MTU. Again I would recommend 'ip mtu 1380' and 'ip tcp adjust-mss 1340'. A 1380 byte clear text packet will end up being 1472 bytes (encapsulated+encrypted). This will give you a little extra room in case there are other overheads, like NAT-T (8 bytes) or PPPoE (8 bytes).

Note, I was thinking about your dialer interface. I think you want to use 'ip mtu 1492' and 'ip tcp adjust-mss 1452'. I think there is only 8 bytes of overhead, unless your Dialer is for some reason using more.
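Added example, not from the reply above or from Cisco: a Python calculator that reproduces the overhead arithmetic for GRE(tunnel key)+AH+ESP(AES)+ESP auth in transport mode, so the 1400 -> 1504 and 1380 -> 1472 figures can be checked rather than taken on trust, and so the same arithmetic can be applied with NAT-T or PPPoE in the path. The per-layer sizes are assumptions: the standard 20-byte outer IPv4 header, 8-byte GRE header with key, 24-byte AH with a 96-bit ICV, 8-byte ESP header, 16-byte AES-CBC IV, 2-byte ESP trailer, 12-byte ESP ICV and padding to the 16-byte AES block. With exactly these sizes the two numbers quoted in the reply come out, which is why they are used here.

```python
# Assumed per-layer overheads in bytes (standard sizes for the stack the reply names;
# with these the reply's figures 1400 -> 1504 and 1380 -> 1472 are reproduced).
OUTER_IPV4 = 20        # outer IPv4 header written by the GRE tunnel interface
GRE_WITH_KEY = 8       # 4-byte GRE header + 4-byte tunnel key
AH_HMAC96 = 24         # AH fixed header (12) + 96-bit ICV (12)
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_IV_AES_CBC = 16    # explicit IV, one AES block
ESP_TRAILER = 2        # pad length + next header
ESP_ICV_HMAC96 = 12    # ESP authentication data
AES_BLOCK = 16
NAT_T_UDP = 8          # UDP header added for NAT traversal
PPPOE = 8              # PPPoE header (6) + PPP protocol field (2)
IPV4_TCP_HEADERS = 40  # minimal IPv4 + TCP headers, subtracted to derive the MSS


def esp_padding(plaintext_len):
    """ESP pads so that plaintext + padding + 2-byte trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def encapsulated_size(clear_len, tunnel_key=True, ah=True, nat_t=False, pppoe=False):
    """Bytes on the wire for a clear_len-byte IP packet after GRE + AH + ESP(AES) transport mode.

    In transport mode the GRE header plus the original packet is the ESP plaintext; AH and
    the tunnel's outer IPv4 header are then added in the clear.
    """
    gre_hdr = GRE_WITH_KEY if tunnel_key else GRE_WITH_KEY - 4
    plaintext = gre_hdr + clear_len
    esp_total = (ESP_HEADER + ESP_IV_AES_CBC + plaintext + esp_padding(plaintext)
                 + ESP_TRAILER + ESP_ICV_HMAC96)
    size = OUTER_IPV4 + esp_total
    if ah:
        size += AH_HMAC96
    if nat_t:
        size += NAT_T_UDP
    if pppoe:
        size += PPPOE
    return size


def max_clear_mtu(link_mtu=1500, **kwargs):
    """Largest tunnel 'ip mtu' whose encapsulated packet still fits the physical link MTU."""
    for clear in range(link_mtu, 0, -1):
        if encapsulated_size(clear, **kwargs) <= link_mtu:
            return clear
    return 0


def tcp_mss_for(ip_mtu):
    """Matching 'ip tcp adjust-mss': the IP MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return ip_mtu - IPV4_TCP_HEADERS


if __name__ == "__main__":
    for clear in (1400, 1380):
        print(f"{clear} clear -> {encapsulated_size(clear)} on the wire")
    print("largest ip mtu on a 1500-byte link:", max_clear_mtu(1500))
    print("with NAT-T and PPPoE as well:", max_clear_mtu(1500, nat_t=True, pppoe=True))
    print("adjust-mss for 1380:", tcp_mss_for(1380), "/ for 1492:", tcp_mss_for(1492))
```

The block-alignment step matters: because ESP pads to a 16-byte boundary, the on-the-wire size grows in steps rather than linearly, which is why a 1400-byte packet overshoots 1500 while 1398 just fits. Lowering the tunnel IP MTU to the value the reply recommends keeps every encapsulated packet under the link MTU even with NAT-T and PPPoE both present, so the tunnel peers stop having to fragment and reassemble ESP.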