Problems with MTU when using GRE over IPsec on a PPPoE connection

Jan 6th, 2012

I'm having some problems with a DMVPN connection on a Cisco 876.

It is connected to an ADSL line with a PPPoE dialer.

The PPPoE overhead is 8 bytes and the DMVPN overhead is 24 bytes, which should be 1468 MTU.

However, I have also configured IPsec tunnel mode (the IOS default) on this, and because of IPsec I'm having trouble doing the MTU math for the max MTU on packets leaving/received on the tunnel interface. The configuration is as follows:

interface Tunnel xx
 ip address x.x.x.x x.x.x.x
 ip nhrp authentication xxxx
 ip nhrp map multicast x.x.x.x
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp network-id 10
 ip nhrp holdtime 300
 ip nhrp nhs x.x.x.x
 ip virtual-reassembly
 tunnel source DialerX
 tunnel mode gre multipoint
 tunnel key xxxxx
 tunnel protection ipsec profile vpnprof

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxxxxx address x.x.x.x x.x.x.x

crypto ipsec transform-set dmvpn-trans esp-3des esp-sha-hmac

crypto ipsec profile vpnprof
 set transform-set dmvpn-trans

  1. How much MTU is the max size I can get through here?
  2. And what would the optimal MTU be here?
  3. Should the Dialer interface be configured with any ip mtu at all? It's configured with "ip mtu 1492" in my configuration.
  4. Also, is there a good optimal tcp adjust-mss size?

Any help would be appreciated!


Kristian Brown

Marcin Latosiewicz (Cisco Employee) Fri, 01/06/2012 - 05:35


Typically DMVPN tunnel MTU is set to 1400 for connections with around 1500 byte MTU.

MSS = MTU - 40 (no IP options) = 1360 in that case.

Also, if possible, use transport mode for your DMVPN tunnel. IOS is smart enough to fall back from transport to tunnel when needed, and you will save a few bytes ;-)
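
Added example (not part of the thread or of either poster's text): the overhead math for the configuration shown in the question, comparing IPsec tunnel and transport mode behind the 1492-byte PPPoE Dialer. It assumes IPv4 without options, no NAT-T, ESP laid out per RFC 4303 with 3DES-CBC (8-byte block and IV) and HMAC-SHA1-96 (12-byte ICV), and a GRE header of 4 bytes plus the 4-byte tunnel key; all function names are made up for this example.

```python
# Added example: sizes in bytes; assumptions are listed in the lead-in above.
IP_HDR = 20                  # IPv4 header, no options
TCP_HDR = 20                 # TCP header, no options
GRE_HDR = 4 + 4              # base GRE header + key ("tunnel key" is configured)
ESP_HDR = 4 + 4              # SPI + sequence number
ESP_IV = 8                   # 3DES-CBC IV
ESP_BLOCK = 8                # 3DES block size, drives the padding
ESP_TRAILER = 2              # pad-length + next-header bytes
ESP_ICV = 12                 # HMAC-SHA1-96 authentication data
PPPOE_LINK_MTU = 1500 - 8    # matches "ip mtu 1492" on the Dialer


def wire_size(inner_len, mode):
    """IP packet size leaving the Dialer for an inner packet of inner_len bytes."""
    if mode == "transport":
        protected = GRE_HDR + inner_len             # ESP covers GRE + inner packet
    elif mode == "tunnel":
        protected = IP_HDR + GRE_HDR + inner_len    # ESP covers the whole GRE/IP packet
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    plaintext = protected + ESP_TRAILER
    padded = -(-plaintext // ESP_BLOCK) * ESP_BLOCK  # round up to the cipher block
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_tunnel_mtu(link_mtu, mode):
    """Largest inner packet that still fits the link without fragmentation."""
    mtu = link_mtu
    while wire_size(mtu, mode) > link_mtu:
        mtu -= 1
    return mtu


def mss_for(tunnel_mtu):
    """TCP MSS for a given tunnel MTU (no IP or TCP options)."""
    return tunnel_mtu - IP_HDR - TCP_HDR


def report(link_mtu=PPPOE_LINK_MTU):
    rows = {}
    for mode in ("tunnel", "transport"):
        best = max_tunnel_mtu(link_mtu, mode)
        rows[mode] = {"max_mtu": best, "mss": mss_for(best),
                      "wire_at_1400": wire_size(1400, mode)}
    return rows


if __name__ == "__main__":
    for mode, row in report().items():
        print(mode, row)
```

Under these assumptions a 1400-byte tunnel MTU fits inside 1492 in both modes, and the padding step is why the usable maximum moves in 8-byte steps rather than byte by byte.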


