Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

gre/ipsec fragmentation issues - clarification on possible solutions?

Fellow Engineers,

I was recently reading a cisco documentation discussing solutions to minimize/avoid fragmentation issues with ipsec and gre and was hoping just to get some further clarification. My understanding is that there are 3 major solutions that can be implemented on the router, including clearing the DF bit, setting the gre mtu to accomadate the overhead, or utilizing the "ip tcp adjust-mss" command.

It is my understanding that the "ip adjust-mss", if applied to the gre tunnel interfaces will ensure that all tcp connections through the tunnel will only agree to a maximum segment size specified in the command. With this solution a host using the vpn tunnel for transport will only agree to a maximum segment size specified on the router and will not send ip packets to the router with a larger ip data payload than specified therfore avoiding any fragmentation unless there is a data link along the vpn path that has a mtu smaller than the outbound interface of the router.

Secondly, in comparision, if I chose the adjust the gre tunnel interface ip mtu I would just need to choose a value to accomadate the gre and ipsec overhead so that packets would not have to be fragmented after encryption. Packets that are to large for the outbound interface would still be fragmented upon reaching the gre interface but avoid being dropped at the outbound physical interface.

I'm under the conclusion that if your running at least IOS 12.2(4)T, using the TCP MSS command would always be the best choice because of the complete elimination of the fragmentation both before the encryption and after the encryption unless there is a small mtu somewhere out in the network along the vpn path. The ip mtu command on the gre interface would only be needed for traffic not utilizing tcp. DF bit solution would be appropriate when traffic with df bit is being sent to the router.

In conclusion, would it be a true statement to say that to maximize throughput you would want to use the TCP MSS command when possible, but the mtu would still to be lowered on the gre interface to allow for proper fragmentation of non tcp traffic?

any clarification/thoughts are appreciated,



Re: gre/ipsec fragmentation issues - clarification on possible s

Another option would be to reduce the client's mtu size to be 1476, which would force the send max segment size to be smaller. Depending on the number of clients you have on your ethernet segment, this might not be feasible since you would want to make the changes on all the devices on that segment.

CreatePlease to create content