I have a dual DMVPN setup which works fine, apart from a performance issue. It's probable that this is a packet fragmentation issue, as I'm seeing many reassembled fragments on my encryption routers. The IP MTU value on the tunnel is 1436, as recommended by R Deal in his VPN configuration guide. If I remove the IP MTU 1436 command and let IOS select its own value, it returns 1472 for IP MTU.
Reading up on Cisco.com, various values are mentioned: 1400 and 1440. As this is a production network under change control, I'm after recommendations from other working networks to get this fixed.
I'm also using MSS adjustment for TCP, setting a value of 1360, and have a route-map to clear the DF bit in TCP and UDP frames.
I'm using IPSec transport mode, and there are no NAT boundaries for the IPSec to cross.
If I am right, as you are already adjusting MSS, the maximum size of your TCP packets will not exceed 1400, so MTU becomes completely irrelevant. Are you still having problems with applications? Did you try using PMTUD?
Although I don't have a problem with MTU as such, performance is an issue. I believe this can be improved by tuning MTU configuration even if it's a little bit. Did you manage to reach optimal working figures and settings for MTU on DMVPN?
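An added example, not part of the original thread: a calculation of the on-wire size of a GRE packet protected by ESP in transport mode, for the tunnel IP MTU values discussed above. It assumes a 1500-byte link MTU, an IPv4 header without options, and a GRE tunnel key (consistent with the 1472 default reported above); the transform table is constructed, since the thread does not say which transform set is in use.

```python
# ESP parameters per transform, in bytes: (IV length, cipher block size, ICV length).
# Constructed table of common transforms; the thread does not name the one in use.
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

IP_HDR = 20       # outer IPv4 header, no options (kept as-is in transport mode)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte


def gre_header_len(tunnel_key=True):
    """Base GRE header is 4 bytes; the optional key field adds 4."""
    return 8 if tunnel_key else 4


def wire_size(inner_len, transform, tunnel_key=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes after
    GRE encapsulation and ESP transport-mode protection."""
    iv, block, icv = TRANSFORMS[transform]
    plaintext = gre_header_len(tunnel_key) + inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block  # round up to the cipher block size
    return IP_HDR + ESP_HDR + iv + padded + icv


def max_tunnel_mtu(transform, link_mtu=1500, tunnel_key=True):
    """Largest tunnel IP MTU whose encrypted packet still fits link_mtu,
    so the encrypting router never fragments after encryption."""
    mtu = link_mtu
    while wire_size(mtu, transform, tunnel_key) > link_mtu:
        mtu -= 1
    return mtu


if __name__ == "__main__":
    for name in TRANSFORMS:
        sizes = {m: wire_size(m, name) for m in (1400, 1436, 1440, 1472)}
        print(f"{name:26} max tunnel MTU {max_tunnel_mtu(name)}  wire sizes {sizes}")
```

Any wire size above the link MTU means the ESP packet is fragmented after encryption and has to be reassembled by the decrypting router before it can be decrypted. A full-size TCP segment at MSS 1360 is a 1400-byte inner packet, but UDP and other non-TCP traffic can still fill the tunnel IP MTU.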