I have a GRE/IPSEC tunnel going from a local ASR to one of our remote sites and I'm seeing a ton of reassembly on the remote end. When looking at the IPSEC SA from the ASR I noticed some of the SAs are using the physical WAN interface and some are using the virtual tunnel interface for their MTU size. I don't think this is my problem, it just struck my curiosity and I couldn't find any documentation on it. I think I am running into fragmentation due to the egress interface MTU for the tunnel traffic. The IP MTU on the tunnel is 1350 while the egress interface is 1500. We have another site which is set up identically to this one except the ASR's egress interface is set to 1550 IP MTU. I've read that the GRE header adds 24 bytes but can't find an easy answer to how much the IPSEC encapsulation would add.
The IPsec overhead is 'complicated' to calculate (depending on chosen cipher suite and original packet length). Hence you'd need to have a calculator of some sort; several folks wrote those, we have one internally written by a colleague.
It is safe to assume that overhead will be around 100 bytes (for GRE over IPsec); newer IOS will calculate that for you too. It's a stretch, but we'd rather have lower MSS than deal with fragmentation.
But regardless, you will see very often in our reference configuration that MTU is set to 1400, and a matching MSS of 1360.
Fragmentation/reassembly is a popular issue; remember that when you set MTU you NEED to also set MSS (MTU - 40 = MSS).
Another thing is (tunnel) PMTUD, while it's typically broken over internet, it is one of my favorites, it helps detect and diagnose problems early in the deployment rather than dealing with it later on.
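The answer above says the ESP overhead depends on the cipher suite and on the original packet length (because of ESP block padding), and that the tunnel MTU must be paired with an MSS of MTU - 40. The following calculator is an added example written for this page; it is not the internal tool the answer mentions and not Cisco code. It models IPv4 GRE (20-byte delivery header + 4-byte GRE header = the 24 bytes from the question) wrapped in ESP, using the standard ESP layout (8-byte SPI/sequence header, cipher IV, padding to the cipher block size, 2-byte pad-length/next-header trailer, then the ICV). The suite table is constructed from well-known parameters for a few common transforms; it ignores IP options, GRE key/sequence fields and the extra 8-byte UDP header added by NAT traversal, so treat the results as a lower bound.

```python
"""Estimate GRE-over-IPsec (ESP) encapsulation overhead and the matching TCP MSS.

Added example for this thread, not the internal calculator referenced in the
answer. Header sizes follow the standard IPv4/GRE/ESP layouts; the suite table
below is a constructed sample of common transforms.
"""
from dataclasses import dataclass

IPV4_HEADER = 20   # IPv4 header without options
GRE_HEADER = 4     # basic GRE header (no checksum/key/sequence fields)
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
TCP_HEADER = 20    # together with IPV4_HEADER gives the "MTU - 40 = MSS" rule


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # bytes of IV carried in the ESP payload
    block: int     # alignment the ESP payload is padded to (ESP requires at least 4)
    icv_len: int   # bytes of integrity check value appended after the trailer


# Constructed table of common ESP transforms (IV / padding / ICV sizes).
SUITES = {
    "aes-cbc-sha1":   EspSuite("aes-cbc-sha1",   iv_len=16, block=16, icv_len=12),
    "aes-cbc-sha256": EspSuite("aes-cbc-sha256", iv_len=16, block=16, icv_len=16),
    "aes-gcm-128":    EspSuite("aes-gcm-128",    iv_len=8,  block=4,  icv_len=16),
    "3des-sha1":      EspSuite("3des-sha1",      iv_len=8,  block=8,  icv_len=12),
}


def esp_padding(protected_len: int, block: int) -> int:
    """Bytes of ESP padding needed so (payload + trailer) is a multiple of block."""
    return (-(protected_len + ESP_TRAILER)) % block


def gre_ipsec_overhead(inner_len: int, suite: EspSuite, mode: str = "tunnel") -> int:
    """Bytes added to an inner IP packet of inner_len by GRE + ESP encapsulation.

    mode="tunnel":    ESP protects the whole GRE packet and adds a new outer IP header.
    mode="transport": ESP sits behind the GRE delivery header and protects only the
                      GRE header and inner packet (saves one IPv4 header).
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    gre_len = inner_len + IPV4_HEADER + GRE_HEADER          # the 24 bytes GRE adds
    protected = gre_len if mode == "tunnel" else gre_len - IPV4_HEADER
    pad = esp_padding(protected, suite.block)
    esp_len = ESP_HEADER + suite.iv_len + protected + pad + ESP_TRAILER + suite.icv_len
    total = IPV4_HEADER + esp_len   # outer header: new (tunnel) or reused delivery header (transport)
    return total - inner_len


def largest_inner_packet(egress_mtu: int, suite: EspSuite, mode: str = "tunnel") -> int:
    """Largest inner IP packet that still fits egress_mtu after encapsulation.

    Padding is not monotonic in inner_len, so walk downward and check each size.
    """
    inner = egress_mtu
    while inner > 0 and inner + gre_ipsec_overhead(inner, suite, mode) > egress_mtu:
        inner -= 1
    return inner


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS matching a tunnel IP MTU: MTU minus IPv4 and TCP headers (MTU - 40)."""
    return mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for name, suite in SUITES.items():
        for mode in ("tunnel", "transport"):
            biggest = largest_inner_packet(1500, suite, mode)
            print(f"{name:15s} {mode:9s} overhead@1350={gre_ipsec_overhead(1350, suite, mode):3d} "
                  f"overhead@1500={gre_ipsec_overhead(1500, suite, mode):3d} "
                  f"max inner for 1500-byte egress={biggest} -> MSS {mss_for_mtu(biggest)}")
```

Running it shows why the answer can say "around 100 bytes": with AES-CBC/SHA1 in tunnel mode a 1350-byte inner packet (the questioner's tunnel MTU) grows by 82 bytes, a full 1500-byte packet by 92, and the largest inner packet that still fits a 1500-byte egress interface is 1414, so the 1400/1360 MTU/MSS pairing from the reference configuration sits safely below it without relying on fragmentation.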