Cisco Support Community
New Member

IPSEC SA ip mtu idb interface?


What is the ip mtu idb interface under the "show crypto ipsec sa" command output in IOS?  How is this interface determined?      



New Member

Anybody have any idea how the "ip mtu idb interface" is determined?

Cisco Employee

It's determined by source of crypto, with a few nice twists.

Spoke1#show run int tu1 | i mtu

ip mtu 1400

Spoke1#sh run int e0/0 | i mtu

Spoke1#show crypto ipsec sa | i mtu

     path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1

     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0


What are you trying to figure out exactly?

New Member

I have a GRE/IPSEC tunnel going from a local ASR to one of our remote sites and I'm seeing a ton of reassembly on the remote end.  When looking at the IPSEC SA from the ASR I noticed some of the SAs are using the physical WAN interface and some are using the virtual tunnel interface for their MTU size.  I don't think this is my problem, it just struck my curiosity and I couldn't find any documentation on it.  I think I am running into fragmentation due to the egress interface MTU for the tunnel traffic.  The IP MTU on the tunnel is 1350 while the egress interface is 1500.  We have another site which is set up identically to this one except the ASR's egress interface is set to 1550 IP MTU.  I've read that the GRE header adds 24 bytes but can't find an easy answer to how much the IPSEC encapsulation would add.

Cisco Employee

The IPsec overhead is 'complicated' to calculate (depending on chosen cipher suite and original packet length). Hence you'd need to have a calculator of some sort; several folks wrote those, and we have one internally written by a colleague.

It is safe to assume that overhead will be around 100 bytes (for GRE over IPsec); newer IOS will calculate that for you too. It's a stretch, but we'd rather have lower MSS than deal with fragmentation.

But regardless, you will see very often in our reference configuration that MTU is set to 1400, and a matching MSS of 1360.

Fragmentation/reassembly is an popular, remember that when you set MTU you NEED to also set MSS (MTU - 40 = MSS).

Another thing is (tunnel) PMTUD. While it's typically broken over the internet, it is one of my favorites; it helps detect and diagnose problems early in the deployment rather than dealing with them later on.

Just figured I'd get this out there.
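
Added example (not part of the thread, and not the internal calculator mentioned above): a small model of how the ESP packet size for GRE over IPsec depends on the cipher suite and the original packet length. It assumes IPv4 without options, a 4-byte GRE header without key or sequence fields, and minimal ESP padding; the function names and the transform table are illustrative.

```python
# Added example: ESP size model for GRE over IPsec (IPv4, no IP options).
# Field sizes follow the ESP RFCs; names and sample transforms are assumptions.
IPV4, GRE, ESP_HDR, ESP_TRAILER, NAT_T_UDP = 20, 4, 8, 2, 8

# cipher -> (IV bytes, padding alignment in bytes)
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8), "aes-gcm": (8, 4)}
# integrity -> ICV bytes ("gcm" = the 16-byte tag of AES-GCM)
ICVS = {"sha1-96": 12, "sha256-128": 16, "gcm": 16}


def encrypted_size(inner_len, cipher="aes-cbc", icv="sha1-96",
                   mode="tunnel", nat_t=False):
    """On-wire IPv4 packet length for one passenger packet of inner_len bytes."""
    iv, align = CIPHERS[cipher]
    # Transport mode protects GRE + passenger; tunnel mode also encrypts
    # the GRE delivery IP header and prepends a new outer IP header.
    plaintext = GRE + inner_len + (IPV4 if mode == "tunnel" else 0)
    # Pad so plaintext + pad-length + next-header bytes fill whole blocks.
    padded = -(-(plaintext + ESP_TRAILER) // align) * align
    udp = NAT_T_UDP if nat_t else 0
    return IPV4 + udp + ESP_HDR + iv + padded + ICVS[icv]


def overhead(inner_len, **kw):
    """Bytes added to the passenger packet by GRE and ESP."""
    return encrypted_size(inner_len, **kw) - inner_len


def max_tunnel_mtu(path_mtu, **kw):
    """Largest passenger packet that still fits path_mtu after encryption."""
    mtu = path_mtu
    while mtu > 0 and encrypted_size(mtu, **kw) > path_mtu:
        mtu -= 1
    return mtu


def mss_for(ip_mtu):
    return ip_mtu - 40  # 20-byte IPv4 + 20-byte TCP header, as in the thread


if __name__ == "__main__":
    for mtu in (1350, 1400):  # tunnel IP MTU values mentioned in the thread
        print(mtu, encrypted_size(mtu), overhead(mtu), mss_for(mtu))
    print(max_tunnel_mtu(1500), max_tunnel_mtu(1500, mode="transport"))
```

With AES-CBC and SHA-1 in tunnel mode, a 1400-byte passenger packet becomes 1496 bytes on the wire, but the same packet with NAT-T encapsulation reaches 1504 bytes and no longer fits a 1500-byte path.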

