Total Output drops (Input Queue) on GRE tunnel interface
We've experienced "output drops" on GRE tunnel interfaces with IPSec. The WAN link for carrying GRE traffic is not even congested and the CPU utilization of the router is under 10%. The router model is a Cisco 7206VXR.
description Primary Hub DMVPN Tunnel
ip address 172.16.x.x 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
no ip next-hop-self eigrp 111
ip nhrp authentication xiysdjn
ip nhrp map multicast dynamic
ip nhrp network-id 798356
ip nhrp holdtime 120
no ip split-horizon eigrp 111
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 195532
tunnel protection ipsec profile VPNprofile
hold-queue 3000 in
hold-queue 4096 out
PAPPAPAP#sh int tu 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: Primary Hub DMVPN Tunnel
Internet address is 172.16.X.X/24
MTU 1514 bytes, BW 155000 Kbit/sec, DLY 1000 usec,
Re: Total Output drops (Input Queue) on GRE tunnel interface
One of the common output drop reasons on the tunnel interface would be PMTUD, i.e., when a packet larger than 1400 bytes arrives on the input interface with the DF bit set, the router would drop this packet and send back out an ICMP 3/4 message to perform PMTUD. These drops would be accounted for as output drops on the tunnel. You can verify this by doing a "debug ip icmp" on the router, or look at the ICMP statistics under "show ip traffic" for ICMP unreachables sent.
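The counter check suggested in the reply above can be scripted. This is an added example, not part of the original thread: it compares two snapshots of "show interfaces Tunnel0" and "show ip traffic" and reports whether ICMP unreachables sent grew together with the tunnel's total output drops. The snapshot text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample text (not output from the thread): the relevant lines of
# "show interfaces Tunnel0" followed by "show ip traffic", captured twice.
SNAP_BEFORE = """\
Tunnel0 is up, line protocol is up
  Input queue: 0/3000/0/0 (size/max/drops/flushes); Total output drops: 1200
IP statistics:
  Sent: 90311 generated, 5120043 forwarded
ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 4 unreachable
        12 echo, 3 echo reply, 0 mask requests, 0 mask replies, 0 quench
  Sent: 0 redirects, 1150 unreachable, 3 echo, 12 echo reply
"""
SNAP_AFTER = SNAP_BEFORE.replace("drops: 1200", "drops: 1500").replace(
    "1150 unreachable", "1445 unreachable")

DROPS_RE = re.compile(r"Total output drops:\s*(\d+)")
# Anchor on the ICMP section so the IP-level "Sent:" line is not matched.
UNREACH_RE = re.compile(r"ICMP statistics:.*?Sent:.*?(\d+) unreachable", re.S)


def read_counters(text):
    """Return (total_output_drops, icmp_unreachables_sent) for one snapshot."""
    drops, unreach = DROPS_RE.search(text), UNREACH_RE.search(text)
    if not drops or not unreach:
        raise ValueError("snapshot is missing a required counter line")
    return int(drops.group(1)), int(unreach.group(1))


def pmtud_share(before, after):
    """Compare counter growth between two snapshots of the same router."""
    d0, u0 = read_counters(before)
    d1, u1 = read_counters(after)
    new_drops, new_unreach = d1 - d0, u1 - u0
    if new_drops < 0 or new_unreach < 0:
        raise ValueError("counters went backwards (cleared or reloaded)")
    # The unreachable counter covers every ICMP type 3 code, not only code 4,
    # so matching growth supports the PMTUD explanation without proving it.
    ratio = new_unreach / new_drops if new_drops else 0.0
    return {"new_drops": new_drops, "new_unreachables": new_unreach,
            "ratio": round(ratio, 3),
            "consistent_with_pmtud": new_drops > 0 and new_unreach > 0}


if __name__ == "__main__":
    print(pmtud_share(SNAP_BEFORE, SNAP_AFTER))
```

If the router rate-limits ICMP unreachables, the ratio can sit well below 1 even when PMTUD is the cause, so treat the ratio as informational and confirm with "debug ip icmp" as the reply describes.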