
VPN Errors

Hi,

I am facing a VPN poor-performance issue. My VPN tunnel is up, but I found some errors in the output of #crypto ipsec sa x.x.x.x.

Will the "crypto ipsec df-bit clear" command resolve the issue, or is it a different error?

Thanks for your help.

      #pkts encaps: 380615580, #pkts encrypt: 380615589, #pkts digest: 380615589
      #pkts decaps: 254831969, #pkts decrypt: 254831969, #pkts verify: 254831969
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 380615580, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 8, #pre-frag failures: 0, #fragments created: 17
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 2539


1 REPLY

I don't think this will resolve the issue. If you use this command, then no path MTU discovery is performed, the DF bit in the IPsec header is set to 0, and the packet is fragmented if required. The default behavior is to copy the DF bit from the IP packet to the IPsec header, and by default routers do not set the DF bit, which means it is already 0. Your router is already performing fragmentation.

Workaround:

1. Either decrease the MTU and MSS on your tunnel interface:

Router(config)# interface tunnel 1

Router(config-if)# ip tcp adjust-mss 1360

Router(config-if)# ip mtu 1400

2. Or you can use "crypto ipsec fragmentation before-encryption".

The Pre-fragmentation for IPsec VPNs feature increases the decrypting router's performance by enabling it to operate in the high-performance CEF path instead of the process path. If the routers are performing fragmentation on behalf of the source node, it may be desirable to have the fragmentation performed prior to encryption. This prevents the destination tunnel router from having to reassemble the fragments and then perform the decryption. It will reduce the CPU overhead.

3. Errors should not increment. Check your config if these errors increment.

Also try to debug your ipsec sa to see what is causing these errors. 

 

HTH

"Please rate helpful posts"
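To keep an eye on the counters the reply says should not increment, here is an added example (not from the original post or from Cisco) that parses the "show crypto ipsec sa" counter block quoted in the question and flags the symptoms discussed in this thread: non-zero error counters, fragmentation activity, and an encaps/encrypt mismatch. The sample text is the block pasted above, and treating any non-zero error counter as a finding is an assumption of this example.

```python
import re

# Constructed sample: the counter block from the question above.
SAMPLE_SA_OUTPUT = """\
      #pkts encaps: 380615580, #pkts encrypt: 380615589, #pkts digest: 380615589
      #pkts decaps: 254831969, #pkts decrypt: 254831969, #pkts verify: 254831969
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 380615580, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 8, #pre-frag failures: 0, #fragments created: 17
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 2539
"""

# Matches each "#name: value" pair; names may contain spaces and hyphens.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z -]*?):\s*(\d+)")

# Counters that the reply says should stay at zero (assumed threshold: any non-zero value).
ERROR_COUNTERS = ("send errors", "recv errors", "pre-frag failures",
                  "comp failed", "decomp failed", "Invalid ICMP Errors rcvd")


def parse_sa_counters(text):
    """Return {counter_name: int} for every '#name: value' pair in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def assess_sa_counters(counters):
    """Return {finding: value} for the conditions this thread discusses."""
    findings = {}
    for name in ERROR_COUNTERS:
        if counters.get(name, 0) > 0:
            findings[name] = counters[name]
    # Non-zero fragment counters mean the router is already fragmenting IPsec traffic.
    frags = counters.get("fragments created", 0) + counters.get("pre-frag successes", 0)
    if frags > 0:
        findings["fragmentation"] = frags
    # encrypt > encaps indicates packets encrypted but not encapsulated.
    diff = counters.get("pkts encrypt", 0) - counters.get("pkts encaps", 0)
    if diff:
        findings["encrypt minus encaps"] = diff
    return findings


if __name__ == "__main__":
    for finding, value in assess_sa_counters(parse_sa_counters(SAMPLE_SA_OUTPUT)).items():
        print(f"{finding}: {value}")
```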
