A client of ours has Cisco 1811s on each side of a Metro E link. I don't have access to them, but had the client dump some of the output. I'm seeing a tunnel interface set up on each router running GRE. The default route to each site points to the IP on the other end of the tunnel interface. Then, they're also running IPsec on the WAN (Ethernet) interface. I believe that they're likely running into the fragmentation scenario explained in this doc:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t16
Scenario 9
Example of the tunnel interface config:
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 ip tcp adjust-mss 1200
 tunnel source FastEthernet1
 tunnel destination x.x.x.x
 tunnel bandwidth transmit 1000
 tunnel bandwidth receive 1000
Example of WAN interface:
interface FastEthernet1
 ip address x.xx.x. 255.255.255.192
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
I had the client do a 'show tunnel 0' and I confirmed that it's a GRE tunnel and the MTU is 1476:
XX1811#show int tunnel 0
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
I assume the WAN interface MTU is 1500 since it's Ethernet.
I'm just looking to get confirmation that fragmentation (and especially Scenario 9) could be an issue here that could affect performance between the 2 sites.
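
The arithmetic behind the fragmentation concern in the post above, as an added example that is not part of the original post: it computes the on-wire size of a packet after GRE and then ESP encapsulation and compares it with the 1500-byte WAN MTU. The ESP parameters (tunnel mode, AES-CBC, HMAC-SHA1-96) are assumptions, because the post does not show the transform set behind SDM_CMAP_1; the 1240-byte case assumes a TCP segment at the configured MSS of 1200 with no IP or TCP options.

```python
"""Added example: packet sizes for GRE-over-IPsec on a 1500-byte WAN MTU."""

WAN_MTU = 1500      # assumed in the post (Ethernet)
GRE_OVERHEAD = 24   # 20-byte delivery IP header + 4-byte GRE header (1500 - 1476)

# Assumed ESP parameters (the transform set is not shown in the post):
# tunnel mode, AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV).
OUTER_IP, ESP_HDR, IV_LEN, BLOCK, ICV_LEN = 20, 8, 16, 16, 12


def gre_size(inner_ip_len):
    """Size of the GRE/IP packet that carries an inner IP packet."""
    return inner_ip_len + GRE_OVERHEAD


def esp_size(plain_len):
    """Size after ESP tunnel-mode encapsulation of a plain_len-byte packet."""
    # Payload + pad-length byte + next-header byte, padded up to the block size.
    encrypted = (plain_len + 2 + BLOCK - 1) // BLOCK * BLOCK
    return OUTER_IP + ESP_HDR + IV_LEN + encrypted + ICV_LEN


def wire_size(inner_ip_len):
    """Bytes handed to the WAN interface for one inner IP packet."""
    return esp_size(gre_size(inner_ip_len))


def fragments_after_encryption(inner_ip_len):
    """True if the encrypted packet no longer fits the WAN MTU."""
    return wire_size(inner_ip_len) > WAN_MTU


def max_tunnel_mtu():
    """Largest inner packet that still fits the WAN MTU after GRE and ESP."""
    return max(n for n in range(68, WAN_MTU + 1)
               if not fragments_after_encryption(n))


if __name__ == "__main__":
    # 1476: full tunnel-MTU packet; 1240: TCP segment at MSS 1200 (+20 IP, +20 TCP)
    for inner in (1476, 1240):
        print(inner, wire_size(inner), fragments_after_encryption(inner))
    print("largest inner packet without post-encryption fragmentation:",
          max_tunnel_mtu())
```

Under these assumptions a full 1476-byte packet leaves the router as 1560 bytes and is fragmented after encryption, while TCP traffic clamped to MSS 1200 stays well under the limit, so the exposure is mainly non-TCP or unclamped traffic.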