tfo tcp optimized-mss <value>

All WAN traffic must be encrypted for our company.  We use VTI tunnels with IPSec to do this in a Hub & Spoke topology.

The WAN is Metro-E in many locations and supports a MTU of 1500. 

VTI Tunnels = 24~32 bytes (depending on options set, CheckSUM etc..)

IPSec = 56~58 bytes

Leaving 1420~1410 bytes for the MTU

We must then set the MSS adjust on the Ethernet interface of the router to a MSS that accounts for the TCP & IP Headers.

TCP Header = 20 bytes

IP Header = 20 bytes

Leaving 1380~1370 bytes for the MSS Adjust

Even when we set our MSS Adjust this low we still see a message in captures that state the traffic exceeded MTU by 57 bytes. We are assuming he router is accounting for the IPSec.  So we have pushed the MSS-Adjust down an additional 57 bytes to 1323~1313.

So how does this affect WAAS.  Should I set the Original & Optimized MSS to 1323~1313 or let it receive this from the router's ethernet LAN interface.  Also should I push the MTU size down to meet these values, or leave it alone and once again rely on the router to advertise the TCP segment size to the WAAS.

There are a few lines in the document that make me believe the WAAS will reset this MSS value to 1432 ignoring what the router advertises.  I questioning the wording of, "If WCCP is enabled, change the MSS value to the lesser of the client advertised MSS and 1432"

We are using WCCP and egress-method negotiated-return intercept-method wccp.  The WAAS is in the user subnet and the router is on an interconnect subnet to the core switch.