Thank you everyone for posting on this topic. I have been running 12.3(12.10) on the 2691 and it does appear to be fine. The only downside is the tunnel interface has to be shut then no shut to bring it up upon a router reload. The engineer I am working with is trying to find the fix for this problem now. I'm tempted to back down to 12.3.11T2 until Cisco can resolve these issues. Can anyone tell me if there are running the advipservices version or advsecurity and what the difference may be? Also I have a Cisco 1712 experiencing the same problem with input queue wedge but I am using CBAC and NAT route maps on the router so I do come across the bug mentioned in previous messages. Is there going to be a fix for this as well? Thanks again.

-Jake Gibb (noc@krollworldwide.com)

I did a compare of the two images 12.3.11T2 advsecurity and advipservices. It appears they both support standard VPN, QOS, IDS, etc. but ipservices includes support for BGP, VoIP, and MPLS functions. Hope that helps anyone that may have been curious as I was. Thanks.

-Jake Gibb

I have just reloaded my 2691 with 12.3.11T2 and disabled IP CEF. The input queue wedge problem did stop on the tunnel interface. How much of an impact does this pose on the router and passing traffic? Is it substantial?

I didn't see much of a performance hit but, you can enable cef. You just need to take your IP MTU size down to 1400 on both hub and spoke tunnel interfaces and that should stop the wedging problem.

Confirmed with the developers that this bug is fixed in 12.3(12.10)T also, the bug has been updated to reflect that now.

Disabling CEF is not the way we would want you to go towards fixing this issue. your router may run fine without CEF but there will be a bigger hit on the CPU, so it's all dependent on how much traffic it is processing as to how the performance will be affected. On a busy router disabling CEF may bring the router to its knees.

What features are contained in your different releases is detailed here:

http://www.cisco.com/warp/customer/620/1.html#4-1

I changed the MTU to 1400 on both the remote tunnel interface and the local. With IP CEF enabled this did indeed stop the input queue wedge problem but I could not get some applications to connect across the tunnel(remote desktop, etc..). I also have the command ip tcp adjust-mss 1436 on the remote router tunnel interface. I discovered this was needed for some website access across the connection to the main site.

I'm fairly sure I need to go with the advsecurity version of the IOS as we do not need advanced routing capabilities etc. I just need to settle on a revision that works. I have two more DMVPN sites coming up within a month and would love to have this problem resolved. Thanks for the ongoing support.

I'm also running advsecurity. With my current config, things are running stable. RDP and other applications work fine.

Are you running DSL on any of the sites?

Also, TAC recommended that it there were connectivity problems or a lot of output drops, to adjust the tcp mss to 1360.

These are both leased line connections to ISP's. Looks like that adjustment in tcp adjust-mss did it. Does the ip tcp adjust-mss command have to be applied on both ends or just one? I'm not sure I understand where to place it. Thanks.

-Jake Gibb

The "ip tcp adjust-mss" command changes the MSS value in incoming OR outgoing TCP SYN packets. Theoretically you can just configure it on one end cause it'll see all the SYN packets and adjust the MSS value accordingly, but having it on both ends won't matter either.

Thank you. It looks like everything is stable now running 12.3(11)T2. I appreciate your help.

-Jake