02-21-2013 07:25 AM - edited 03-04-2019 07:06 PM
Hi,
All of the tunnel on our router has high value on MTU (17000++ bytes).
Here is one of the tunnel:
sh int Tunnel65:
Tunnel65 is up, line protocol is up
Hardware is Tunnel
Description: ipsec vti to sgsineqnix-gw-2
Internet address is 10.255.255.66/30
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 255/255, rxload 255/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 116.214.1.5, destination 116.214.2.5
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vti")
Last input never, output never, output hang never
Last clearing of "show interface" counters 2w3d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 57294
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 1035000 bits/sec, 197 packets/sec
5 minute output rate 301000 bits/sec, 179 packets/sec
126621059 packets input, 3951039179 bytes, 0 no buffer
Received 0 broadcasts (329227 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
107858419 packets output, 3543811088 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
sh run int Tunnel65:
interface Tunnel65
description ipsec vti to blah-blah
ip address 10.255.255.66 255.255.255.252
ip summary-address eigrp 89 10.63.0.0 255.255.224.0
tunnel source 116.214.1.5
tunnel mode ipsec ipv4
tunnel destination 116.214.2.5
tunnel protection ipsec profile ipsec-vti
end
We are using Cisco 2911 router with IOS Version 15.2(3)T.
Please advise how to fix this.
Regards,
Jenna
02-21-2013 07:41 AM
please check show ip int tun 65 instead of show int tun 65
02-21-2013 07:43 AM
it is recommended you have 1400 for GRE plus IPsec..
interface Tunnel1
ip mtu 1400
if i am not wrong, you should considering the MTU which is from show ip int tun 1
Router#show run int tun 1
Building configuration...
Current configuration : 494 bytes
!
interface Tunnel1
bandwidth 1024
ip address 10.13.0.27 255.255.0.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip nhrp authentication 111
ip nhrp map multicast dynamic
ip nhrp map multicast 205.204.2.251
ip nhrp map 10.13.0.1 205.204.2.251
ip nhrp network-id 101
ip nhrp nhs 10.13.0.1
zone-member security inside
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 111
tunnel protection ipsec profile ocbackupvpn shared
end
Router#show int tun 1 | i MTU
MTU 17912 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
Tunnel transport MTU 1472 bytes
Router#show ip int tun 1 | i MTU
MTU is 1400 bytes
Router#
02-21-2013 10:13 PM
Hi Vinayaka,
Here's the result of "show ip int Tunnel65":
phmnlccent-gw-3#sh ip int Tunnel65
Tunnel65 is up, line protocol is up
Internet address is 10.255.255.66/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1438 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Post encapsulation features: IPSEC Post-encap output classification
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
phmnlccent-gw-3#sh int Tunnel65 | i MTU
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
Tunnel transport MTU 1438 bytes
phmnlccent-gw-3#sh ip int Tunnel65 | i MTU
MTU is 1438 bytes
I understand that on "show ip int Tunnel65" it shows 1438 only but the "show int Tunnel65" is giving too high value.
Can you explain what's the reason for this?
Thanks and regards,
Jenna
02-21-2013 10:23 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You shouldn't need interleaving/fragmentation with a link > half a T1's bandwidth.
Try setting tx-ring-limit to minimal value on all your serial interfaces.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: