High MTU on Tunnel interface

Hi,

All of the tunnels on our router have a high MTU value (17000++ bytes).

Here is one of the tunnel:

sh int Tunnel65:

Tunnel65 is up, line protocol is up
  Hardware is Tunnel
  Description: ipsec vti to sgsineqnix-gw-2
  Internet address is 10.255.255.66/30
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 255/255, rxload 255/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 116.214.1.5, destination 116.214.2.5
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-vti")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 2w3d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 57294
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 1035000 bits/sec, 197 packets/sec
  5 minute output rate 301000 bits/sec, 179 packets/sec
     126621059 packets input, 3951039179 bytes, 0 no buffer
     Received 0 broadcasts (329227 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     107858419 packets output, 3543811088 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

sh run int Tunnel65:

interface Tunnel65
description ipsec vti to blah-blah
ip address 10.255.255.66 255.255.255.252
ip summary-address eigrp 89 10.63.0.0 255.255.224.0
tunnel source 116.214.1.5
tunnel mode ipsec ipv4
tunnel destination 116.214.2.5
tunnel protection ipsec profile ipsec-vti
end

We are using Cisco 2911 router with IOS Version 15.2(3)T.

Please advise how to fix this.

Regards,

Jenna

4 Replies

Vinayaka Raman
Level 1

Please check show ip int tun 65 instead of show int tun 65.

Regards Vinayak

It is recommended you have 1400 for GRE plus IPsec.

interface Tunnel1
ip mtu 1400

If I am not wrong, you should be considering the MTU from show ip int tun 1.

Router#show run int tun 1
Building configuration...

Current configuration : 494 bytes
!
interface Tunnel1
bandwidth 1024
ip address 10.13.0.27 255.255.0.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip nhrp authentication 111
ip nhrp map multicast dynamic
ip nhrp map multicast 205.204.2.251
ip nhrp map 10.13.0.1 205.204.2.251
ip nhrp network-id 101
ip nhrp nhs 10.13.0.1
zone-member security inside
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 111
tunnel protection ipsec profile ocbackupvpn shared
end

Router#show int tun 1 | i MTU
  MTU 17912 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
  Tunnel transport MTU 1472 bytes

Router#show ip int tun 1 | i MTU
  MTU is 1400 bytes
Router#

Regards Vinayak

Hi Vinayaka,

Here's the result of "show ip int Tunnel65":

phmnlccent-gw-3#sh ip int Tunnel65
Tunnel65 is up, line protocol is up
  Internet address is 10.255.255.66/30
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1438 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  Post encapsulation features: IPSEC Post-encap output classification
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

phmnlccent-gw-3#sh int Tunnel65 | i MTU
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
  Tunnel transport MTU 1438 bytes

phmnlccent-gw-3#sh ip int Tunnel65 | i MTU
  MTU is 1438 bytes

I understand that "show ip int Tunnel65" shows only 1438, but "show int Tunnel65" is giving too high a value.

Can you explain what's the reason for this?

Thanks and regards,

Jenna
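
The comparison made in the posts above, as an added example that is not part of any post: it parses `show interfaces` and `show ip interface` captures, reports the IP MTU as the figure to judge each tunnel by (as the first reply suggests), and measures it against the tunnel transport MTU. The function names, the constructed Tunnel1 header lines, and the use of the transport MTU as an upper bound are assumptions of this example.

```python
import re

HEADER = re.compile(r"^(\S+) is [\w ]+, line protocol is", re.M)
FIELDS = {  # which command prints each figure
    "interface_mtu": re.compile(r"^[ \t]+MTU (\d+) bytes", re.M),  # show interfaces
    "transport_mtu": re.compile(r"^[ \t]+Tunnel transport MTU (\d+) bytes", re.M),
    "ip_mtu": re.compile(r"^[ \t]+MTU is (\d+) bytes", re.M),      # show ip interface
}

def parse(text):
    """Split captured output on interface header lines and collect MTU fields."""
    parts = HEADER.split(text)  # ['', name1, body1, name2, body2, ...]
    found = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        rec = found.setdefault(name, {})
        for key, rx in FIELDS.items():
            if m := rx.search(body):
                rec[key] = int(m.group(1))
    return found

def assess(show_int, show_ip_int):
    """Merge both captures and judge each tunnel by its IP MTU."""
    merged = parse(show_int)
    for name, rec in parse(show_ip_int).items():
        merged.setdefault(name, {}).update(rec)
    report = {}
    for name, rec in merged.items():
        ip_mtu, transport = rec.get("ip_mtu"), rec.get("transport_mtu")
        # Assumption: transport MTU is the bound; None means a capture is missing.
        headroom = None if None in (ip_mtu, transport) else transport - ip_mtu
        status = ("incomplete" if headroom is None
                  else "ip-mtu-exceeds-transport" if headroom < 0 else "ok")
        report[name] = {"nominal_mtu": rec.get("interface_mtu"),
                        "effective_mtu": ip_mtu, "status": status, "headroom": headroom}
    return report

# Figures copied from the thread; the Tunnel1 header lines are constructed.
SHOW_INT = """Tunnel65 is up, line protocol is up
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
  Tunnel transport MTU 1438 bytes
Tunnel1 is up, line protocol is up
  MTU 17912 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
  Tunnel transport MTU 1472 bytes
"""
SHOW_IP_INT = """Tunnel65 is up, line protocol is up
  MTU is 1438 bytes
Tunnel1 is up, line protocol is up
  MTU is 1400 bytes
"""
```

Calling `assess(SHOW_INT, SHOW_IP_INT)` reports Tunnel65 with an effective MTU of 1438 and no headroom, and Tunnel1 with 1400 and 72 bytes of headroom; the 17878 and 17912 figures appear only as `nominal_mtu`.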

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You shouldn't need interleaving/fragmentation with a link > half a T1's bandwidth.

Try setting tx-ring-limit to minimal value on all your serial interfaces.
