07-01-2022 07:41 AM
We have a case today of reported Internet 'slowness'. We recently encrypted links out to this location. I noticed right away that pings to 8.8.8.8 would not work at 1500 bytes. Snooping about a bit on this, I found this in the output of a command:
xxxxx1#show crypto ipsec sa | inc mtu
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
So I went ahead and did more testing to 8.8.8.8
xxxxxxxx#ping 8.8.8.8 size 1438
Type escape sequence to abort.
Sending 5, 1438-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/11/12 ms
xxxxxxxx#ping 8.8.8.8 size 1439
Type escape sequence to abort.
Sending 5, 1439-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
So that MTU might be getting in the way of throughput if packets come in at a size greater than 1438...
I looked around and did not readily find a way to change that, but I'm hoping there is one. I'd appreciate your advice!
07-01-2022 07:46 AM
07-01-2022 07:49 AM
Use tunnel mode instead of transport mode to save some bytes.
07-01-2022 08:03 AM
Hello,
What kind of topology do you have? Are we talking about remote access VPN or site-to-site VPN? In the latter case, configure the below on the LAN interfaces:
ip tcp adjust-mss 1398
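The arithmetic behind the 1438 and 1398 values in this thread, as an added example that is not part of any post: it assumes ESP over IPv4 with common transforms (the thread does not show the transform set), and all function and table names are hypothetical.

```python
# Added example: ESP overhead arithmetic behind "plaintext mtu" and the MSS clamp.
# Assumption: IPv4, no IP/TCP options; the transform set is not shown in the thread.

IPV4_HDR = 20     # IPv4 header without options
TCP_HDR = 20      # TCP header without options
UDP_HDR = 8       # NAT-T encapsulation (UDP 4500), if used
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# cipher -> (IV bytes, alignment of the encrypted part in bytes)
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8), "aes-gcm": (8, 4)}
# integrity check value (ICV) length in bytes
ICVS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16, "gcm-16": 16}


def plaintext_mtu(path_mtu, cipher, icv, mode="tunnel", nat_t=False):
    """Largest cleartext IP packet that fits in one ESP packet of path_mtu."""
    iv, block = CIPHERS[cipher]
    # Room left for the encrypted part after outer IP, optional UDP, ESP header, IV, ICV.
    room = path_mtu - IPV4_HDR - (UDP_HDR if nat_t else 0) - ESP_HDR - iv - ICVS[icv]
    # Payload + padding + 2-byte trailer must be a multiple of the cipher alignment.
    encrypted = (room // block) * block
    payload = encrypted - ESP_TRAILER
    # Tunnel mode encrypts the whole inner packet; transport mode keeps the
    # original IP header outside the encrypted part.
    return payload if mode == "tunnel" else payload + IPV4_HDR


def tcp_mss(mtu):
    """MSS that keeps a full-size TCP segment within the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    mtu = plaintext_mtu(1500, "aes-cbc", "hmac-sha1-96")
    print("plaintext mtu:", mtu)           # matches the 'show crypto ipsec sa' value
    print("ip tcp adjust-mss", tcp_mss(mtu))
    for cipher, icv in (("aes-cbc", "hmac-sha256-128"), ("aes-gcm", "gcm-16")):
        print(cipher, icv, plaintext_mtu(1500, cipher, icv))
```

Under these assumptions, both AES-CBC transforms yield the 1438-byte plaintext MTU reported by the router, and subtracting 40 bytes of IP and TCP headers gives the 1398 MSS suggested in the reply.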
07-01-2022 10:07 AM