01-22-2013 09:16 AM - edited 03-07-2019 11:14 AM
I was wondering if someone could help me select a router that would be powerful enough for my organization. At the main site we currently use a 2851 that has a VPN connection to a remote site; the Internet line may also be upgraded from 30Mbps to 100Mbps in the future. The VPN is configured twice for the interface; TAC suggested we only configure one, either on the tunnel int or on the physical int. I believe that may be the reason for the high CPU load but wanted others' opinions on what you thought would be best. We also want at least 1Gbit speeds for our LAN of about 100 people and also need to support 100 people in remote sites and 30 servers. I was thinking the 2951, but do you think this is sufficient? Thanks a lot! -Mark
01-22-2013 10:13 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
The 30 Mbps, itself, could account for a high loading on a 2851.
Unsure how you've configured VPN twice on the same interface. Could you clarify or post the part of the relevant config?
For LAN routing, at gig rates, you should probably look into using a L3 switch.
Attached is a Cisco white paper on later ISR performance.
01-22-2013 10:25 AM
Here is the double VPN config I was talking about:
interface Tunnel99
bandwidth 100000
ip address 172.10.1.1 255.255.255.252
ip mtu 1524
delay 1
tunnel source GigabitEthernet0/1
tunnel destination 192.168.1.1
crypto map Cisco
!
interface GigabitEthernet0/1
ip address 192.168.1.2 255.255.255.128
delay 1
duplex full
speed 100
crypto map Cisco
I believe the crypto map "Cisco" should only be configured on the Tunnel or physical interface. The TAC said our map was either configured or encrypted twice. The way this looks to me I thought it was configured twice.
01-22-2013 04:23 PM
Ah, got it. If I remember correctly, the technique you're using was required several IOS versions ago. I think newer IOS versions only require the crypto map on the physical interface. (Note: the reason I write "I think" is that there's an even newer approach for encrypted IP tunnels, VTI interfaces.)
PS:
Why IP MTU 1524 on the GRE/IPSec tunnel? I would expect something like IP MTU 1424. (I'm guessing you're adding 24 bytes for GRE, but you also have to allow for IPSec overhead, and is jumbo Ethernet enabled/supported across the physical?)
You also might consider using adjust-mss command and tunnel PMTUD.
Lastly, if you do keep using the GRE/IPSec tunnel, you might consider using keep alives across it.
01-23-2013 05:59 AM
I'm not sure how long the tunnel has been configured this way, long before I started working with this company. I believe the first recommendation by the TAC was what you mentioned about the MTU size. I haven't been able to change anything since this is an important link that needs to be available. What is the process of determining what your MTU size should be? I'd have to consider the GRE, IPSEC and the specific encryptions used, right?
01-26-2013 04:09 AM
Yes, correct, you need to figure out overhead of all the encapsulations. For example, GRE uses 24, IPSec varies on configuration. (BTW, to avoid all this, one of Cisco's documents just recommends setting IP MTU to 1400 as that should be larger than actual overhead.)
Another technique, if the tunnel is active and "honors" PMTUD, is use a router's extended ping, using a range of packet sizes, with DF set.
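The overhead arithmetic discussed in the two replies above (GRE adds 24 bytes, IPsec adds a configuration-dependent amount, and the tunnel's ip mtu plus the adjust-mss value follow from that) can be worked through in code. The following is an added example written for this thread; it is not Cisco tooling and not something either poster provided. It assumes a 1500-byte WAN MTU on the physical interface, standard RFC 4303 ESP framing, and the IV/ICV sizes of the common IOS transform-set names it lists; the profile names and helper functions are this example's own.

```python
"""Work out GRE-over-IPsec encapsulation overhead and a safe tunnel ip mtu.

Added example for the thread above (not Cisco code). Assumptions:
  * the physical WAN interface carries a 1500-byte IP MTU
  * ESP framing per RFC 4303: 8-byte header (SPI + sequence), cipher IV,
    padding to the cipher block size, 2-byte trailer (pad length + next
    header), then the integrity check value (ICV)
  * a GRE packet is the inner IP packet plus a 4-byte GRE header and a
    20-byte outer IP header, i.e. the 24 bytes mentioned in the thread
"""
from dataclasses import dataclass
import math

IP_HDR = 20
GRE_HDR = 4
TCP_HDR = 20
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
UDP_HDR = 8          # NAT-T puts ESP inside UDP/4500

# cipher transform -> (padding block size, IV length), all in bytes.
# esp-gcm has no CBC block; RFC 4303 still requires 4-byte alignment.
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16), "esp-aes-256": (16, 16),
           "esp-gcm": (4, 8)}
# integrity transform -> ICV length in bytes (truncated HMACs, GCM tag)
ICVS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16,
        "esp-gcm": 16}


@dataclass(frozen=True)
class IpsecProfile:
    """One crypto-map transform set as it affects packet size (assumed names)."""
    cipher: str
    integrity: str
    tunnel_mode: bool = True   # crypto map default; transport mode drops one IP header
    nat_t: bool = False        # NAT traversal detected during IKE


def esp_size(inner_len: int, prof: IpsecProfile) -> int:
    """Size on the wire of an ESP packet carrying inner_len bytes of plaintext."""
    block, iv_len = CIPHERS[prof.cipher]
    icv_len = ICVS[prof.integrity]
    # Plaintext + trailer is padded up to a whole number of cipher blocks.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = ESP_HDR + iv_len + padded + icv_len
    if prof.tunnel_mode:
        size += IP_HDR      # new outer IP header in tunnel mode
    if prof.nat_t:
        size += UDP_HDR     # UDP encapsulation for NAT-T
    return size


def gre_ipsec_size(inner_ip_len: int, prof: IpsecProfile) -> int:
    """Wire size of an inner IP packet after GRE encapsulation and then ESP."""
    return esp_size(inner_ip_len + IP_HDR + GRE_HDR, prof)


def fits(ip_mtu: int, prof: IpsecProfile, wan_mtu: int = 1500) -> bool:
    """True if a full-size tunnel packet leaves the WAN interface unfragmented."""
    return gre_ipsec_size(ip_mtu, prof) <= wan_mtu


def max_inner_mtu(prof: IpsecProfile, wan_mtu: int = 1500) -> int:
    """Largest tunnel ip mtu that never needs fragmentation on the WAN.

    Encapsulated size grows monotonically with the inner size, so scanning
    down from wan_mtu finds the exact answer including padding effects.
    """
    for mtu in range(wan_mtu, 0, -1):
        if fits(mtu, prof, wan_mtu):
            return mtu
    raise ValueError("overhead exceeds WAN MTU")


def tcp_mss(ip_mtu: int) -> int:
    """MSS to clamp with 'ip tcp adjust-mss' so TCP segments fit the tunnel."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for prof in (IpsecProfile("esp-aes", "esp-sha-hmac"),
                 IpsecProfile("esp-aes", "esp-sha-hmac", nat_t=True),
                 IpsecProfile("esp-3des", "esp-md5-hmac")):
        best = max_inner_mtu(prof)
        print(f"{prof.cipher}/{prof.integrity} nat_t={prof.nat_t}: "
              f"max ip mtu {best}, mss {tcp_mss(best)}; "
              f"ip mtu 1400 -> {gre_ipsec_size(1400, prof)} bytes on the wire, "
              f"1424 -> {gre_ipsec_size(1424, prof)} bytes")
```

Running it shows why the thread's numbers land where they do: with esp-aes/esp-sha-hmac in tunnel mode a 1400-byte inner packet becomes 1496 bytes on the wire and fits, while 1424 (GRE-only accounting) becomes 1512 and would be fragmented or dropped. The same profile behind NAT-T costs 8 more bytes, so 1400 no longer fits and the exact ceiling drops to 1398; that is the reason the conservative 1400 rule of thumb is worth re-checking against the transform set and NAT situation actually in use before trusting it on the upgraded link.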
01-28-2013 05:27 AM
Thanks for the information Joseph! We're in the process of doing some upgrades to equipment so when I go to reconfigure everything I'll be sure to use the MTU size of 1400. Thanks again!