
Multicast over GRE IPsec VPN Tunnel, Interface reset

mzhecisco
Level 1

I am trying to set up multicast over a GRE/IPsec point-to-point tunnel between two Cisco 1811. After enabling multicast on the Tunnel interface, the interface was up for about 1 minute and then could not be accessed at all; I had to reload to get the interface accessible. At the same time, the console showed the following errors:

*Feb 22 22:00:06 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: Interface Goodbye received
*Feb 22 22:00:11 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency
*Feb 22 22:01:27 CST: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 76.204.172.33 -> 76.204.172.33 (8/0), 9 packets
*Feb 22 22:01:31 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: retry limit exceeded
*Feb 22 22:01:35 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency
*Feb 22 22:02:55 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: retry limit exceeded
*Feb 22 22:02:58 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency

Even when the Tunnel is up, multicast was not routed. Testing the Tunnel gave the following message:

A Ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to other end VPN device is failing. This may happen if there is a lesser MTU network which drops 'Do not Fragment' packets.

Recommended Actions:

1) Contact your ISP ......

2) Issue command 'crypto ipsec df-bit clear' under VPN interface to avoid packet drop due to fragmentation.

For config, Tunnel0 is "ip pim dense-mode", Fa1 (to multicast source) is "ip pim dense-mode", and the global configuration has "ip multicast-routing".

I am wondering if my multicast configuration is wrong for multicast over a GRE IPsec tunnel, or the GRE IPsec tunnel configuration has a problem, for example its MTU setting is incorrect, or the 1811 is too small for this kind of routing?

Many thanks,

Michael
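
An added example, not part of the original post: a small parser for the console lines quoted above that measures how long each EIGRP adjacency on the tunnel lasted before it dropped, which makes the flap pattern explicit. The function names are hypothetical, and because the log carries no year a fixed one is assumed for the time arithmetic.

```python
import re
from datetime import datetime

# Console lines copied from the post above (IOS syslog format, year not logged).
LOG = """\
*Feb 22 22:00:06 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: Interface Goodbye received
*Feb 22 22:00:11 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency
*Feb 22 22:01:27 CST: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 76.204.172.33 -> 76.204.172.33 (8/0), 9 packets
*Feb 22 22:01:31 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: retry limit exceeded
*Feb 22 22:01:35 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency
*Feb 22 22:02:55 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is down: retry limit exceeded
*Feb 22 22:02:58 CST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.6.14 (Tunnel0) is up: new adjacency
"""

NBR = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \w+: %DUAL-5-NBRCHANGE: .*?"
    r"Neighbor (?P<nbr>\S+) \((?P<ifc>[^)]+)\) is (?P<state>up|down): (?P<why>.+)$")

def parse(log):
    """Yield (time, neighbor, interface, state, reason) for each EIGRP neighbor change."""
    for line in log.splitlines():
        m = NBR.match(line.strip())
        if m:
            # Assumption: the log has no year, so a fixed one is used to compute deltas.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["nbr"], m["ifc"], m["state"], m["why"]

def flaps(log):
    """For each down event that follows an up, return how long the adjacency lasted."""
    up_since, out = {}, []
    for ts, nbr, ifc, state, why in parse(log):
        key = (nbr, ifc)
        if state == "up":
            up_since[key] = ts
        elif key in up_since:
            out.append((nbr, ifc, int((ts - up_since.pop(key)).total_seconds()), why))
    return out

def is_flapping(log, min_flaps=2, reason="retry limit exceeded"):
    """True when a neighbor dropped min_flaps times or more for the given reason."""
    return sum(1 for f in flaps(log) if f[3] == reason) >= min_flaps

if __name__ == "__main__":
    for nbr, ifc, secs, why in flaps(LOG):
        print(f"{nbr} on {ifc}: adjacency lasted {secs}s, then down ({why})")
```

On the quoted lines, both adjacencies last 80 seconds and end with "retry limit exceeded"; the first "Interface Goodbye received" event is skipped because no earlier "up" is in the capture.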
