Before an IPSec or GRE packet can be decrypted or decapsulated, the packet must be complete. If needed, the packet must be reassembled from its underlying fragments. Fragmentation is a cheap operation as it can be performed in hardware (on the VPNSM) or in the CEF switching path (on classic IOS platforms). On the other hand, reassembly is only performed in hardware on the VPNSM and any other platform would require punting the packet to the process switching flow. This operation is typically slow, costly and can be spotted through packet losses and high CPU. Even when done in hardware, reassembly buffers must be readily available under the penalty of packet losses. If fragments are lost, reassembly buffers get consumed and both software and hardware reassembly are impacted.