913
Views
5
Helpful
16
Replies

IPsec MTU 1438

BrandonRumer
Level 1

I have the below config on a C8000v running 17.12.x. I am setting the tunnel ip mtu but when I look at the tunnel the MTU via 'show' commands, it is always 1438. Why? Wireshark capture yields an on-wire MTU of 1450, which maybe sounds right given the ipsec overhead...

interface Tunnel1
  ip mtu 1354
  ip tcp adjust-mss 1334
  <snip>

spoke#sh crypto ipsec sa detail | i mtu
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2

spoke#sh int tu1 | i MTU
Tunnel transport MTU 1438 bytes

 

Thanks



# CCIE 58997
1 Accepted Solution

Accepted Solutions

ccieexpert
Spotlight

hello friend

the ip mtu has no bearing on the tunnel MTU or the IPsec SA MTU.. the ipsec sa mtu is generally derived from the tunnel source interface..

But to simplify this a lot, i would suggest just not messing with tunnel path MTU discovery etc....

when you set the ip mtu to a fairly lower value - 1400 or less - and use adjust-mss, that should take care of all issues.. The ip mtu really addresses the ip data traffic (not the gre/ipsec encapsulated packet) going, and you will only see it when you enter "show ip interface", and that should reflect your setting. So that dictates the largest packet that is allowed over the tunnel interface. But generally for TCP, the adjust-mss will override that and set it accordingly...

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#toc-hId--457249655

this document is great for that..

**please rate as helpful if this was useful**


16 Replies

NO tunnel path-mtu-discovery

Add this under tunnel interface 

MHM

Thanks for the comment. It looks like this doesn't 'stick' to the interface when you manually set the MTU (it doesn't even show under sh run all). As another person mentioned, this 1438 MTU is derived from the tunnel source interface (outside), minus IPsec overhead.



# CCIE 58997

One Q: did you try it?

I shared a link, and in the link there is

Problems with PMTUD <<- 

So disable it and config ip tcp mss. You did config ip tcp mss but did not disable pmtud.

Try it first then we will talk 

MHM

I did. When I put that config on the tunnel interface it would not actually ever show up under 'sh run int tu1' or 'sh run all | b Tunnel1'. Additionally, the tunnel MTU stayed at 1438.



# CCIE 58997

Let me check it in lab

Just to be clear, the 'tunnel ip mtu' does 'work' for traffic that goes through the tunnel. My question was why does the tunnel never reflect this in the 'ipsec sa' or 'sh int'

As @ccieexpert mentioned, the MTU I was asking about is taken from the tunnel source interface MTU minus IPsec overhead, which answered my question.

 

Thanks for your comments & help!



# CCIE 58997

I ran a lab and I successfully configured mtu 1300, and the tunnel source is 1500.

Show ip interface tunnel <<- shows the value

Show crypto ipsec sa <<- this is not affected by the tunnel mtu

Just tested and confirmed.

So why don't you see it in show interface?

MHM

Friend...Please read the link i sent.. tunnel ip mtu is for data traffic without gre/ipsec encapsulation.. is not for GRE traffic or with ipsec encapsulation..

Tunnel without gre and without ipsec, then how does this tunnel work?

Friend, I already tried, and if mr @BrandonRumer does show ip interface tunnel

He will see his mtu setting value.

Changing the tunnel mtu is done for any tunnel and it affects data passing, encrypted or not.

MHM

MTU I was asking about is taken from the tunnel source interface <<- this is not correct

first check this flow from the cisco doc.

[image: IPSec MTU.png]

second, when you set mtu under the tunnel it must appear in show ip interface tunnel; if it does not appear, try use debug tunnel and see the mtu sent by local and remote peer

MHM


Thanks for your explanation. I confirmed that when adjusting the source interface's MTU that this reflects in the tunnel MTU. It was just an oddity that I couldn't explain. Thanks for the link, too!



# CCIE 58997

M02@rt37
VIP

Hello @BrandonRumer 

The router is automatically adjusting the tunnel MTU to 1438 bytes to accommodate IPsec overhead, which is why your manually set MTU of 1354 is not directly reflected in the show command outputs. This is normal behavior as the device prioritizes avoiding fragmentation after IPsec encapsulation. The observed 1450-byte MTU in Wireshark is consistent with this, accounting for both IPsec and Ethernet overhead.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks!



# CCIE 58997