
IPsec MTU 1438

BrandonRumer
Level 1

I have the below config on a C8000v running 17.12.x. I am setting the tunnel ip mtu, but when I look at the tunnel MTU via 'show' commands, it is always 1438. Why? Wireshark capture yields an on-wire MTU of 1450, which maybe sounds right given the IPsec overhead...

interface Tunnel1
  ip mtu 1354
  ip tcp adjust-mss 1334
  <snip>

spoke#sh crypto ipsec sa detail | i mtu
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2

spoke#sh int tu1 | i MTU
Tunnel transport MTU 1438 bytes

 

Thanks



# CCIE 58997
16 Replies

ccieexpert
Spotlight

Hello friendo

I would suggest that anyone trying to correct me do their own due diligence and test and validate stuff. Because it's a blatant statement. We are a community, so let's keep it all friendly at the end of the day.

First, I hate to say anything bad about anybody, but if someone is trying to say I am wrong, and if that is not true, then I have to defend, as my credibility is on the line. If I am wrong, of course I have no problem admitting it.

First off, the document is from a VPN SPA, EOL, and was for Cat 6500/7600; not a good source.

But that diagram itself states at the bottom


t_MTU  = tunnel ip mtu (NOT TUNNEL MTU)

Here is a test on IOS, where using grep with ipsec tunnel protection.

interface Ethernet0/0
description To sw105 e5/2
ip address 10.1.1.1 255.255.255.0
duplex auto
end

r12#sh int tun1 | inc MTU
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
Tunnel transport MTU 1476 bytes
r12#
r12#conf term
Enter configuration commands, one per line. End with CNTL/Z.
r12(config)#int e0/0
r12(config-if)#ip mtu 1200
r12(config-if)#end
r12#sh int tun1 | inc MTU
*Aug 31 06:55:19.693: %SYS-5-CONFIG_I: Configured from console by console
r12#sh int tun1 | inc MTU
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
Tunnel transport MTU 1176 bytes
r12#

Show ip interface tunnel <<- please share this from your lab

MHM