12-15-2022 11:54 AM
We have an IPsec s2s tunnel between two FTD units (one physical, one virtual). When you do show cry ipsec sa peer X.X.X.X, there's a part in the output that shows you the IPsec overhead. But it shows two values and that's what is confusing me. See the underlined portion below:
local crypto endpt.: X.X.X.X/XXXX, remote crypto endpt.: X.X.X.X/XXXX
path mtu 1500, ipsec overhead 63(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
Is this telling me that the overall IPsec overhead is 63 bytes? What does the 44 in parentheses indicate?
12-15-2022 01:45 PM
As far as I know:
ipsec overhead 63(44)
44 for SHA
63 for AES
12-15-2022 02:41 PM
44 Bytes are the header overhead. This could be built by:
63 Bytes is the overhead if we also add the ESP trailer with
12-16-2022 05:14 AM
So if that is true we are looking at 107 bytes of IPsec overhead on top of IP and TCP payloads. Am I interpreting that correctly?
12-16-2022 05:59 AM
I think I misread that. 63 is the total overhead you are describing. Sorry, I hadn't had my morning coffee yet!
12-16-2022 06:24 AM - edited 12-16-2022 06:25 AM
coffee first always. LoL..
12-16-2022 08:28 AM
@MatthewHickey7355 wrote:
Sorry, I hadn't had my morning coffee yet!
Why do you do such things? That's dangerous ...