01-14-2014 05:46 AM - edited 02-21-2020 07:26 PM
Hello,
What is the ip mtu idb interface under the "show crypto ipsec sa" command output in IOS? How is this interface determined?
Thanks,
Nathan
01-16-2014 12:55 PM
Anybody have any idea how the "ip mtu idb interface" is determined?
01-17-2014 05:26 AM
It's determined by the source of the crypto, with a few nice twists.
Spoke1#show run int tu1 | i mtu
ip mtu 1400
Spoke1#sh run int e0/0 | i mtu
Spoke1#show crypto ipsec sa | i mtu
path mtu 1400, ip mtu 1400, ip mtu idb Tunnel1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
Spoke1#
What are you trying to figure out exactly?
01-17-2014 07:10 AM
I have a GRE/IPSEC tunnel going from a local ASR to one of our remote sites and I'm seeing a ton of reassembly on the remote end. When looking at the IPSEC SA from the ASR I noticed some of the SAs are using the physical WAN interface and some are using the virtual tunnel interface for their MTU size. I don't think this is my problem, it just struck my curiosity and I couldn't find any documentation on it. I think I am running into fragmentation due to the egress interface MTU for the tunnel traffic. The IP MTU on the tunnel is 1350 while the egress interface is 1500. We have another site which is set up identically to this one except the ASR's egress interface is set to 1550 IP MTU. I've read that the GRE header adds 24 bytes but can't find an easy answer to how much the IPSEC encapsulation would add.
01-17-2014 08:42 AM
Nathan,
The IPsec overhead is 'complicated' to calculate (depending on the chosen cipher suite and original packet length). Hence you'd need to have a calculator of some sort; several folks wrote those, and we have one internally written by a colleague.
It is safe to assume that the overhead will be around 100 bytes (for GRE over IPsec); newer IOS will calculate that for you too. It's a stretch, but we'd rather have a lower MSS than deal with fragmentation.
But regardless, you will very often see in our reference configurations that the MTU is set to 1400, with a matching MSS of 1360.
Fragmentation/reassembly is a popular one; remember that when you set the MTU you NEED to also set the MSS (MTU - 40 = MSS).
Another thing is (tunnel) PMTUD; while it's typically broken over the internet, it is one of my favorites, as it helps detect and diagnose problems early in the deployment rather than dealing with them later on.
Just figured I'd get this out there.
M.
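The reply above says the GRE-over-IPsec overhead depends on the cipher suite and on the original packet length, and lands around 100 bytes, which is why the reference configurations use an IP MTU of 1400 and an MSS of 1360. The following calculator is an added example written for this page, not the internal tool the reply mentions and not Cisco code. It assumes ESP in tunnel mode carrying a GRE-encapsulated IPv4 packet with the basic 4-byte GRE header (no key or sequence options) and no NAT-T UDP encapsulation; the header, IV, ICV and padding sizes are those of the standard algorithms. It shows the overhead moving with payload length because of cipher-block padding, finds the largest inner packet that still fits a 1500-byte egress MTU, and derives the MSS from an IP MTU.

```python
"""GRE-over-IPsec (ESP tunnel mode) overhead calculator.

Encapsulated packet layout assumed here:
  outer IPv4 (20) | ESP header SPI+seq (8) | IV |
  [ inner IPv4 (20) | GRE (4) | original IP packet | padding | pad-len (1) | next-hdr (1) ]
  | ICV
The bracketed region is encrypted and must be a multiple of the cipher's
padding alignment, so the overhead varies with the original packet length.
"""

IPV4_HDR = 20
GRE_HDR = 4          # basic GRE header, no key/sequence options (assumption)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_HDR = 20

# cipher name -> (IV length, padding alignment of the encrypted region)
CIPHERS = {
    "aes-cbc":  (16, 16),
    "3des-cbc": (8, 8),
    "aes-gcm":  (8, 4),    # counter mode: only ESP's 4-byte alignment applies
}
# integrity name -> ICV length appended after the encrypted region
INTEGRITY = {
    "hmac-sha1-96":    12,
    "hmac-sha256-128": 16,
    "aes-gcm":         16,  # AES-GCM carries its own 16-byte ICV
}


def esp_gre_overhead(inner_len, cipher="aes-cbc", integrity="hmac-sha1-96"):
    """Bytes added to an original IP packet of inner_len bytes by GRE + ESP tunnel mode."""
    iv_len, align = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    gre_packet = IPV4_HDR + GRE_HDR + inner_len       # GRE delivery header + GRE + original
    plaintext = gre_packet + ESP_TRAILER              # what ESP encrypts before padding
    pad = (-plaintext) % align                        # pad up to the cipher alignment
    outer = IPV4_HDR + ESP_HDR + iv_len + plaintext + pad + icv_len
    return outer - inner_len


def max_inner_len(egress_mtu, cipher="aes-cbc", integrity="hmac-sha1-96"):
    """Largest original IP packet that still fits egress_mtu after GRE + ESP encapsulation."""
    for length in range(egress_mtu, 0, -1):
        if length + esp_gre_overhead(length, cipher, integrity) <= egress_mtu:
            return length
    raise ValueError("egress MTU too small for any payload")


def tcp_mss(ip_mtu):
    """TCP MSS matching an IP MTU: MTU minus the IPv4 and TCP headers (MTU - 40)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for cipher, integ in [("aes-cbc", "hmac-sha1-96"), ("aes-cbc", "hmac-sha256-128"),
                          ("3des-cbc", "hmac-sha1-96"), ("aes-gcm", "aes-gcm")]:
        print(f"{cipher}/{integ}: overhead for 1400-byte packet = "
              f"{esp_gre_overhead(1400, cipher, integ)} bytes, "
              f"largest packet fitting a 1500-byte egress MTU = "
              f"{max_inner_len(1500, cipher, integ)}")
    print(f"ip mtu 1400 -> tcp mss {tcp_mss(1400)}")
```

With AES-CBC and HMAC-SHA1-96 a 1400-byte packet picks up 96 bytes, while a 1414-byte packet picks up only 82 because it pads to a 16-byte boundary exactly; 1414 is therefore the largest packet that fits a 1500-byte egress MTU, and a tunnel `ip mtu 1400` leaves a little headroom for NAT-T or GRE options, which is the margin the reply describes as a stretch.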