Re: ISDN 30 and DMVPN MTU sizes

BVC · ‎06-23-2020

I'm currently in the works of configuring DMVPN on an ISDN network. I've used Cisco's DMVPN guide in order to help me create the DMVPN config. But I keep getting TCP timeouts on a device on the spoke side, this device is collecting data from a database on the hub's side. This DMVPN is also using ipsec to encrypt the packets going over the ISDN 30.

I've set the MTU for both the tunnel and dialer interfaces on both sides to 1440 (to accommodate for the tunnel and ipsec overhead), do I need to set the MTU of the actual serial interfaces as 1440? As this will cause problems for other routers that are calling into the hub router that are not using DMVPN since they won't have their MTU as 1440.

Another question I have is what MTU to actually set, as the dialer interfaces and the serial interfaces on both sides are using PPP as encapsulation, will I need to decrease the MTU by another 8 bytes in order to make sure no packets are getting fragmented?

I've included the configs for both the hub and spoke routers.

Any help will be greatly appreciated.

Rob Ingram · ‎06-23-2020

Hi,

I'd leave the Dialer interface MTU value as before.

Cisco best practice for DMVPN tunnel interface is MTU = 1400 and TCP MSS = 1360

Reference here, Cisco Live BRKSEC-3052

BVC · ‎06-24-2020

Hello Rob,

The routers are using 8 channels of an ISDN 30, is 1400 the highest MTU I can have or can I go higher as this will negatively impact the speed since the WAN link is only 512 Kbp's?

Also what's the difference between fragmentation after-encryption and fragmentation before-encryption as I've seen some of the dialers on the hub router are using the before-encryption command.