...
With "tunnel protection ipsec profile AES" and "tunnel path-mtu-discovery" configured on the ASR1009-X, we source a ping from a device behind the 1009:

    N7K# ping 130.30.1.3 df-bit packet-size 1000 vrf vrf6000 source 100.0.1.3 count 1

On the first ping the crypto IPsec SA MTU changes, but the tunnel MTU does not:

    Oct 18 05:41:53.247: ICMP: dst (1.2.12.10) frag. needed and DF set unreachable rcv from 140.40.40.162 mtu:1000
    ASR1009-X-3#sh crypto ipsec sa | in mtu
    plaintext mtu 962, path mtu 1000, ip mtu 1500, ip mtu idb TenGigabitEthernet0/1/0

Source another ping; the tunnel MTU should change this time:

    N7K# ping 130.30.1.3 df-bit packet-size 1000 vrf vrf6000 source 100.0.1.3 count 1

No logging such as "adjusting soft state MTU" appears, and the tunnel keeps its original MTU:

    ASR1009-X-3#sh int tun 10094321 | in MTU
    MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec, Path MTU Discovery, ager 10 mins, min MTU 92
    Tunnel transport MTU 1438 bytes
    ASR1009-X-3#sh adj tun 10094321 int | in mtu
    L3 mtu 1420

If we use "debug platform packet-trace" to capture packets, we find:

    11 Port-ch10 Te0/1/0 FWD
    12 Te0/1/0 internal0/0/rp:0 PUNT 11 (For-us data)
    -> packets 11 and 12 seen on the first ping, as expected
    35 Port-ch10 Tu10094321 DROP 132 (IpsecOutput)
    -> packet 35 seen on the second ping, but not the expected "PUNT 26 (QFP ICMP generated packet)" and "PUNT 30 (RP injected For-us data)"
    75 Port-ch10 Tu10094321 DROP 132 (IpsecOutput)
    -> packet 75 seen on the next ping; no "DROP 51 (IpFragErr)" and no ICMP type 3 code 4 sent to the N7K

---------

If we remove "tunnel protection ipsec profile AES" from Tunnel10094321, path-mtu-discovery works well on the ASR1009-X:

    N7K# ping 130.30.1.3 df-bit packet-size 1000 vrf vrf6000 source 100.0.1.3 count 1

Without tunnel protection the tunnel MTU changes on the first ping. On ASR1009-X-3:

    Oct 18 05:15:28.417: ICMP: dst (1.2.12.10) frag. needed and DF set unreachable rcv from 140.40.40.162 mtu:1000
    Oct 18 05:15:28.417: Tunnel10094321: dest 1.1.12.1, received frag needed (mtu 1000), adjusting soft state MTU from 0 to 976
    ASR1009-X-3#sh int tun 10094321 | in MTU
    MTU 9976 bytes, BW 100 Kbit/sec, DLY 50000 usec, Path MTU Discovery, ager 10 mins, min MTU 92, MTU 976, expires 00:08:43
    Tunnel transport MTU 1476 bytes
    ASR1009-X-3#sh adj tun10094321 int | in mtu
    L3 mtu 976
    mtu update from interface suppressed
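As an added example (not part of the original report), a small Python check that parses the ICMP log line and the two show outputs above and reports whether the path MTU learned from ICMP actually reached the tunnel's soft-state and adjacency MTU; the sample strings are constructed from the output quoted in the report, and the regexes are assumptions about those output formats.

```python
import re
from typing import Optional

# Constructed samples modelled on the outputs in the report (not captured from a device).
FRAG_NEEDED_LOG = ("Oct 18 05:41:53.247: ICMP: dst (1.2.12.10) frag. needed and DF set "
                   "unreachable rcv from 140.40.40.162 mtu:1000")
# Case with "tunnel protection": tunnel MTU and adjacency MTU are not adjusted.
SHOW_INT_IPSEC = ("MTU 9938 bytes, BW 100 Kbit/sec, DLY 50000 usec, Path MTU Discovery, "
                  "ager 10 mins, min MTU 92\nTunnel transport MTU 1438 bytes")
SHOW_ADJ_IPSEC = "L3 mtu 1420"
# Case without "tunnel protection": soft-state MTU 976 installed, adjacency follows.
SHOW_INT_PLAIN = ("MTU 9976 bytes, BW 100 Kbit/sec, DLY 50000 usec, Path MTU Discovery, "
                  "ager 10 mins, min MTU 92, MTU 976, expires 00:08:43\n"
                  "Tunnel transport MTU 1476 bytes")
SHOW_ADJ_PLAIN = "L3 mtu 976\nmtu update from interface suppressed"


def frag_needed_mtu(log: str) -> Optional[int]:
    """MTU advertised in an ICMP 'frag. needed and DF set' log line (regex is an assumption)."""
    m = re.search(r"frag\. needed and DF set .*?mtu:(\d+)", log)
    return int(m.group(1)) if m else None


def soft_state_mtu(show_int: str) -> Optional[int]:
    """PMTUD soft-state MTU from 'show interface tunnel', or None if none is installed."""
    m = re.search(r"min MTU \d+, MTU (\d+), expires", show_int)
    return int(m.group(1)) if m else None


def adjacency_mtu(show_adj: str) -> Optional[int]:
    """L3 MTU programmed in the tunnel adjacency ('show adjacency ... internal')."""
    m = re.search(r"L3 mtu (\d+)", show_adj)
    return int(m.group(1)) if m else None


def pmtud_applied(log: str, show_int: str, show_adj: str) -> dict:
    """Report whether the ICMP-learned path MTU reached the tunnel's forwarding state.

    PMTUD counts as applied only if a soft-state MTU is present and the adjacency
    MTU is below the ICMP-reported path MTU (encapsulation overhead subtracted).
    """
    path = frag_needed_mtu(log)
    soft = soft_state_mtu(show_int)
    adj = adjacency_mtu(show_adj)
    applied = path is not None and soft is not None and adj is not None and adj < path
    return {"path_mtu": path, "soft_state_mtu": soft, "adjacency_mtu": adj, "applied": applied}
```

Run against the two captures, the IPsec-protected tunnel reports applied=False while the unprotected tunnel reports applied=True, matching the behaviour described in the report.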
The issue is triggered when all of the following conditions are met:
1) DMVPN tunnel with a loopback interface as the tunnel source
2) IPsec configured
3) "tunnel path-mtu-discovery" configured under the tunnel interface
4) Router reload
Don't use a loopback interface as the tunnel source, or re-configure the IP address of the loopback interface, or don't use "tunnel path-mtu-discovery".