...
An inconsistency between the Path MTU Discovery result and the Tunnel MTU can occur on cEdge. For example, the Tunnel MTU will be 1438 even if the Path MTU Discovery result is 1402. As a result, packets may be dropped at the underlay router between the cEdge routers.

The following CLI commands can be used to check for the inconsistency:

To check Tunnel MTU - show sdwan tunnel statistics
To check Path MTU Discovery result - show platform hardware qfp active feature bfd datapath sdwan all

The following are example command outputs.

# Tunnel MTU

cEdge#show sdwan tunnel statistics
tunnel stats ipsec 10.0.0.1 10.0.1.5 12406 12426
system-ip 10.10.50.1
local-color default
remote-color default
tunnel-mtu 1438 <<< Tunnel MTU
tx_pkts 199713
tx_octets 18225542
rx_pkts 198249
rx_octets 23528021
tcp-mss-adjust 1358
ipv6_tx_pkts 0
ipv6_tx_octets 0
ipv6_rx_pkts 0
ipv6_rx_octets 0
tx_ipv4_mcast_pkts 0
tx_ipv4_mcast_octets 0
rx_ipv4_mcast_pkts 0
rx_ipv4_mcast_octets 0

tunnel stats ipsec 10.0.0.1 10.0.1.3 12406 12386
system-ip 10.10.30.1
local-color default
remote-color default
tunnel-mtu 1442 <<< Tunnel MTU
tx_pkts 188995
tx_octets 16623142
rx_pkts 188995
rx_octets 22137536
tcp-mss-adjust 1362
ipv6_tx_pkts 0
ipv6_tx_octets 0
ipv6_rx_pkts 0
ipv6_rx_octets 0
tx_ipv4_mcast_pkts 0
tx_ipv4_mcast_octets 0
rx_ipv4_mcast_pkts 0
rx_ipv4_mcast_octets 0

# show platform hardware qfp active feature bfd datapath sdwan all

cEdge#show platform hardware qfp active feature bfd datapath sdwan all
Total number of session: 2

LD : 10003
My Private IP : 10.0.0.1
Remote Private IP : 10.0.1.5
Tx Stats : 198064
Rx Stats : 196600
Encap Type : IPSEC
State : Up
AppProbe : NO
IPSec Out SA ID : 603979782
Tunnel Rec ID : 3
IfName : GigabitEthernet2 (0xf800009f)
Uidb : 65529
Config Tx Timer : 1000000
Conig Detect Timer : 7000000
Actual Tx Timer : 1000000
Actual Detect Timer : 7000000
My Pub IP : 10.0.0.1
My Pub Port : 12406
My Symmetric NAT IP : 0.0.0.0
My Symmetric NAT Port : 0
Remote public IP : 10.0.1.5
Remote public Port : 12426
MTU(config), Actual : 1442, 1442 <<< The right value is Path MTU Discovery result
Farend PMTU : 1442
My Capabilities : 0x160
Remote Capabilities : 0x60
SDWAN BFD flags : ||||
local_color : 1
PFR stats for SLA default (addr:f1f0bd20)
Number of pkts : 311
Loss Count : 0
Latency(1/16ms) : 0
Jitter(1/16ms) : 0
Following are SDWAN stats
Echo Tx : 195611
Echo Rx : 195610
PMTU Tx : 2453
PMTU RX : 989
AppProbeID  Valid  NextProbeID  StatAddr  #Packets  Loss  Latency(1/16ms)  Jitter(1/16ms)
1           N      0            f1f0bd38  0         0     0                0
2           N      0            f1f0bd50  0         0     0                0
3           N      0            f1f0bd68  0         0     0                0
4           N      0            f1f0bd80  0         0     0                0
5           N      0            f1f0bd98  0         0     0                0
6           N      0            f1f0bdb0  0         0     0                0

LD : 10004
My Private IP : 10.0.0.1
Remote Private IP : 10.0.1.3
Tx Stats : 187435
Rx Stats : 187435
Encap Type : IPSEC
State : Up
AppProbe : YES
IPSec Out SA ID : 603979784
Tunnel Rec ID : 4
IfName : GigabitEthernet2 (0xf80000af)
Uidb : 65529
Config Tx Timer : 1000000
Conig Detect Timer : 7000000
Actual Tx Timer : 1000000
Actual Detect Timer : 7000000
My Pub IP : 10.0.0.1
My Pub Port : 12406
My Symmetric NAT IP : 0.0.0.0
My Symmetric NAT Port : 0
Remote public IP : 10.0.1.3
Remote public Port : 12386
MTU(config), Actual : 1446, 1446 <<< The right value is Path MTU Discovery result
Farend PMTU : 1445
My Capabilities : 0x160
Remote Capabilities : 0x100
SDWAN BFD flags : ||||
local_color : 1
PFR stats for SLA default (addr:f1f0bc00)
Number of pkts : 310
Loss Count : 0
Latency(1/16ms) : 76048
Jitter(1/16ms) : 17920
Following are SDWAN stats
Echo Tx : 186293
Echo Rx : 186290
PMTU Tx : 1142
PMTU RX : 1142
AppProbeID  Valid  NextProbeID  StatAddr  #Packets  Loss  Latency(1/16ms)  Jitter(1/16ms)
1           N      0            f1f0bc18  0         0     0                0
2           N      0            f1f0bc30  0         0     0                0
3           N      0            f1f0bc48  0         0     0                0
4           N      0            f1f0bc60  0         0     0                0
5           N      0            f1f0bc78  0         0     0                0
6           N      0            f1f0bc90  0         0     0                0

Note that the example above shows no inconsistency: the "show sdwan tunnel statistics" output displays a value 4 bytes smaller than the "show platform hardware qfp active feature bfd datapath sdwan all" output.
This problem occurs when changing the Service side VPN interface 'ip mtu'.
The following steps recover from the problem.
1. Lower the 'ip mtu' value of the Transport side VPN interface below what it should be (for example, if the Path MTU Discovery result shows 1200, set 'ip mtu 1000').
2. Then raise it back to its original value.
After the Service side VPN interface "ip mtu" is changed, the Tunnel MTU takes a value based on the Transport side VPN interface "ip mtu".
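
The comparison of the two command outputs described above can be scripted. The following is an added example, not Cisco code or part of the original bug description: it parses saved output from both commands and reports tunnels whose tunnel-mtu does not sit 4 bytes below the BFD "Actual" MTU. Assumptions: the function names are hypothetical, the 4-byte offset from the note above is treated as constant, the addresses and ports on the "tunnel stats" line are matched against the BFD session's public IP and port fields (as they coincide in the sample output), and the sample text is constructed.

```python
import re

OFFSET = 4  # assumption from the page's note: tunnel-mtu reads 4 bytes below BFD "Actual"

def parse_tunnel_stats(text):
    """(local_ip, remote_ip, local_port, remote_port) -> tunnel-mtu."""
    out = {}
    pat = r"tunnel stats \S+\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)(.*?)(?=tunnel stats |\Z)"
    for m in re.finditer(pat, text, re.S):
        mtu = re.search(r"tunnel-mtu\s+(\d+)", m.group(5))
        if mtu:
            out[m.group(1, 2, 3, 4)] = int(mtu.group(1))
    return out

def parse_bfd_datapath(text):
    """Same key -> the second ("Actual") value of 'MTU(config), Actual'."""
    out = {}
    labels = ("My Pub IP", "Remote public IP", "My Pub Port", "Remote public Port")
    for block in re.split(r"\bLD\s*:", text)[1:]:  # one block per BFD session
        found = [re.search(label + r"\s*:\s*(\S+)", block) for label in labels]
        mtu = re.search(r"MTU\(config\), Actual\s*:\s*\d+,\s*(\d+)", block)
        if mtu and all(found):
            out[tuple(f.group(1) for f in found)] = int(mtu.group(1))
    return out

def find_mismatches(tunnel_text, bfd_text):
    """List (key, tunnel_mtu, bfd_actual) for tunnels that break the 4-byte relation."""
    tun, bfd = parse_tunnel_stats(tunnel_text), parse_bfd_datapath(bfd_text)
    return [(k, tun[k], bfd[k]) for k in sorted(tun)
            if k in bfd and tun[k] + OFFSET != bfd[k]]

# Constructed sample: the first tunnel is consistent, the second is not (1438 vs 1402).
TUNNEL_SAMPLE = """\
tunnel stats ipsec 10.0.0.1 10.0.1.5 12406 12426
tunnel-mtu 1438
tunnel stats ipsec 10.0.0.1 10.0.1.3 12406 12386
tunnel-mtu 1438
"""
BFD_SAMPLE = """\
LD : 10003 My Pub IP : 10.0.0.1 My Pub Port : 12406
Remote public IP : 10.0.1.5 Remote public Port : 12426
MTU(config), Actual : 1442, 1442
LD : 10004 My Pub IP : 10.0.0.1 My Pub Port : 12406
Remote public IP : 10.0.1.3 Remote public Port : 12386
MTU(config), Actual : 1446, 1402
"""

if __name__ == "__main__":
    for key, tunnel_mtu, actual in find_mismatches(TUNNEL_SAMPLE, BFD_SAMPLE):
        print(key, "tunnel-mtu", tunnel_mtu, "BFD actual", actual)
```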