Inner Fragmentation

EPDG does ESP encapsulation and sends it to the NPU for IPv4 Payload without DF bit set. NPU will fragment the packet before sending out if the packet size exceeds MTU configured on the interface. NPU will do fragment only if the DF bit is not set. Whether to set DF bit or not on outer IP header can be controlled by crypto template configuration. So by default NPU will do a fragmentation if the packet size is more than MTU. This can cause issues if there is NAT device which can't handle fragments. In this case UE will not receive all packets.

To avoid this ePDG can do a fragmentation before ESP encapsulation there by avoiding the fragmentation at NPU. ePDG decides when to do fragmentation is based on existing MTU configuration available under the crypto template. So when the User payload is more than the configured MTU size the packet is fragmented into multiple packets, now each packet is encrypted and ESP encapsulated and sent out.

Memory and Performance Impact

Implementation of pre-ESP Fragmentation support will have performance impact on overall performance. Throughput will be impacted as each fragment will be encrypted and encapsulated. As the throughput mainly depends on the PPS(Packets/Second) and each fragmented packet will result in multiple packets and each packet needs to be encrypted this decreases the throughput of the whole system.

Configuring Pre-ESP Fragmentation Configuration

Syntax

configure 
     crypto template 
				      ip { inner | outer } | ikev2-mtu value  | mtu value } 
          default ip { fragment | ikev2 | mtu } 
     end 

show crypto {map | template}

show epdg-service statistics