MPLS: changing mtu-size on a fast reroute tunnel

Similar Messages

• Mid 2010 Macbook Pro - Change MTU size kills internet (Jumbo Frames)

  Hi everyone, i'm hoping someone here can enlighten or help me solve my problem I'm having.
  I am trying to change my MTU size to enable Jumbo frames on my 13 inch Mid 2010 Macbook Pro. I recently bought a ReadyNAS Ultra and would like to speed up transfers to the unit.
  My setup is as follows:
  I have my ReadyNAS Ultra 2 and 2010 Macbook Pro (Core 2 Duo) wired via cat6 ethernet to my 5th Generation Apple Airport Extreme. The Airport Extreme is connected via cat5e to my AT&T Uverse Gateway which is set up to allow my Airport to assign DHCP and NAT (gateway is in bridge mode with wireless off).
  Anyways, I have enabled Jumbo frames on my ReadyNAS, when I enable them on my MBP.. it applies fine. It disconnects / reconnects the ethernet like it should, but then my connection drops. I can't see any devices on my LAN and I cannot access any internet websites, but according to the network pane I am still assigned a valid dhcp address. When I manually try to increase my MTU size, the same thing happens (from 9000 to 1600 I tried every size).....
  Could it be my MBP just can't suppose the increase of MTU size? It leaves them at 1500 when I set it to automatic... if it doesn't support the increased MTU size, why would it let me custom change the MTU and even give an option to select "Jumbo Frames (9000)"?
  I appreciate any help in advance!!

  asdftroy wrote:
  If you did read my post then you would have saw that the option is there, but that is not entirely what my inquiry is about. The option isn't working as intended, and I was wondering if anyone had the same issues as me. Thanks anyways.
  Anyone else?
  The way you responded to someone trying to help you probably means others will be hesitant to try.

• Link Aggregation dladm on T2000 with 2 e1000g. How can i change mtu size

  Hello
  I made a Link Aggregation on a T2000 with e1000g1 & e1000g2 successfully.
  Now i want to raise up the mtu size to mtu 9000 for the aggregation.
  I tried /etc/hostname.aggr
  mtu 9000
  unsuccessfully- MTU size still 1500
  /kernel/drv/etc/e1000g.conf
  setting Max Fram Size for 1 2 3 interface to 2(upto 8k)
  also not successfully
  MaxFrameSize=0,2,2,2;
  # 0 is for normal ethernet frames.
  # 1 is for upto 4k size frames.
  # 2 is for upto 8k size frames.
  # 3 is for upto 16k size frames.
  # These are maximum frame limits, not the actual ethernet frame
  # size. Your actual ethernet frame size would be determined by
  # protocol stack configuration (please refer to ndd command man pages)
  # For Jumbo Frame Support (9k ethernet packet)
  # use 3 (upto 16k size frames)
  Has someone an idea?
  thanx for advice

  Bug is described:
  http://sunsolve.sun.com/search/document.do?assetkey=1-1-6326664-1
  Solution is
  T-Patch 125020-01
  Message was edited by:
  sunibk

• CPU Load 98% after changed MTU size

  Hi,
  I am having problem here. Previously, when the MTU was 1508...The cpu load was <5%. When changed to 1512, the load was increasing 70%. Recently, changed to 1522, the load is >95%. Not sure what's going with the configuration. But I can a lot ques dropping. Should I put on the port-channel 1? For more details configuration, please refer to attached file
  hold-queue 1024 in
  hold-queue 1024 out
  # show proce cpu
  CPU utilization for five seconds: 96%/38%; one minute: 96%; five minutes: 96%
  PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
  # show proce cpu | include Tag
  165 150300 11396947 13 0.07% 0.01% 0.00% 0 Tag Control
  193 2608887200 237733062 10974 52.23% 52.71% 52.44% 0 Tag Input
  304 4692 36566 128 0.00% 0.00% 0.00% 0 Tagcon Addr
  Any idea guys. Thanks lot

  I had this same exact problem on the cat 6500 running SXF10. Where I enabled MPLS and it caused CPU to spike. So to check what is getting forwarded to the MSFC perform the following to see a packet capture of what is hitting the CPU. So you need to run a SNIFFER capture.
  Note this is only for the 6500 platform... once you check what's hitting the CPU (eg: fragmentation, icmp type 3 code 4's, etc al)...
  Here are the instructions to setup inband span (which monitors traffic sent
  to the MSFC):
  Router#monitor session 1 source interface fa 3/3 !--- Use any interface that
  is administratively shut down.
  Router#monitor session 1 destination interface fa 3/2 !-- connected to sniffer port
  Now, go to the SP console. Here is an example:
  Router#remote login switch
  Router-sp#test monitor add 1 rp-inband rx <--- check the syntax as it varies
  from one IOS to the next so use ?
  Verify monitor session:
  Router-sp#test monitor show session 1
  Ingress Source Ports: 3/3 15/1
  Egress Source Ports: 3/3
  Ingress Source Vlans:
  Egress Source Vlans:
  Filter Vlans:
  Destination Ports: 3/2
  Go back to the RP and verify the monitor session as well:
  Router#show monitor
  Session 1
  Type : Local Session
  Source Ports :
  Both : Fa3/3
  Destination Ports : Fa3/2
  SP console:
  Router-sp#test monitor session 1 show
  Ingress Source Ports: 3/3 15/1
  Egress Source Ports: 3/3
  Ingress Source Vlans:
  Egress Source Vlans:
  Filter Vlans:
  Destination Ports: 3/2
  To remove the inband span from sp do test monitor session 1 del and from the rp do no mon sess all
  ===============================
  So my exact issue was two parts, CPU spike up 99% when WCCP was enabled with MPLS tag switching at the same time. Rebooting didnt help... I ended up changing from SXF10 to SXF14 IOS just in case but I still had high CPU after upgrade. But the major difference was when I removed the ACL tied to WCCP and removing the ACL completely and re-pasting into the configs for WAAS and then reapplying. But in my sniffer capture I did notice a lot of ip fragmentation hitting the MSFC processor. Now my MTU is 1522 and works fine.

• With MPLS - No Fragmantation with MTU Size 1501-1504

  Ping with MTU 1500 and 1505 is OK.
  Ping with MTU 1501-1504 doesn?t work - there is no fragmantation done.
  This occures on a Cisco7200 and Cisco7500 where traffic is sended via a labeld switch path: MTU-Size from the Fast/Gig Eth-Interface is set to 1500. With no MPLS "no mpls ip" everthing works fine.
  Does anyone have a solution for this?
  Thanks and Regards
  Erich

  Hello,
  did you configure "mpls mtu 1512" on all MPLS enabled interfaces? F.e.:
  interface FastEthernet0/0/0
  mpls mtu 1512
  This would allow for as much as 3 labels.
  There is no fragmentation for labeled packets, only for IP. So this could be a software/hardware bug as well.
  Hope this helps! Please rate all posts.
  Regards, Martin

• MTU Size Issue on Cisco 3560 Switch

  Could anybody tell me how to change MTU Size on a Cisco 3560 Switch.i mean to say whether it is to be changed on FastEthernet Interfaces or on VLAN 1 or on Global Configuration Mode and with which Command to change it.

  I am using MPLS on my Routers and the MTU size i have set on my Router Interfaces is 1524.
  When i do a normal ping from Customer's one site to another (where my Traffic has to pass through this Switch VLAN)i get a reply , but when a Ping with a Byte Size of 1500 or more the Packets get completely dropped.
  I think due to MTU Mistach bet. Switch and Router the Packets r getting droped,that is why i was trying to change it.
  could the Packets get dropped because of this reason.Please suggest.

• How do you change the MTU size in a Cisco 871?

  This 871 is at a remote site and is an ezvpn IPsec client (network extension mode) back to a 3030 headend.
  We're having problems with a PC trying to connect through the IPsec tunnel and we think it may be an MTU size problem.
  Int F4 is the outside interface.
  We are using a virtual-template associated with the crypto ipsec client ezvpn statement.
  When I go into any of the 871 interfaces and type 'mtu 1370' it errors out with 'The F4 (or whatever interface) does not allow manual MTU size configuration.
  If I type 'ip mtu 1370' on F4 (or vlan1 or virtual-template 1) this is accepted, but when I do a 'show int f 4', it still shows MTU of 1514 - even after a reload.
  What is the correct way to set the MTU size in the 871 router - and is it best set on the F4 interface, the vlan, or the virtual-template interface?

  Hi
  As per the supporting doc Cisco 871 has one want ethernet interface and 2 switch ports.
  I feel you are trying to change the mtu under the switch port which may not be possible.
  You can refer the below link for more info..
  http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html
  regds

• How do you change the mtu size

  i recently bought a WRT54G wireless router and i have my desktop directly hooked up (not wireless) and every time i go to play games or surf the net it has some pretty severe lag spikes. i have done some searching and i see something about changing the MTU to a certain amount but i have no idea what that is or how to change it. so if u have any suggestions for me that would be appreciated

  connect a computer to the router's port#1 and access the router using http://192.168.1.1 . the default password is admin
  on the ui , under the " basic setup " subtab , you have an option to change the MTU size..by default the MTU is disabled...change it to enable and change the MTU size as required...

• IP-Fast Reroute with MPLS remote LFA tunnels

  I have a simple ring network with 4 3600Xs with IP/MPLS 10 gig backbone between all units (with OSPF running in the core).  Per the 3600 design guide I turned on IPFRR under OSPF for fast reroute of traffic around faults.  I have a l3vpn on the 3600s that I'm using to test.  The FRR works quite well when the repair route is a ECMP (equal cost multipath) route, I don't even notice an interruption in ping between l3vpn sites when an 'active' link goes down.
  The issue arises when the repair route is a remote-LFA (loop free alternative) MPLS tunnel.  I've done a few tests, and the failover time when the repair route is a remote LFA tunnel is the same as when FRR isn't turned on at all, it's just the normal route convergence time and there is a significant traffic interruption (as compared to FRR when an ECMP route is the repair route).
  The thing is I'm not quite sure how even to diagnose this.  I was thinking that maybe the remote FLA tunnel was using the link that failed, so it in essence was 'down' as well, hence the traffic interruption as routing fully converged.  But I looked at the remote-LFA interfaces, and as much as I understand them they are taking the right path out of the router anyway (that is, away from the link that would fail in order to activate the remote-LFA route).
  Are there any resources or tips to help troubleshoot why these remote-LFA tunnel repair routes don't seem to be working well?

  Thanks for the reply Nagendra.  When you ask if I've seen the back path installed in RIB/FIB, I'm not exactly sure what you mean.  I do see repair paths referncing remote LFAs on both the 3600 that would be the source and the destination of the test traffic.  Like this:
    * 172.16.0.3, from 10.10.10.3, 01:55:50 ago, via TenGigabitEthernet0/2
        Route metric is 2, traffic share count is 1
        Repair Path: 10.10.10.4, via MPLS-Remote-Lfa40
  and on the other router:
    * 172.16.0.2, from 10.10.10.1, 01:56:34 ago, via TenGigabitEthernet0/1
        Route metric is 2, traffic share count is 1
        Repair Path: 10.10.10.2, via MPLS-Remote-Lfa32
  If you're looking for some specific command output, let me know.

• MPLS MTU size

  Hello,
  Please correct me if I am wrong. The MPLS MTU size is 1518 to 1520 and the normal MTU size is 1500, So does it means that while configuring the MPLS network on the Switches attached with the MPLS CE router we MUST have to configure the MTU size to 1520 or not.
  Please confirm

  MPLS is not configured between the CE and the PE. So if your IP mtu is 1500 then the switch between the CE and PE needs to support 1500 only.
  The mpls mtu needs to be configured in the core where ethernet switches are used.
  Hope this helps,

• MPLS TE Fast ReRoute

  Hi Experts,
  I'm just getting started with MPLS TE and wondering on how fast the "fast reroute" feature can be.
  I'm planning to create two tunnels for a specific traffic of my network, and looks like MPLS TE with FRR is the most reliable option if we are talking about a really 0% packet loss network.
  I saw on some documentations that with MPLS TE is possible to reroute the traffic with 50 ms of RTT  and no packet loss at all, considering that the backup tunnel is so reliable as the primary is.
  Is this true? I'm new on this subject so I would like to know more about what I could achieve in terms of high availability.
  Regards
  Paulo Varanda

  Hi,
  Yes MPLS-TE with FRR gives faster convergence in range of 50ms (usually 50ms is standard convergence time for SDH/Sonet network). But there are some pre-requisities for MPLS-TE FRR to provide that faster convergence.
  Tunnel Headend -- Router 1 --- Router 2 ---- Router 3--- Tunnel Tailend
                          -- Router 4 ---- Router 5----
  MPLS-TE FRR protects a particular link or a particular node.
  For link protection, the concept is to have a primary tunnel protected by a backup tunnel. The backup tunnel path should be on completely different and fault tolerant physical path when the primary tunnel path fails i.e. both the tunnels should not be in same SRLG links. In the above case if link between Router1-Router2-Router3 fails the tunnel should fallback over Router 4 and Router 5.
  Detecting the link or node goes down should require a keepalive mechanism, usually RSVP hellos are used to detect the failure.
  Node protection by default provides link protection. So when Router 2 goes down the traffic falls back over backup path.
  MPLS-TE FRR wokrs by pre-signalling LSP over both primary and secondary paths even before the failure occurs. In normal conditions (with multiple path-option), only when primary LSP on primary path goes down, LSP gets signalled over secondary path option.
  HTH
  Arun

• MPLS TE Fast-Reroute question?

  Hi:
  I am trying to configure the mpls te fast-reroute command but the router complains!!
  I am running 12.4 Enterprise on a 3640.
  Does this only work on a 7200 and up?
  Thanks.

  Niraj,
  The 3640 doesn't support FRR. It does support traffic engineering but can not be used as the Point of Local Repair (PLR) router, which is the router where the backup tunnel is configured.
  Hope this helps,

• Infiniband Mellanox MTU size change

  Hello to all.
  I am new to Solaris and know nothing about its administration tools.
  We are willing to test Infiniband and need to change MTU of the adapter (Mellanox) to 4K (which is the default configu for our subnet manager).
  Which command should be used to archieve the task ?
  Next we need to configure an SRP target. Any specific howto ?
  Thanks in advance for your kind reply

  Thank you for your reply, Darren.
  As per my test, ifconfig will work for the IPoIB (when creating a derivative interface to run IP over infiniband).
  Actually the driver is installed, link comes up, fabric negotiates 2048 MTU and no interface is available to configure for IPoIB since I did not create it.
  Ifconfig lists only the gigabit eth nic, since no ib0 card is defined (only ib device in /proc).
  I am not going to run IP over Infiniband, al least not for storage access, since poses a huge penalty in performance.
  To configure the device MTU (not the virtual ethernet over infiniband MTU) I think must be done at driver level, using something related to the low level adapter
  •cfgadm_ib(1M) - InfiniBand hardware-specific commands for cfgadm
  •datadm(1M) - maintain DAT static registry file
  •ifconfig(1M) - configure network interface parameters
  •libdat(3LIB) - direct access transport library
  •ib(4) - InfiniBand device driver configuration files
  •ibmf(7) - InfiniBand Management Transport Framework
  •daplt(7D) - Tavor uDAPL service driver
  •ib(7D) - InfiniBand Bus Nexus Driver
  •ibcm(7D) - InfiniBand Communication Manager
  •ibd(7D) - Infiniband IPoIB device driver
  •ibdm(7D) - Solaris InfiniBand device manager
  •tavor(7D) - InfiniBand (IB) Tavor driver
  I guess it wil be cfgadm, but do not know syntax and parameters.
  In vmware, using Mellanox tools, you issue esxcfg-module -s "port_type_default=1 set_4k_mtu=1" mlx4_en, where mlx4_en is the kernel module.
  How to achieve this with Solaris ?
  As per the SRP question, if Solaris supports COMSTAR it should support SRP target mode, right ?
  Thank for sharing your thoughts.

• How to change the size of Bex Variable screen?.

  Hi Experts,
  Can we able to change the size/font of the Bex query variable screen?. I have a requirement where lot of variables used but query variable screen is not showing up all the variables including the 'execute,cancel, check' menu buttons.
  Is there any way, I can customize the screen?.
  Your fast response help is appreciated.
  Thanks in advance
  Viswa

  Dear friends,
  Problem solved. Actually, there is an inner scroll bar to fix this problem.

• MTU Size Problem Loading Certain Webpages

  Hello Colleagues,
  I'm having a strange problem dealing with MTU sizes and loading certain webpages. I am aware of the default Microsoft MTU of 1500 and also using GRE IPSEC Tunnels recommended at MTU size 1400. I have since manually set some users PC's to MTU of 1400 and most of those users are experiencing no issues. However, there are a few users who still experience website loading issues even though I have manually changed their MTU size to 1400.
  These are domain accounts will the same image loads on their machines, so all have the same permissions, rights, firewall settings, etc. They all use the same LAN, switches, and routers.
  Here are the router configs, router 1 and router 2
  Router 1
  Current configuration : 9006 bytes
  version 15.3
  no service pad
  service timestamps debug datetime msec localtime
  service timestamps log datetime msec localtime
  service password-encryption
  hostname R-US-RS-WVPN1
  boot-start-marker
  boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
  boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
  boot-end-marker
  logging buffered 64000
  enable secret 5 *removed*
  no aaa new-model
  clock timezone CET 1 0
  clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
  errdisable recovery cause udld
  errdisable recovery cause bpduguard
  errdisable recovery cause rootguard
  errdisable recovery cause pagp-flap
  errdisable recovery cause dtp-flap
  errdisable recovery cause link-flap
  errdisable recovery interval 303
  ip cef
  ip domain name corp.com
  ip name-server 10.###.8.21
  ip name-server 10.###.8.96
  ip inspect dns-timeout 90
  ip inspect tcp idle-time 60
  ip inspect name fw smtp timeout 120
  ip inspect name fw ftp timeout 120
  ip inspect name fw realaudio
  ip inspect name fw tftp timeout 30
  ip inspect name fw udp timeout 30
  ip inspect name fw tcp timeout 60
  no ipv6 cef
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-316595902
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-316595902
  revocation-check none
  rsakeypair TP-self-signed-316595902
  crypto pki certificate chain TP-self-signed-316595902
  certificate self-signed 01
    *removed*
          quit
  license udi pid CISCO1921/K9 sn FTX153182M8
  spanning-tree vlan 229 priority 8192
  redundancy
  ip ssh version 2
  crypto isakmp policy 10
  hash md5
  authentication pre-share
  lifetime 3600
  crypto isakmp key *removed* address 70.###.172.142
  crypto isakmp key *removed* address 184.###.###.254
  crypto isakmp keepalive 35 11
  crypto ipsec transform-set FY-WVPN-Tunnel esp-aes esp-md5-hmac
  mode tunnel
  crypto map vpn 10 ipsec-isakmp
  set peer 70.###.172.142
  set peer 184.###.###.254
  set transform-set FY-WVPN-Tunnel
  match address gre-tunnel-list
  interface Loopback0
  ip address 10.###.0.10 255.255.255.255
  interface Tunnel2291
  description Primary-TimewarnerTelecom-Ral-FayWVPN1
  ip address 10.###.99.26 255.255.255.252
  no ip redirects
  cdp enable
  tunnel source 66.###.161.126
  tunnel destination 184.###.###.254
  crypto map vpn
  interface Tunnel2293
  description Primary-TimewarnerTelecom-Ral-FayWVPN2
  ip address 10.###.99.154 255.255.255.252
  no ip redirects
  cdp enable
  tunnel source 66.###.161.126
  tunnel destination 70.###.172.142
  crypto map vpn
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description TW Telecom/DMVPN1
  ip address 66.###.161.126 255.255.255.252
  ip access-group Block-Internet in
  ip access-group Block-Internet out
  duplex auto
  speed auto
  no cdp enable
  crypto map vpn
  interface GigabitEthernet0/1
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0/0/0
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/1
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/2
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/3
  description PBX Eth1
  switchport access vlan 229
  no ip address
  interface Vlan1
  no ip address
  shutdown
  interface Vlan229
  ip address 10.###.229.253 255.255.255.0
  ip helper-address 10.###.231.201
  standby 229 ip 10.###.229.254
  standby 229 priority 105
  standby 229 preempt
  router eigrp 100
  network 10.0.0.0
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip route 70.###.172.142 255.255.255.255 66.###.161.125
  ip route 184.###.###.254 255.255.255.255 66.###.161.125
  ip route 205.###.96.180 255.255.255.252 66.###.161.125
  ip access-list extended Block-Internet
  permit esp host 66.###.161.126 host 184.###.###.254
  permit esp host 184.###.###.254 host 66.###.161.126
  permit udp host 66.###.161.126 host 184.###.###.254 eq isakmp
  permit udp host 184.###.###.254 host 66.###.161.126 eq isakmp
  permit esp host 66.###.161.126 host 70.###.172.142
  permit esp host 70.###.172.142 host 66.###.161.126
  permit udp host 66.###.161.126 host 70.###.172.142 eq isakmp
  permit udp host 70.###.172.142 host 66.###.161.126 eq isakmp
  permit icmp host 66.###.161.126 host 184.###.###.254
  permit icmp host 184.###.###.254 host 66.###.161.126
  permit icmp host 66.###.161.126 host 70.###.172.142
  permit icmp host 70.###.172.142 host 66.###.161.126
  permit icmp any any echo-reply
  permit icmp any any time-exceeded
  permit icmp any any packet-too-big
  permit icmp any any traceroute
  permit icmp any any unreachable
  deny   ip any any
  deny   icmp any any
  ip access-list extended gre-tunnel-list
  permit gre host 66.###.161.126 host 184.###.###.254
  permit gre host 66.###.161.126 host 70.###.172.142
  logging host 10.100.###.254
  logging host 10.100.###.246
  snmp-server community a RW 20
  snmp-server community r RO 20
  snmp-server community a RW 20
  snmp-server community r RO 20
  snmp-server community P_RW RW
  snmp-server community P_RO RO
  snmp-server enable traps entity-sensor threshold
  snmp-server host 10.100.###.246 public
  snmp-server host 10.100.###.254 public
  access-list 20 permit 10.###.9.3
  access-list 20 permit 10.###.8.16
  access-list 20 permit 10.100.###.249
  access-list 20 permit 10.100.###.254
  access-list 20 permit 10.100.###.246
  control-plane
  banner motd ^CCCCCCC
  ****************** Warning! Warning! Warning! ********************
  This system is restricted to authorized users for business
  purposes.  Unauthorized access is a violation of the law.  This
  service may be monitored for administrative and security reasons.
  By proceeding, you consent to this monitoring
  ****************** Warning! Warning! Warning! ********************
  ^C
  line con 0
  login local
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  exec-timeout 60 0
  password 7 *removed*
  login local
  transport input ssh
  line vty 5 15
  exec-timeout 60 0
  password 7 *removed*
  login local
  transport input ssh
  scheduler allocate 20000 1000
  ntp server 10.###.8.8 prefer
  ntp server 10.###.231.200 prefer
  ntp server 10.###.8.69
  ntp server 10.###.1.6 prefer
  end
  Router 2
  Current configuration : 9013 bytes
  version 15.3
  no service pad
  service timestamps debug datetime msec localtime
  service timestamps log datetime msec localtime
  service password-encryption
  hostname R-US-RS-WVPN2
  boot-start-marker
  boot system flash:c1900-universalk9-mz.SPA.153-1.T1.bin
  boot system flash:c1900-universalk9-mz.SPA.151-3.T1.bin
  boot-end-marker
  logging buffered 64000
  logging console critical
  enable secret 5 *removed*
  no aaa new-model
  clock timezone CET 1 0
  clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
  errdisable recovery cause udld
  errdisable recovery cause bpduguard
  errdisable recovery cause rootguard
  errdisable recovery cause pagp-flap
  errdisable recovery cause dtp-flap
  errdisable recovery cause link-flap
  errdisable recovery interval 303
  ip cef
  ip domain name corp.mann-hummel.com
  ip name-server 10.###.8.21
  ip name-server 10.###.8.96
  ip inspect dns-timeout 90
  ip inspect tcp idle-time 60
  ip inspect name fw smtp timeout 120
  ip inspect name fw ftp timeout 120
  ip inspect name fw realaudio
  ip inspect name fw tftp timeout 30
  ip inspect name fw udp timeout 30
  ip inspect name fw tcp timeout 60
  ipv6 multicast rpf use-bgp
  no ipv6 cef
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-3179596086
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3179596086
  revocation-check none
  rsakeypair TP-self-signed-3179596086
  crypto pki certificate chain TP-self-signed-3179596086
  certificate self-signed 01
    *removed*
          quit
  license udi pid CISCO1921/K9 sn FTX153182M2
  spanning-tree vlan 229 priority 1###84
  redundancy
  ip ssh version 2
  crypto isakmp policy 10
  hash md5
  authentication pre-share
  lifetime 3600
  crypto isakmp key *removed* address 70.###.172.142
  crypto isakmp key *removed* address 184.###.###.254
  crypto isakmp keepalive 35 11
  crypto ipsec transform-set Fay-Ral-WVPN-Tunnel esp-aes esp-md5-hmac
  mode tunnel
  crypto map vpn 10 ipsec-isakmp
  set peer 184.###.###.254
  set peer 70.###.172.142
  set transform-set Fay-Ral-WVPN-Tunnel
  match address gre-tunnel-list
  interface Loopback0
  ip address 10.###.0.12 255.255.255.255
  interface Tunnel2292
  description Failover-TimewarnerCable-Ral-Fay-WVPN2
  ip address 10.###.99.30 255.255.255.252
  no ip redirects
  cdp enable
  tunnel source 96.###.25.226
  tunnel destination 184.###.###.254
  crypto map vpn
  interface Tunnel2294
  description Failover-TimewarnerCable-Ral-Fay-WVPN2
  ip address 10.###.99.158 255.255.255.252
  no ip redirects
  cdp enable
  tunnel source 96.###.25.226
  tunnel destination 70.###.172.142
  crypto map vpn
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  description Fay-Ral WVPN
  ip address 96.###.25.226 255.255.255.252
  ip access-group Block-Internet in
  ip access-group Block-Internet out
  duplex auto
  speed auto
  no cdp enable
  crypto map vpn
  interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface GigabitEthernet0/0/0
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/1
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/2
  switchport access vlan 229
  no ip address
  interface GigabitEthernet0/0/3
  description PBX Eth2
  switchport access vlan 229
  no ip address
  interface Vlan1
  no ip address
  shutdown
  interface Vlan229
  ip address 10.###.229.252 255.255.255.0
  ip helper-address 10.###.231.201
  standby 229 ip 10.###.229.254
  standby 229 preempt
  router eigrp 100
  network 10.0.0.0
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip route 70.###.172.142 255.255.255.255 96.###.25.225
  ip route 184.###.###.254 255.255.255.255 96.###.25.225
  ip route 205.###.96.180 255.255.255.252 66.###.161.125
  ip access-list extended Block-Internet
  permit esp host 96.###.25.226 host 184.###.###.254
  permit esp host 184.###.###.254 host 96.###.25.226
  permit udp host 96.###.25.226 host 184.###.###.254 eq isakmp
  permit udp host 184.###.###.254 host 96.###.25.226 eq isakmp
  permit esp host 96.###.25.226 host 70.###.172.142
  permit esp host 70.###.172.142 host 96.###.25.226
  permit udp host 96.###.25.226 host 70.###.172.142 eq isakmp
  permit udp host 70.###.172.142 host 96.###.25.226 eq isakmp
  permit icmp host 96.###.25.226 host 184.###.###.254
  permit icmp host 184.###.###.254 host 96.###.25.226
  permit icmp host 96.###.25.226 host 70.###.172.142
  permit icmp host 70.###.172.142 host 96.###.25.226
  permit icmp any any echo-reply
  permit icmp any any time-exceeded
  permit icmp any any packet-too-big
  permit icmp any any traceroute
  permit icmp any any unreachable
  deny   ip any any
  deny   icmp any any
  ip access-list extended gre-tunnel-list
  permit gre host 96.###.25.226 host 184.###.###.254
  permit gre host 96.###.25.226 host 70.###.172.142
  logging host 10.100.###.254
  logging host 10.100.###.246
  snmp-server community P_RW RW
  snmp-server community P_RO RO
  snmp-server community a RW 20
  snmp-server community r RO 20
  snmp-server community a RW 20
  snmp-server community r RO 20
  snmp-server enable traps entity-sensor threshold
  snmp-server host 10.100.###.246 public
  snmp-server host 10.100.###.254 public
  access-list 20 permit 10.###.9.3
  access-list 20 permit 10.###.8.16
  access-list 20 permit 10.100.###.249
  access-list 20 permit 10.100.###.254
  access-list 20 permit 10.100.###.246
  control-plane
  banner motd ^CCCCCC
  ****************** Warning! Warning! Warning! ********************
  This system is restricted to authorized users for business
  purposes.  Unauthorized access is a violation of the law.  This
  service may be monitored for administrative and security reasons.
  By proceeding, you consent to this monitoring
  ****************** Warning! Warning! Warning! ********************
  ^C
  line con 0
  login local
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  exec-timeout 60 0
  password 7 *removed*
  login local
  transport input ssh
  line vty 5 15
  exec-timeout 60 0
  password 7 *removed*
  login local
  transport input ssh
  scheduler allocate 20000 1000
  ntp server 10.###.8.8 prefer
  ntp server 10.###.231.200 prefer
  ntp server 10.###.8.69
  ntp server 10.###.1.6 prefer
  end

  UPDATE
  I have since applied the following config to the tunnel interfaces:
  ip mtu 1400
  ip tcp adjust-mss 1400
  tunnel path-mtu-discovery
  This worked and I was able to reset each users PC to default MTU size of 1500, but only until just now. I got a call from a user who explained that he wasn't able to reach some websites, again.
  Sure enough, I've just confirmed that all of the users are unable to access the websites any longer.
  This is crazy, does anyone have any ideas?