The site is a standard SD-WAN scenario
In an SD-WAN scenario, the TTE tunnel and BGP neighbor relationships between the headquarters and the branch are established successfully, but UDP service access is abnormal: large packets pinged from the headquarters to the branch fail. Capturing the service packets on site shows that the UDP packets are sent with the Don't Fragment (DF) bit set, so they cannot be fragmented. The standard approach in this scenario is to increase the tunnel MTU so that the service packets enter the tunnel and the encapsulated packets are fragmented at the physical interface instead. However, after the tunnel MTU is changed to 1600, the issue persists.
The reason is that the device used on site is an SR660-M, and an ESPA card is used for encryption. The ESPA card imposes a restriction: the tunnel MTU must not exceed the interface MTU. On site, the interface MTU is 1500 while the tunnel MTU is 1600, which violates the ESPA card restriction and causes traffic forwarding to fail.
For devices with an ESPA card, the tunnel MTU must not be raised above the interface MTU. Instead, set the interface MTU of every device along the path to 1600. On the headquarters and branch devices, the tunnel MTU can then be calculated automatically from the interface MTU, taking the IPsec encapsulation overhead into account. After the interface MTU is modified, service communication works normally.
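The following is an added example, not part of the original note and not vendor code: a small Python model of the MTU decisions described above. It reproduces the four situations in the text (DF-set packet too large for the default tunnel MTU; the standard "raise the tunnel MTU" fix; that same fix rejected by the ESPA restriction; and the working fix of raising the interface MTU and letting the tunnel MTU be derived). The IPsec encapsulation overhead figure, the hop names and the packet size are assumptions chosen for illustration; real overhead depends on the cipher and encapsulation mode in use.

```python
"""Model of tunnel MTU vs. interface MTU behaviour in an encrypted SD-WAN tunnel.

Added example; the overhead values and scenario names are constructed, not
taken from the original note or from any vendor documentation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed encapsulation overhead in bytes (outer IP header + ESP header,
# IV, padding, trailer and ICV). Illustrative only.
OUTER_IP_HEADER = 20
ESP_OVERHEAD = 58
ENCAP_OVERHEAD = OUTER_IP_HEADER + ESP_OVERHEAD  # 78 bytes


@dataclass
class HopConfig:
    name: str
    interface_mtu: int
    tunnel_mtu: Optional[int] = None  # None: derive from interface MTU
    has_espa_card: bool = False


def effective_tunnel_mtu(cfg: HopConfig) -> int:
    """Configured tunnel MTU, or interface MTU minus encapsulation overhead
    when the device is left to calculate it automatically."""
    if cfg.tunnel_mtu is not None:
        return cfg.tunnel_mtu
    return cfg.interface_mtu - ENCAP_OVERHEAD


def espa_violation(cfg: HopConfig) -> Optional[str]:
    """The ESPA restriction from the note: tunnel MTU must not exceed the
    interface MTU. Returns a description of the violation, or None."""
    t_mtu = effective_tunnel_mtu(cfg)
    if cfg.has_espa_card and t_mtu > cfg.interface_mtu:
        return (f"{cfg.name}: ESPA card requires tunnel MTU ({t_mtu}) "
                f"<= interface MTU ({cfg.interface_mtu})")
    return None


def forward_packet(cfg: HopConfig, packet_size: int, df_set: bool) -> Tuple[str, str]:
    """Decide what happens to a service packet of packet_size bytes.

    Returns (outcome, reason) with outcome one of
    'dropped', 'fragmented' or 'forwarded'.
    """
    violation = espa_violation(cfg)
    if violation:
        # Forwarding fails outright when the card restriction is hit.
        return "dropped", violation

    t_mtu = effective_tunnel_mtu(cfg)
    if packet_size > t_mtu:
        if df_set:
            # Inner packet cannot be fragmented and does not fit the tunnel.
            return "dropped", f"DF set and {packet_size} > tunnel MTU {t_mtu}"
        return "fragmented", f"{packet_size} > tunnel MTU {t_mtu}; fragmented before tunnel"

    # Packet enters the tunnel; the encapsulated (outer) packet is what the
    # physical interface sees, and the outer header carries no DF bit here.
    outer_size = packet_size + ENCAP_OVERHEAD
    if outer_size > cfg.interface_mtu:
        return "fragmented", (f"outer {outer_size} > interface MTU {cfg.interface_mtu}; "
                              "fragmented at physical interface")
    return "forwarded", f"outer {outer_size} <= interface MTU {cfg.interface_mtu}"


def run_scenarios(packet_size: int = 1500) -> dict:
    """The four situations from the note, as constructed configurations."""
    scenarios = {
        "initial": HopConfig("hq", 1500),
        "tunnel_mtu_1600": HopConfig("hq", 1500, tunnel_mtu=1600),
        "tunnel_mtu_1600_espa": HopConfig("hq-sr660m", 1500, tunnel_mtu=1600, has_espa_card=True),
        "interface_mtu_1600_espa": HopConfig("hq-sr660m", 1600, has_espa_card=True),
    }
    return {name: forward_packet(cfg, packet_size, df_set=True)
            for name, cfg in scenarios.items()}


if __name__ == "__main__":
    for name, (outcome, reason) in run_scenarios().items():
        print(f"{name:26s} {outcome:10s} {reason}")
```

Running the block prints one line per scenario; the ESPA case with tunnel MTU 1600 is dropped even though the same configuration without the card would fragment at the physical interface, and raising the interface MTU to 1600 with an automatically derived tunnel MTU (1522 under the assumed overhead) forwards the 1500-byte DF packet without fragmentation.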