PPPoE is 8 bytes. 

1506 - 14 L2 header = 1492 

1492 - 1428 = 64.  Same test ran with MX18 will give you 68 bytes.  

4 Bytes increase in ESP seems like an upgrade from SHA1 to SHA256. I'm asking support confirmation on how and why he confirmed that the ESP overhead has changed. 

I asked over a year ago, and they told me 68 bytes. I dont remember if it was 15 or 16 firmware back then. Did you also test on 16.x?

Trying to pin that firmware on my test setup ! I also asked support if it is since MX18 or since our upgrade ( big jump from 15 -> 18 )

From support : 

Yes this is expected for MX18+

I do not currently have the exact details for why the overhead has increased, but we have made improvements to the VPN design that have resulted in this overhead. There should be no expectation that this will ever return to the previous overhead size in firmware versions greater than MX18

Still chasing in which firmware version this was changed.

I is 4 bytes lower on MX16.

What are you experiencing ?

Our biometric devices in different sites cannot sync to our main office server since we are using AutoVPN. When the support from meraki identified that biometric devices send above the MTU (i think around 1500bytes). They stop replying on the case and left the ticket open.

Thanks for your reply.

Is it over UDP or TCP ?

The MX should have done IP fragmentation. 

its over TCP. 

They just inform us that the header DF is set to 1. Unfortunately we don't have idea where to change any settings since its only a biometrics.

Some of our sites works fine, I can ping other vpn subnet with 1500 bytes and those biometric devices sync with the server. But some of sites are dropping the packets from the biometric.

Mmmm.... take a packet capture , you will see that the TCP 3WAY handshake contains the MSS ( Maximum segment size for TCP ). It will be  AutoVPN MTU - 40.  

1500-68-40 = 1392 ( if you WAN MTU is 1500 all across your AutoVPN domain ) it might be lower. 

That means that the client is aware that it cannot send over 1392 bytes to the destination over VPN.

Yes, the client device is aware that it cannot send over 1392 bytes, but based on the packet capture the device still keep trying to send around 1500 bytes multiple times. Then we will get a timeout error. Currently we don't have any idea what to do 😄 😄 😄

if the client is not honoring the MSS recevied then it is not a meraki issue. I could contact the vendor with the appropriate pcaps.  

However , I have never seen a IP stack behaving like that,  so I have some doubts.

When i tried to ping the spoke MX with 1500bytes it gives the packet fragmentation message w/c is expected. But when i tried around 1399 up to around 1450 bytes, it just timed out.

Edit: 1398 works but not 1400 is timed out

Edit: I have 2 different spokes MX here with different behavior when i ping with 1500bytes

I don't think that MX is informing the client device that the packet needs to be fragmented.

Because there is no fragmentation happening.  1392 + 68 + 40 = 1500.

Is that mean the MX just drop the packet? Thanks

Why would  it ? The payload size received is smaller or equal to it's WAN / AutoVPN MTU

As per meraki support the packet is not received in the other side of vpn. So we don't have any idea.

Take a packet capture on the spoke and the hub , you will see if the packet is received or not. 

Does your WAN support 1500 bytes MTU ? On both side

Yes, both WAN of hub and spoke support 1500 bytes