
Packet drops with Remote Content Inspection with IDS over L3



Hello everyone, 
I am following this doc to send unencrypted data to IDS over an L3 IP tunnel.
https://docs.netscaler.com/en-us/citrix-adc/current-release/content-inspection/intrusion-detection-system-for-l3

However, I see that the IDS device does not receive some of the packets. On further debugging, the packets which were dropped at NetScaler are of size >=1460 (MSS set on NetScaler).
Ideally, NetScaler should forward the packets to IDS as it is adding an additional 20 bytes for the IP tunnel. So if client or server packets are of 1460 bytes, then either NS should forward a packet of 1480 bytes to the IDS device, or it should break it into two packets (when dropFrag is disabled in the global iptunnel param).

Is there any additional config which I am missing?


Correct, the device is able to fragment when needed. In addition to the dropFrag parameter, the dropFragCpuThreshold is another global parameter defined in iptunnelparam to check. It temporarily disables fragmentation during configurable high CPU utilization levels. By default it is disabled, but if enabled it could certainly account for your situation.

Please verify you are running the latest supportable code versions. 


Thanks Rick for the reply. 
Both params are disabled and at default settings. I am running NS13.1 52.19.
I could rectify half of the problem by setting the server side MSS in the tcp profile to a 20 byte lower value (i.e. 1440). Now I can see packets from server to NS getting mirrored without drops. But the packets from NS to server are still dropping.

I took a tcpdump on the server, where I could see that server to NS packets are using an MSS of 1440 while NS to server packets are still using 1460 bytes.
I can see NetScaler advertising an MSS of 1440 in the SYN packet and the server advertising an MSS of 1460.
Looks like NetScaler is not honouring the MSS while sending out the packets.

Attaching the pcap captured at server.

server.pcap

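A way to check a capture for exactly the symptom described in this thread, as an added example (not code from the thread or from NetScaler): it reads the MSS option from the SYN packets and flags any segment that would no longer fit the outer path once the 20-byte tunnel header is added. The 1500-byte outer MTU, the addresses and the sample packets are assumed/constructed.

```python
import struct

TUNNEL_OVERHEAD = 20   # outer IPv4 header the L3 IP tunnel adds (from the thread)
OUTER_MTU = 1500       # assumed MTU of the path carrying the tunnel (not stated in the thread)

def build_ipv4_tcp(payload_len, flags, options=b""):
    """Construct a minimal IPv4+TCP packet; addresses and ports are dummy values."""
    options += b"\x00" * (-len(options) % 4)            # pad options to a 32-bit boundary
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + payload_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, (tcp_len // 4) << 4, flags, 65535, 0, 0)
    return ip + tcp + options + b"A" * payload_len

def tcp_mss_option(packet):
    """Return the MSS carried in the packet's TCP options, or None if absent."""
    tcp = packet[(packet[0] & 0x0F) * 4:]                # skip the IPv4 header (IHL)
    opts = tcp[20:(tcp[12] >> 4) * 4]                    # options end at the data offset
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP, one byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:                    # kind 2 = MSS
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def fits_tunnel(packet, outer_mtu=OUTER_MTU, overhead=TUNNEL_OVERHEAD):
    """True if the packet still fits the outer path once the tunnel header is added."""
    return struct.unpack("!H", packet[2:4])[0] + overhead <= outer_mtu

def check_flow(packets, outer_mtu=OUTER_MTU, overhead=TUNNEL_OVERHEAD):
    """MSS seen on SYNs, indexes of segments that would not fit, and the safe MSS for 40-byte headers."""
    syn_mss = [tcp_mss_option(p) for p in packets if p[(p[0] & 0x0F) * 4 + 13] & 0x02]
    oversized = [i for i, p in enumerate(packets) if not fits_tunnel(p, outer_mtu, overhead)]
    return {"syn_mss": syn_mss, "oversized": oversized, "safe_mss": outer_mtu - overhead - 40}

# Constructed sample mirroring the thread: NS offers 1440, server offers 1460, NS still sends 1460.
SAMPLE_FLOW = [
    build_ipv4_tcp(0, 0x02, b"\x02\x04\x05\xa0"),       # NetScaler SYN, MSS 1440
    build_ipv4_tcp(0, 0x12, b"\x02\x04\x05\xb4"),       # server SYN/ACK, MSS 1460
    build_ipv4_tcp(1440, 0x18, b""),                    # server data segment, honours 1440
    build_ipv4_tcp(1460, 0x18, b""),                    # NetScaler data segment, 1460 bytes
]
```

The `safe_mss` value is the largest MSS that keeps a plain 40-byte-header segment inside the tunnel, which for these assumptions is the 1440 the poster arrived at.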
