MSS Clamping and bad cksum errors
I am currently running 2.1.4-RELEASE (amd64).
I have a number of IPSec tunnels running without any apparent problems. The latest tunnel I set up is giving me performance problems on file transfers. At first file transfers would just hang. I enabled MSS Clamping and that problem went away. But I am continuing to see bad cksum errors in a packet trace on the IPSec interface.
11:54:38.092726 (authentic,confidential): SPI 0x03571ab8: (tos 0x0, ttl 198, id 571, offset 0, flags [none], proto TCP (6), length 1440) 172.20.20.36.48055 > 10.70.94.3.57728: Flags [.], cksum 0x92ad (correct), seq 65528:66928, ack 1, win 24576, length 1400
11:54:38.092873 (authentic,confidential): SPI 0x7d3c0052: (tos 0x0, ttl 199, id 847, offset 0, flags [none], proto TCP (6), length 40, bad cksum c6ff (->c7ff)!) 10.70.94.3.57728 > 172.20.20.36.48055: Flags [.], cksum 0xc82b (correct), seq 1, ack 62728, win 24576, length 0
11:54:38.092946 (authentic,confidential): SPI 0x7d3c0052: (tos 0x0, ttl 199, id 848, offset 0, flags [none], proto TCP (6), length 40, bad cksum c6fe (->c7fe)!) 10.70.94.3.57728 > 172.20.20.36.48055: Flags [.], cksum 0xc2b3 (correct), seq 1, ack 64128, win 24576, length 0
11:54:38.093176 (authentic,confidential): SPI 0x7d3c0052: (tos 0x0, ttl 199, id 849, offset 0, flags [none], proto TCP (6), length 40, bad cksum c6fd (->c7fd)!) 10.70.94.3.57728 > 172.20.20.36.48055: Flags [.], cksum 0xbd3b (correct), seq 1, ack 65528, win 24576, length 0
The checksum error is always off by exactly 0x100. Another post indicated enabling MSS Clamping would eliminate the error: https://forum.pfsense.org/index.php?topic=42695.msg220533#msg220533
I think throughput should be better on this particular tunnel and the cksum errors concern me.
I experimented with different MSS Clamping MTU sizes and don't see any change. Does the tunnel have to be stopped and restarted to pick up the new value?
Any other recommendations?
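
An added example, not part of the original post: it rebuilds the IPv4 header from the fields tcpdump printed in two of the trace lines above, recomputes the header checksum, and searches for the TTL value at which the stored checksum would have been valid. It assumes a 20-byte header with no IP options; the function names are illustrative.

```python
import ipaddress
import re
import struct

# Two lines taken from the trace in the post (TCP details after the addresses trimmed).
TRACE = [
    "(tos 0x0, ttl 199, id 847, offset 0, flags [none], proto TCP (6), length 40, "
    "bad cksum c6ff (->c7ff)!) 10.70.94.3.57728 > 172.20.20.36.48055:",
    "(tos 0x0, ttl 199, id 848, offset 0, flags [none], proto TCP (6), length 40, "
    "bad cksum c6fe (->c7fe)!) 10.70.94.3.57728 > 172.20.20.36.48055:",
]
LINE_RE = re.compile(
    r"tos 0x(?P<tos>[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto \w+ \((?P<proto>\d+)\), length (?P<len>\d+), "
    r"bad cksum (?P<stored>[0-9a-f]+) \(->(?P<want>[0-9a-f]+)\)!\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+"
)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones' complement checksum over 16-bit big-endian words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(f: dict, ttl: int) -> bytes:
    """20-byte IPv4 header (assumption: IHL=5, no options), checksum field zeroed."""
    flags = (2 if "DF" in f["flags"] else 0) | (1 if "+" in f["flags"] else 0)
    frag = (flags << 13) | (int(f["off"]) // 8)  # tcpdump prints the offset in bytes
    return struct.pack("!BBHHHBBH4s4s", 0x45, int(f["tos"], 16), int(f["len"]),
                       int(f["id"]), frag, ttl, int(f["proto"]), 0,
                       ipaddress.IPv4Address(f["src"]).packed,
                       ipaddress.IPv4Address(f["dst"]).packed)

def analyse(line: str) -> dict:
    f = LINE_RE.search(line).groupdict()
    stored = int(f["stored"], 16)
    # TTL shares a 16-bit word with the protocol byte, so each TTL step moves the sum by 0x100.
    ttl_ok = next((t for t in range(256)
                   if ip_checksum(build_header(f, t)) == stored), None)
    return {"ttl": int(f["ttl"]), "stored": stored, "tcpdump_expected": int(f["want"], 16),
            "recomputed": ip_checksum(build_header(f, int(f["ttl"]))),
            "ttl_when_checksummed": ttl_ok}

if __name__ == "__main__":
    for line in TRACE:
        r = analyse(line)
        print(f"ttl={r['ttl']} stored={r['stored']:#06x} recomputed={r['recomputed']:#06x} "
              f"stored checksum is valid for ttl={r['ttl_when_checksummed']}")
```

For both lines the recomputed value equals the one tcpdump expected, and the stored checksum matches a header whose TTL is 200, one more than the TTL captured, which accounts for the constant 0x100 difference.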