We are attempting to troubleshoot a VPN tunnel problem - symptom being that the receiver is seeing out of order packets (not unusual, I think) and missing packets. The receiver suspects a black hole router somewhere between our Concentrator and his network. Cisco says it sounds like a packet size issue and recommends setting the fragmentation option to "Fragment prior to IPsec encapsulation with Path MTU Discovery (ICMP)".
I am a novice at this and am wondering if it's better to set the fragmentation option as recommended or lower the MTU setting on the concentrator. It seems from what I've read at various sites that the PMTUD option depends on routers between me and the receiver properly handling that request.
I will add that the missing packet issue is intermittent. The same bundle of data may fail due to a missing packet and then turn around and immediately work when the receiver re-requests the same data.