We have a couple of 5540s (running 8.0(4)) that we use only for remote access (client-to-site) VPNs.
In the logs we regularly get some entries similar to the following:
2009-02-16 11:59:39 UTC Local3.Info x.x.x.x Feb 16 2009 11:59:39: %ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1362, dest_addr=a.a.a.a, src_addr=b.b.b.b, prot=TCP
2009-02-16 11:59:48 UTC Local3.Info x.x.x.x Feb 16 2009 11:59:48: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1426, dest_addr=c.c.c.c, src_addr=d.d.d.d, prot=ICMP
When we capture ICMP traffic, we can also see messages that indicate that packets are dropped because DF-bit is set, but fragmentation is required.
Currently we use the default fragmentation settings, but are planning to configure the parameters below to fix the user problems:
mtu inside 1500 (default)
mtu outside 1380
sysopt connection tcpmss 1300
sysopt connection tcpmss minimum 0 (default)
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit copy-df inside (default)
crypto ipsec fragmentation before-encryption outside (default)
crypto ipsec fragmentation before-encryption inside (default)
I would appreciate your feedback regarding these settings and any other recommendations!
Thanks in advance for your help!
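As an added example (not part of the original post or of any Cisco tooling), here is a small Python script that parses %ASA-6-602101 PMTU-D entries like the ones quoted above, reports how far each packet exceeded the effective MTU, and checks whether a proposed `sysopt connection tcpmss` value fits under the smallest effective MTU seen in the log. The sample lines are constructed (addresses replaced with documentation ranges), and the MSS check assumes IPv4 with a 20-byte IP header and a 20-byte TCP header with no options.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the entries quoted in the post.
# The third line is a non-matching message to show that it is ignored.
SAMPLE_LOG = """\
2009-02-16 11:59:39 UTC Local3.Info 192.0.2.1 Feb 16 2009 11:59:39: %ASA-6-602101: PMTU-D packet 1420 bytes greater than effective mtu 1362, dest_addr=198.51.100.10, src_addr=203.0.113.5, prot=TCP
2009-02-16 11:59:48 UTC Local3.Info 192.0.2.1 Feb 16 2009 11:59:48: %ASA-6-602101: PMTU-D packet 1500 bytes greater than effective mtu 1426, dest_addr=198.51.100.11, src_addr=203.0.113.6, prot=ICMP
2009-02-16 12:00:02 UTC Local3.Info 192.0.2.1 Feb 16 2009 12:00:02: %ASA-6-302013: Built inbound TCP connection 12345 (constructed filler line)
"""

# Fields of the 602101 message as they appear in the quoted log lines.
PMTUD_RE = re.compile(
    r"%ASA-6-602101: PMTU-D packet (?P<size>\d+) bytes greater than effective mtu (?P<mtu>\d+), "
    r"dest_addr=(?P<dst>[^,]+), src_addr=(?P<src>[^,]+), prot=(?P<prot>\w+)"
)

# Assumption: IPv4 (20 bytes) + TCP (20 bytes), no options. MSS = MTU - 40.
IPV4_TCP_HEADERS = 40


def parse_pmtud_events(text):
    """Return one dict per 602101 line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = PMTUD_RE.search(line)
        if not m:
            continue
        size, mtu = int(m["size"]), int(m["mtu"])
        events.append({
            "size": size,
            "mtu": mtu,
            "dst": m["dst"],
            "src": m["src"],
            "prot": m["prot"],
            "excess": size - mtu,  # bytes the packet would need to shrink by
        })
    return events


def summarize(events):
    """Aggregate view: how many hits, smallest effective MTU, worst overshoot, per-protocol counts."""
    if not events:
        return {"count": 0, "min_effective_mtu": None, "max_excess": 0, "by_prot": Counter()}
    return {
        "count": len(events),
        "min_effective_mtu": min(e["mtu"] for e in events),
        "max_excess": max(e["excess"] for e in events),
        "by_prot": Counter(e["prot"] for e in events),
    }


def max_tcp_mss_for(effective_mtu):
    """Largest TCP MSS that fits in a given MTU under the IPv4/TCP header assumption above."""
    return effective_mtu - IPV4_TCP_HEADERS


def tcpmss_fits(proposed_mss, events):
    """True if the proposed tcpmss clamp is no larger than the MSS allowed by the
    smallest effective MTU observed in the log (trivially True with no events)."""
    if not events:
        return True
    return proposed_mss <= max_tcp_mss_for(min(e["mtu"] for e in events))


if __name__ == "__main__":
    evs = parse_pmtud_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e['prot']:4} {e['src']} -> {e['dst']}: {e['size']} bytes, "
              f"effective mtu {e['mtu']}, over by {e['excess']}")
    s = summarize(evs)
    print(f"{s['count']} PMTU-D hits, smallest effective MTU {s['min_effective_mtu']}, "
          f"worst overshoot {s['max_excess']} bytes, by protocol {dict(s['by_prot'])}")
    for mss in (1300, 1380):
        print(f"tcpmss {mss}: {'fits' if tcpmss_fits(mss, evs) else 'too large'} "
              f"(max for MTU {s['min_effective_mtu']} is {max_tcp_mss_for(s['min_effective_mtu'])})")
```

Feeding the real syslog export to `parse_pmtud_events` instead of the constructed sample gives a quick picture of which effective MTUs the tunnels are actually seeing before the `mtu outside` and `tcpmss` values are committed.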