I'm baffled by this one. I found that the SA520 does not seem to be able to reassemble fragmented packets. I have 2 sites and I set up a site-to-site IPSEC link. The problem started when small packets of less than 1409 bytes could be transmitted across the link, but larger ones could not. This caused problems and caused me to do more testing. I found that even when pinging the LAN IP from a local computer, I couldn't ping larger than 1472, which I expect if I set the NoFragment bit. But if I don't set the NoFragment bit, why can't it reassemble the 2 packets from a 1475-byte ping?
I did a packet trace (from the SA520's UI) and looked at the .CAP file with Wireshark. I see the 2 fragments for each ping request (the first one, and then the 3 extra bytes, totaling 1475 bytes) and then nothing else until exactly 30 seconds later. At that time I get a ping response of "Type: 11 (Time-to-live exceeded)" with a code of "Code: 1 (Fragment reassembly time exceeded)".
So, it seems that the SA520 doesn't think it got all the packets, or it just refused to put them back together. I get roughly the same results pinging the SA520 on the other side of the IPSEC link (which right now is a cable connecting the 2 together in my lab).
This seems like a bug to me, but I can't believe no one else has had any problem like this. Anyone?
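Added illustration, not part of the original post and not Cisco's code: a toy Python model of what the receiving side is supposed to do with that 1475-byte ping. A 1475-byte ICMP echo is 8 + 1475 = 1483 bytes of ICMP, 1503 bytes with the IPv4 header, so on a 1500-byte MTU it leaves as a 1500-byte first fragment (1480 bytes of payload) and a 23-byte second fragment carrying the last 3 bytes, exactly the two frames in the capture. The reassembler below keys on (src, dst, protocol, identification) as RFC 791 describes, delivers once every byte up to the MF=0 fragment has arrived, and, if it times out with fragment zero in hand, emits the ICMP type 11 code 1 the poster saw after 30 seconds. The addresses, identification value and payload bytes are made up for the demo; the 30-second timer is a constructed value matching the post.

```python
"""Toy IPv4 fragmentation / reassembly for the 1475-byte ping case (added example)."""
import socket
import struct

MTU, IP_HDR_LEN, PROTO_ICMP = 1500, 20, 1
REASSEMBLY_TIMEOUT = 30.0   # seconds; assumed, matches the delay seen in the capture


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, offset=0, more=False, ttl=64):
    """Minimal IPv4 header with no options; offset is in bytes and must be a multiple of 8."""
    ff = (0x2000 if more else 0) | (offset // 8)            # MF flag + 13-bit offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident, ff, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ident": ident,
            "ttl": ttl, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:total]}


def build_ping(data_len, src="192.168.1.10", dst="192.168.1.1", ident=0x1234):
    """ICMP echo request carrying data_len bytes of constructed payload (what `ping` with size N sends)."""
    icmp = (struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(range(256)) * (data_len // 256 + 1))[:8 + data_len]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, PROTO_ICMP, icmp, ident)


def fragment(pkt: bytes, mtu: int = MTU) -> list:
    """Split an unfragmented datagram for a link MTU; every non-final fragment payload is a multiple of 8."""
    p = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if p["df"]:
        raise ValueError("DF set: a router must drop this and answer with ICMP type 3 code 4")
    step = (mtu - IP_HDR_LEN) // 8 * 8                      # 1480 for a 1500-byte MTU
    out = []
    for off in range(0, len(p["payload"]), step):
        chunk = p["payload"][off:off + step]
        more = off + len(chunk) < len(p["payload"])
        out.append(build_ipv4(p["src"], p["dst"], p["proto"], chunk, p["ident"], off, more, p["ttl"]))
    return out


def icmp_time_exceeded(first_fragment: bytes) -> bytes:
    """ICMP type 11 code 1, quoting the offending IP header plus 8 bytes, as in the poster's capture."""
    msg = struct.pack("!BBHI", 11, 1, 0, 0) + first_fragment[:IP_HDR_LEN + 8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


class Reassembler:
    """Keys on (src, dst, proto, ident) per RFC 791; toy version, no overlap handling."""

    def __init__(self, timeout=REASSEMBLY_TIMEOUT):
        self.timeout = timeout
        self.pending = {}   # key -> {"start", "frags": {offset: payload}, "total", "first"}

    def add(self, pkt: bytes, now: float):
        p = parse_ipv4(pkt)
        if p["offset"] == 0 and not p["mf"]:
            return p                                          # not a fragment, deliver as-is
        key = (p["src"], p["dst"], p["proto"], p["ident"])
        e = self.pending.setdefault(key, {"start": now, "frags": {}, "total": None, "first": None})
        e["frags"][p["offset"]] = p["payload"]
        if not p["mf"]:
            e["total"] = p["offset"] + len(p["payload"])     # the MF=0 fragment fixes the full length
        if p["offset"] == 0:
            e["first"] = pkt
        if e["total"] is None:
            return None
        data, covered = bytearray(e["total"]), 0
        for off in sorted(e["frags"]):
            if off != covered:
                return None                                   # hole: keep waiting for the timer
            data[off:off + len(e["frags"][off])] = e["frags"][off]
            covered = off + len(e["frags"][off])
        if covered != e["total"]:
            return None
        del self.pending[key]
        return dict(parse_ipv4(e["first"]), mf=False, payload=bytes(data))

    def expire(self, now: float) -> list:
        """Drop stale datagrams; return Time Exceeded replies for those whose fragment zero arrived (RFC 1122)."""
        replies = []
        for key, e in list(self.pending.items()):
            if now - e["start"] >= self.timeout:
                if e["first"] is not None:
                    replies.append(icmp_time_exceeded(e["first"]))
                del self.pending[key]
        return replies


def demo(data_len=1475):
    """Returns (fragment sizes, reassembled ICMP length, replies after 30 s when the 3-byte tail is lost)."""
    frags = fragment(build_ping(data_len))
    whole = None
    good = Reassembler()
    for f in frags:
        whole = good.add(f, now=0.0)
    lossy = Reassembler()
    lossy.add(frags[0], now=0.0)
    return [len(f) for f in frags], len(whole["payload"]), lossy.expire(now=30.0)
```

Running demo() gives fragment sizes [1500, 23] and a 1483-byte reassembled ICMP message; with only the first fragment delivered, expire() at 30 seconds produces the type 11 / code 1 message. The point for the capture above is that a correct reassembler sends that message only when a fragment really is missing, so seeing both fragments on the wire and still getting code 1 means the receiving stack dropped or never matched the second one.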