Could someone point out an advantage/disadvantage of either of these two approaches to deal with MTU path discovery issues? (1) The first one is to allow the 'packet needs to be fragmented but DF set' messages through the use of an ACL. (2) The second is done by setting the outside interface MTU to the same as my VPN tunnel (1440), and leaving the inside at the standard Ethernet 1500 MTU. Here is my config on my PIX.
==== Option 1: let the ICMP "fragmentation needed but DF set" messages in through the ACL ====
! 'unreachable' is ICMP type 3 as a whole (net/host/port unreachable as well), not only
! code 4 (fragmentation needed), so this entry admits more than the PMTUD message alone.
access-list MTU-TEST remark MTU-PATH Discovery
access-list MTU-TEST permit icmp 172.x.0.0 255.255.0.0 any unreachable
access-list MTU-TEST remark Permit inbound ping response (and traceroute)
access-list MTU-TEST permit icmp any any echo-reply
access-group MTU-TEST in interface outside
==== Option 2: lower the outside interface MTU to the tunnel MTU (1440) ====
! No inbound 'unreachable' entry here: with the outside interface at 1440 the PIX itself is the
! hop whose MTU is too small, so inside hosts (still at 1500) get the "fragmentation needed"
! message from the PIX rather than from a router on the Internet.
access-list MTU-1440-OUTSIDE remark Permit inbound ping response (and traceroute)
access-list MTU-1440-OUTSIDE permit icmp any any echo-reply
access-group MTU-1440-OUTSIDE in interface outside
mtu outside 1440
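What option (1) actually lets in, as an added example that is not part of the original post or of the PIX config above: a small parser that builds and checks ICMPv4 type 3 messages. The 'unreachable' ACL keyword admits every type-3 code from outside, so anything behind that ACL (a host stack, an IDS, or a sanity check in a capture) has to do the filtering the firewall does not: accept only code 4, only when the quoted datagram was really sent by the host the message is addressed to, and only with a plausible next-hop MTU. The 172.16.0.0/16 inside network, the router 198.51.100.1 and the peer 203.0.113.7 are placeholders for the 172.x.0.0/16 and the unnamed peers in the post, and every packet below is constructed by the script itself.

```python
"""Build and sanity-check ICMPv4 'fragmentation needed' (type 3, code 4) messages.
Added example, not the original poster's config; addresses are placeholders."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3           # ICMP type 3, "destination unreachable"
CODE_FRAG_NEEDED = 4            # code 4, "fragmentation needed and DF set" (RFC 1191)
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
MIN_IPV4_MTU = 68               # RFC 791 minimum; a smaller next-hop MTU is bogus
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")   # stands in for the post's 172.x.0.0/16


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; yields 0 when run over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (0x4000 = DF bit)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000 if df else 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_unreachable(router: str, orig_src: str, orig_dst: str, code: int, next_hop_mtu: int,
                      target: str = None, orig_len: int = 1500) -> bytes:
    """Constructed test input: ICMP type 3 from `router` to `target` (default: orig_src), quoting
    the header plus 8 bytes of the offending 1500-byte DF TCP packet orig_src -> orig_dst."""
    quoted = ipv4_header(orig_src, orig_dst, IPPROTO_TCP, orig_len - 20, df=True)
    quoted += struct.pack("!HHI", 40000, 443, 1)          # TCP source port, dest port, seq number
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, target or orig_src, IPPROTO_ICMP, len(icmp), df=False) + icmp


def parse_frag_needed(packet: bytes, inside_net=INSIDE_NET) -> dict:
    """Accept only a well-formed, self-consistent 'fragmentation needed' message addressed to a
    host in `inside_net`; raise ValueError with the reason for anything else."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_ICMP:
        raise ValueError("not an ICMPv4 packet")
    icmp = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(icmp) < 8 + 28:                                 # 8 ICMP + quoted 20 IP + 8 payload bytes
        raise ValueError("ICMP body too short to carry the quoted datagram")
    if ones_complement_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, _, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination-unreachable" % icmp_type)
    if code != CODE_FRAG_NEEDED:
        # Same type 3, so a 'permit icmp ... unreachable' entry lets it in, but it is not PMTUD.
        raise ValueError("unreachable code %d is not 'fragmentation needed'" % code)
    q_ver_ihl, _, q_len, _, _, _, q_proto, _, q_src, q_dst = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    if q_ver_ihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    host = ipaddress.IPv4Address(dst)
    if host not in inside_net:
        raise ValueError("message is not addressed to an inside host")
    if q_src != dst:
        # The quoted packet must come from the host being told to shrink its MTU.
        raise ValueError("quoted source does not match the addressed host (forged or misrouted)")
    if not MIN_IPV4_MTU <= next_hop_mtu < q_len:
        raise ValueError("implausible next-hop MTU %d for a %d-byte datagram" % (next_hop_mtu, q_len))
    return {"router": str(ipaddress.IPv4Address(src)), "host": str(host), "next_hop_mtu": next_hop_mtu,
            "flow": (str(ipaddress.IPv4Address(q_src)), str(ipaddress.IPv4Address(q_dst)), q_proto)}


def classify(packet: bytes, inside_net=INSIDE_NET) -> str:
    """'accept <mtu>' or 'reject: <reason>'; handy for running a whole capture through."""
    try:
        return "accept %d" % parse_frag_needed(packet, inside_net)["next_hop_mtu"]
    except ValueError as exc:
        return "reject: %s" % exc


if __name__ == "__main__":
    samples = {
        "genuine 1440":      build_unreachable("198.51.100.1", "172.16.5.10", "203.0.113.7", CODE_FRAG_NEEDED, 1440),
        "port unreachable":  build_unreachable("198.51.100.1", "172.16.5.10", "203.0.113.7", 3, 0),
        "forged quote":      build_unreachable("198.51.100.1", "172.16.5.99", "203.0.113.7", CODE_FRAG_NEEDED, 1440,
                                               target="172.16.5.10"),
        "absurd MTU 40":     build_unreachable("198.51.100.1", "172.16.5.10", "203.0.113.7", CODE_FRAG_NEEDED, 40),
    }
    for name, pkt in samples.items():
        print("%-18s %s" % (name, classify(pkt)))
```

All four samples pass the 'unreachable' ACL of option (1); only the first should change a host's path MTU. Option (2) sidesteps the question for traffic leaving through the tunnel, because the hop with the 1440 limit is then the PIX itself and no ICMP from outside has to be admitted for inside hosts to learn it.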