I had a similar problem and posted a similar question a few days ago.
What I discovered is that when PCs log on to a Windows domain over a WAN connection (whether or not it is a VPN connection), they use Kerberos over UDP to authenticate to the server. However, the UDP packets may exceed the MTU.
It also pings the server with an ICMP packet of 2048 bytes. When it receives a reply to the packet, it does a calculation based on the size of the packet and the response time in order to determine whether the PC is logging on over a slow link.
Kerberos causes problems with the logon time which for me was between 10-15 minutes. The ping causes group policies to not be applied.
I had to make the necessary MaxPacketSize change. This allowed me to log on quicker, but group policies were not applying.
Both of these issues indicated a fragmentation problem. So I suggest doing the following:
1) Allow ICMP on all interfaces on both PIXes
2) Run a debug icmp trace on both firewalls
3) Ping an Internet host, such as www.go.com, with the following command: ping -f -l 1472. If this works, it means the lowest MTU between you and www.go.com is 1500. Then try a higher value; you should receive a "Fragmentation required but DF flag set". This tests whether PMTU is able to discover MTUs properly. If this is successful, go to step 4
4) From one side of the tunnel, ping a PC on the other side with the following command: ping -l 2048
If you get a reply, there isn't a fragmentation problem. However, if you get a "Request timed out" like I did, then it indicates the firewall is not handling large packets properly.
My resolution was to set the MTU of the outside interfaces of both PIXes to 1492. Pings work now, logons work, my client is happy, but I am waiting for a response to my post to find out WHY??
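
Steps 3 and 4 above can be scripted. The following Python is an added example, not part of the original post: it binary-searches the largest DF-set ping payload that is answered, then checks whether a fragmented 2048-byte ping passes. The function names, the -n and -w ping options, the "TTL=" reply check, the simulated path and the 192.0.2.10 address are assumptions made for the example.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header

def windows_ping_probe(host, df=True):
    """Build probe(size): True if one echo with `size` payload bytes is answered."""
    def probe(size):
        # -f (Don't Fragment) and -l (payload size) are the flags from the post;
        # -n 1 sends a single echo and -w 2000 waits 2 s for the reply.
        cmd = ["ping", "-l", str(size), "-n", "1", "-w", "2000", host]
        if df:
            cmd.insert(1, "-f")
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        # Assumption: an answered echo prints a "TTL=" field; errors and
        # timeouts do not (the exit code alone is not reliable).
        return "TTL=" in out
    return probe

def simulated_path(path_mtu):
    """Constructed stand-in for a path: a DF-set echo is answered only if it fits."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu

def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest DF payload that is answered; return payload + 28.

    Returns None when even the smallest probe (576-byte packet) gets no reply.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # fits: search larger payloads
        else:
            high = mid - 1     # too big or dropped: search smaller payloads
    return low + IP_ICMP_OVERHEAD

def check_tunnel(df_probe, frag_probe):
    """Steps 3 and 4 together: path MTU, then whether a fragmented 2048-byte ping passes."""
    return {"path_mtu": find_path_mtu(df_probe), "fragments_pass": frag_probe(2048)}

if __name__ == "__main__":
    # Constructed case: a 1492-byte path where fragmented packets are dropped.
    print(check_tunnel(simulated_path(1492), lambda size: False))
    # Against a real peer (hypothetical address), run on Windows:
    # print(check_tunnel(windows_ping_probe("192.0.2.10"),
    #                    windows_ping_probe("192.0.2.10", df=False)))
```

A path_mtu below 1500 combined with fragments_pass set to False is the pattern described in the post: large packets need fragmentation and the fragments do not get through.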