I'll try to answer your questions as best as possible:
1) This should show you if there were any fragmented packets. show ip traf | i Frag
2) No, you don't need to, as it is not reliable all the time unless you're allowing ICMP packet-too-big all through. DF-bit will need to be set to 1 as well for PMTUD to work.
3) ip tcp adjust-mss should be used on the inside interface
4) You shouldn't use this - this was done when the crypto ipsec df-bit clear command was not available
5) When path-mtu-discovery is not possible, but its always best to set this and not to pmtud. Value may vary, but 1400-1420 works best. It depends on the the type of encryption etc.
6)How do you know its getting fragmented? You can run "debug ip packet detail" with an access-list for the src/dst traffic and see if there are any fragments.
7) If you want to clear the df-bit, if you see packets getting dropped due to them being too big, and not being allowed to fragment. Ideally, with TCP traffic you want to use tcp adjust-mss so you don't have to clear the df-bit and the MSS is negotiated during the 3-way handshake.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...