Well, to get to the bottom the issue, we would need the show-tech of the device. If not the complete one then just the show-version and details of show interface and VPN relevant configuration.
Possibly you can try the following and check if the issue gets resolved.
Configure "crypto ipsec df-bit clear" and re-configure
Also, configure "ip mtu 1400" under the tunnel interfaces:
int tun X
ip mtu 1400
crypto ipsec df-bit [clear | set | copy]
Router(config)# crypto ipsec df-hit set
Sets the DF bit for the encapsulating header in tunnel mode for all interfaces.
* The clear keyword clears the DF bit in the outer IP header, and the router may
fragment the packet to add the IP Security (IPSec) encapsulation.
* The set keyword sets the DF bit in the outer IP header, however, the router may
fragment the packet if the original packet had the DF bit cleared.
* The copy keyword has the router look in the original packet for the outer DF bit
setting. The copy keyword is the default setting.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...