I don't think this will resolve the issue. If you use this command then no path MTU is performed and the DF bit in the IPSec header is set to 0 and the packet is fragmented if required. The default behavior is to copy the DF bit from the IP packet to the IPSec header, and by default routers do not set the DF bit, which means it's already 0. Your router is already performing fragmentation.
1. Either decrease the mtu and mss on your tunnel interface.
Router(config)# interface tunnel 1
Router(config-if)# ip tcp adjust-mss 1360
Router(config-if)# ip mtu 1400
2. Or you can use "crypto ipsec fragmentation before-encryption"
The Pre-fragmentation for IPsec VPNs feature increases the decrypting router's performance by enabling it to operate in the high-performance CEF path instead of the process path. If the routers are performing fragmentation on behalf of the source node, it may be desirable to have the encryption performed prior to encryption. This prevents the destination tunnel router from having to reassemble the fragments and then perform the decryption. It will reduce the CPU overhead.
2. Errors should not increment. Check your config if these errors increment.
Also try to debug your ipsec sa to see what is causing these errors.
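Added example, not part of the post above: a Python sketch of the size arithmetic behind `ip mtu 1400` and `ip tcp adjust-mss 1360`, showing when an encrypted packet exceeds the path MTU and has to be fragmented after encryption. The transform (ESP tunnel mode, AES-CBC with HMAC-SHA1-96), the optional GRE encapsulation, the 1500-byte path MTU and all function names are assumptions; the thread does not state them.

```python
# Added example: ESP tunnel-mode packet size arithmetic.
# Assumed transform: AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
GRE_OVERHEAD = 24  # 20-byte IPv4 + 4-byte GRE header, no key/sequence options
TCP_IP_HDRS = 40   # IPv4 + TCP headers without options


def esp_packet_size(inner_len, iv=16, block=16, icv=12, gre=False):
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encryption."""
    payload = inner_len + (GRE_OVERHEAD if gre else 0) + ESP_TRAILER
    padded = -(-payload // block) * block  # round up to the cipher block size
    return OUTER_IP + ESP_HDR + iv + padded + icv


def fragments_after_encryption(inner_len, path_mtu=1500, **kw):
    """True if the encrypted packet exceeds the path MTU, so the peer must reassemble."""
    return esp_packet_size(inner_len, **kw) > path_mtu


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest cleartext packet whose encrypted form still fits the path MTU."""
    for inner in range(path_mtu, 0, -1):
        if esp_packet_size(inner, **kw) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this transform")


def mss_for(ip_mtu):
    """TCP MSS that keeps a full-size segment within the tunnel's ip mtu."""
    return ip_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for inner in (1400, 1500):
        for gre in (False, True):
            size = esp_packet_size(inner, gre=gre)
            frag = fragments_after_encryption(inner, gre=gre)
            print(f"inner={inner} gre={gre} encrypted={size} fragmented={frag}")
    print("largest inner MTU, ESP only:", max_inner_mtu())
    print("largest inner MTU, GRE + ESP:", max_inner_mtu(gre=True))
    print("MSS for ip mtu 1400:", mss_for(1400))
```

Under these assumptions a 1400-byte packet fits in 1500 bytes even with GRE, while a full 1500-byte packet does not and would be fragmented after encryption.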