Change the MTU value with the one obtained with the previous test. For example, if the Gateway is configured on the loopback interface set with 1450B MTU, this will be the starting value we'll be deducting from to calculate the final MTU for a particular formed GlobalProtect tunnel (in this case 1450 - 80 = 1370). I commonly recommend setting this value on the client if a majority of the traffic at say a remote office is going to traverse the tunnel. To set up the new MTU value, you can go under Network Interfaces, select the WAN interface from which the VPN traffic is going through and: Navigate to Advanced tab. Attempt to use the VPN or set up the VPN tunnel and note the debug output. You can use the diagnose vpn tunnel list command to troubleshoot this. A 1500 byte MTU is going to exceed the overhead of the ESP header, including the additional IP header, etc. In other words when you are trying to min-max bandwidth over tunnels. Check IPsec VPN Maximum Transmission Unit (MTU) size. Slowing down the process and increasing resource utilization greatly.
See Encryption domains for policy-based tunnels for full details. In IPv4 the router is responsible for handling fragmentation. The Oracle VPN headends use route-based tunnels, but can work with policy-based tunnels with some caveats. Even if you correctly set the MTU and TCP MSS values you can end up having fragmentation at the layer 3 boundary; in my example's case that would be the router. Like I say in the other post you may also find a performance boost by setting the clients' MTUs when using IPv4. To rule out where the problem lies, a ping test was done with a packet size of 549, which comes with request time out, but traffic leaves the firewall and anything below 549 is pingable; the default MTU set is 1500.
Cisco recommends IPSec GRE tunnels to be set to 1400 for layer 3 MTU and 1360 for TCP MSS (or just clamp-tcp-mss in the tunnel configuration option on MikroTik). Hello friends, just got stuck with an issue where users are reporting a sync issue between tunnels; however, I do not see any drops on the firewall at all. That said, MTU size can vary when you add IPSec into the mix. Here are the links to 2 posts I did very recently regarding MTU. I'd look at using a GRE or IPIP tunnel wrapped in IPSec and setting a layer 3 MTU personally. The clamp-tcp-mss won't fix all of your problems.