Got the solution from another co-worker, so sharing:
The "bigmss (MTU) fixup" is used when VPN is not connecting from hosts behind a MSB firewall. Symptoms are:
- no ISAKMP return traffic seen by the client
- the "test" rule allowing ISAKMP inbound increments, indicating the return traffic made it to the firewall outside interface
- no login prompt (popup window)
To resolve, do the below in sequence and, when complete, have the connection tested. The VPN login prompt (popup window) should now be seen. This works with many-to-one NAT or one-to-one NAT.
1) ACL for fixup
    access-list tcp_norm line 5 extended permit tcp any any
2) class maps
    parameter-map type connection TCPMAP
      exceed-mss allow
      exit
    class-map match-all cmTCPNORM
      2 match access-list tcp_norm
      exit
3) policy map
    policy-map multi-match bigmss
      class cmTCPNORM
        connection advanced-options TCPMAP
        exit
      exit
4) apply the policy map to both the external and internal interfaces
    interface internal
      service-policy input bigmss
      exit
    interface external
      service-policy input bigmss
      exit
    exit
Ensure you save the policy.
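As an added example (my own, not part of the post or the co-worker's fix), here is a small Python check that reads a saved running-config and confirms the four pieces of the procedure above are present and actually chained together: the ACL is referenced by the class-map, the class-map sits in the policy-map with a parameter-map that has "exceed-mss allow", and that policy-map is applied inbound on both interfaces. The names tcp_norm, TCPMAP, cmTCPNORM, bigmss and the interface names "internal"/"external" are taken from the post; the sample config is constructed, and the parser assumes sub-commands are indented the way "show running-config" prints them.

```python
"""Audit a saved config for the 'bigmss' MSS fixup described in the post.

Added example, not from the original post.  It verifies each step of the
procedure and checks that each step references the names the previous step
created, so a typo in any one name shows up as a finding instead of a
silently non-working policy.
"""
import re

# Constructed sample config (not output from a real device); sub-commands are
# indented under their parent command, as 'show running-config' prints them.
SAMPLE_CONFIG = """\
access-list tcp_norm line 5 extended permit tcp any any
parameter-map type connection TCPMAP
  exceed-mss allow
class-map match-all cmTCPNORM
  2 match access-list tcp_norm
policy-map multi-match bigmss
  class cmTCPNORM
    connection advanced-options TCPMAP
interface internal
  service-policy input bigmss
interface external
  service-policy input bigmss
"""


def parse_blocks(config_text):
    """Split a config into (top-level command, [indented sub-commands]) pairs.

    A list (not a dict) is returned so repeated headers such as two
    'interface' lines are both kept.  Nested indentation is flattened into the
    nearest top-level block, which is enough for the checks below.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_bigmss(config_text, required_interfaces=("internal", "external")):
    """Return a list of findings; an empty list means the fixup is fully wired."""
    blocks = parse_blocks(config_text)
    findings = []

    # Step 1: ACLs that permit TCP any/any (what the class-map must match on).
    acls = set()
    for header, _ in blocks:
        m = re.match(r"access-list (\S+) .*permit tcp any any", header)
        if m:
            acls.add(m.group(1))

    # Step 2a: parameter-maps that allow an oversized MSS.
    mss_maps = {h.split()[-1] for h, kids in blocks
                if h.startswith("parameter-map type connection")
                and "exceed-mss allow" in kids}
    if not mss_maps:
        findings.append("no parameter-map type connection with 'exceed-mss allow'")

    # Step 2b: class-maps, each checked against the ACL it references.
    good_classes = set()
    for h, kids in blocks:
        if h.startswith("class-map"):
            cname = h.split()[-1]
            for k in kids:
                m = re.search(r"match access-list (\S+)", k)
                if m and m.group(1) in acls:
                    good_classes.add(cname)
                elif m:
                    findings.append(f"class-map {cname} references unknown ACL {m.group(1)}")

    # Step 3: policy-maps that tie a good class to an exceed-mss parameter-map.
    good_policies = set()
    for h, kids in blocks:
        if h.startswith("policy-map"):
            pname = h.split()[-1]
            current_class = None
            for k in kids:
                if k.startswith("class "):
                    current_class = k.split()[1]
                elif k.startswith("connection advanced-options"):
                    pmap = k.split()[-1]
                    if current_class in good_classes and pmap in mss_maps:
                        good_policies.add(pname)
                    else:
                        findings.append(f"policy-map {pname}: class {current_class} "
                                        f"with parameter-map {pmap} is not a verified MSS fixup")
    if not good_policies:
        findings.append("no policy-map ties a permit-tcp class to an exceed-mss parameter-map")

    # Step 4: the policy must be applied inbound on every required interface.
    applied = {}
    for h, kids in blocks:
        if h.startswith("interface "):
            iname = h.split(None, 1)[1]
            for k in kids:
                m = re.match(r"service-policy input (\S+)", k)
                if m:
                    applied[iname] = m.group(1)
    for iface in required_interfaces:
        pol = applied.get(iface)
        if pol is None:
            findings.append(f"interface {iface} has no input service-policy")
        elif pol not in good_policies:
            findings.append(f"interface {iface} applies {pol}, which is not a working MSS policy")
    return findings


if __name__ == "__main__":
    for finding in audit_bigmss(SAMPLE_CONFIG) or ["OK: bigmss fixup fully wired"]:
        print(finding)
```

Run it against a pasted "show running-config" to catch the common miss in step 4, a policy applied on only one of the two interfaces, before asking someone to re-test the VPN client.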