The configs are on secret devices so it would take some time to get them posted after screening but possible if you need them.

I can answer any questions you would like to ask.

If I send a df-bit ping from one end to the other it fragments after 1424.

Is that what you mean?

Thanks for your reply

yes that is the way to test or configure as below

ip mtu 1400

ip tcp-adjust mss 1360

do you recommend I change the mtu of the cypher/plan text devices?

my physical encryption devices have a space for mtu size as well. Do you recommend I change them also? they are at 1500 by default.

The routers do not have ipsec on the tunnels if I understand you correctly. they are just encapsulating.

I have another question. If I'm suspecting my tunnels are fragmenting the traffic in a bad way and interrupting host reach-ability, is there a test I can do to verify that? I know that I can send a df-bit from end-to-end now at 1424, how can I tell if the hosts are trying to go over that?

i've just been made aware of adding PMTUD to the tunnel interface? would that have a positive outcome?

Sorry if I am asking too much or seem ignorant. I'm one of the last members of a skeleton crew here and we are in a bind.

Thanks for all your help thus far.

Last first, no need to apologize for not knowing. That's what these forums are about. ;)

As to whether adding PMTUD to the tunnel interface will help, that's a depends answer. It helps deal with tunnel packets, themselves, needing to be fragmented along the way. Further, I recall(?) if tunnel receives packets with DF set, it informs sending host that they do need fragmentation.

In your case, I suspect you might be getting double fragmentation. It's possible your encryption device fragments packets, and the the tunnel device (your Cisco router) could fragment them again. Setting the TCP adjust-mss, on your tunnel interface, might resolve all fragmentation. In this case, you would set tunnel's(?) IP MTU to just allow for the tunnel overhead, but the TCP adjust-mss would be set to allow for both the tunnel overhead and encryption overhead (even though the latter isn't done on the router).

Setting the IP MTU down on the host, to allow for both encryption and tunnel overhead would work too. However, it would do it for all traffic, not just for traffic that will be encrypted and will transit the tunnel. I.e. the TCP adjust-mss would only target the latter traffic. Also, however, if you're sending non-TCP traffic, the TCP adjust-mss won't work for that traffic.

You can also downsize the tunnel's IP MTU to allow for both tunnel and encryption overhead, but unless DF is set (unlikely for non-TCP traffic), none TCP traffic won't "know" it's too large and it will be fragmented. So, again, for such traffic, the usual way to avoid its fragmentation is to set the MTU to the smaller size on the sending host.