Hi list. I have a typical site-to-site IPsec tunnel. On rare occasions users get an infinite loop in their browser while opening web sites at the opposite endpoint, while at the same time ping works well from one network to the other. An SSH connection to remote hosts looks like you have almost entered, but it freezes and you can only interrupt the connection.
As I understand it, IPsec sets the Don't Fragment bit, but during maintenance (or something else) of intermediate gateways on the Internet providers' side it could be the case that the MTU on those gateways is lower than what IPsec uses and such gateways don't reply with ICMP unreachable messages, so IPsec gets stuck at this point. Is it possible to resolve this somehow manually by changing (reducing) the MTU for IPsec packets?
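
One way to measure where large packets stop passing in the situation described above is to binary-search the largest Don't Fragment ping payload that still gets a reply from a host behind the remote endpoint. This is an added example, not part of the original post; it assumes Linux iputils `ping` (`-M do`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest ICMP payload that crosses the tunnel with
# Don't Fragment set. With a silent (black-hole) gateway, oversized probes
# simply time out, which is why small pings work while TCP sessions hang.
# Assumption: Linux iputils ping. On FreeBSD the equivalent probe would be
# "ping -D -c 1 -t 2 -s SIZE HOST".

# probe SIZE HOST -> exit status 0 if an echo reply came back with DF set.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Prints the largest payload in [LOW, HIGH] that passes, or -1 if none does.
find_max_payload() {
    host=$1
    lo=${2:-0}
    hi=${3:-1472}        # 1500-byte Ethernet MTU - 20 (IPv4) - 8 (ICMP)
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then
            best=$mid            # mid fits, try larger
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))    # mid was dropped or timed out, try smaller
        fi
    done
    echo "$best"
}

# payload_to_mss PAYLOAD -> TCP MSS that fits the same IPv4 packet size.
# packet = payload + 28 (IPv4 + ICMP); MSS = packet - 40 (IPv4 + TCP).
payload_to_mss() {
    echo $(( $1 - 12 ))
}

# Usage: ./pmtu.sh <host on the remote network>
if [ -n "${1:-}" ]; then
    p=$(find_max_payload "$1")
    if [ "$p" -lt 0 ]; then
        echo "no DF probe got a reply from $1"
    else
        echo "max DF payload $p, path MTU $(( p + 28 )), TCP MSS $(payload_to_mss "$p")"
    fi
fi
```

Probing a host on the far side of the tunnel measures the usable inner packet size, so the IPsec overhead is already included in the result.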