If a packet larger than the configured MTU is received and the DF (Don't Fragment) flag is set in its IP header, the Palo Alto Networks firewall drops it and returns an ICMP "frag-needed" message, notifying the sender that a smaller MTU is needed.


The sender's TCP/IP stack should be capable of responding with smaller packets. However, certain devices in the path block these ICMP messages, which causes the sender to resend the same oversized packet instead of reducing its size.


To avoid this situation in an IPSec VPN tunnel, the MTU/MSS (Maximum Segment Size) should be changed on the network devices that terminate the tunnel. When a packet passes through an IPSec tunnel that terminates on a Palo Alto Networks device, the device automatically changes the MSS value for the TCP handshake to alleviate such a situation.
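The two behaviours described above, as an added example that is not Palo Alto Networks code: a forwarding decision that drops an oversized DF-set packet and builds the ICMP "fragmentation needed" reply carrying the next-hop MTU, and MSS clamping that rewrites the MSS option of a TCP SYN so the peer never sends a segment larger than the tunnel can carry. All MTU values, packets and the tunnel overhead figure are constructed for illustration; the `mss_for_mtu`, `forward_decision` and `clamp_mss` names are this example's own.

```python
import struct

IPV4_HEADER = 20
TCP_HEADER = 20
ICMP_DEST_UNREACHABLE = 3   # ICMP type
ICMP_FRAG_NEEDED = 4        # ICMP code: fragmentation needed and DF set


def forward_decision(packet_len, mtu, df_set):
    """Decide what a router does with an IPv4 packet of packet_len bytes
    on an egress link with the given mtu.
    Returns ('forward', None), ('fragment', fragment_count)
    or ('drop', icmp_reply) where icmp_reply is the RFC 1191 message."""
    if packet_len <= mtu:
        return ("forward", None)
    if not df_set:
        # Fragment: every fragment but the last carries a payload that is
        # a multiple of 8 bytes, so round the usable payload down to 8.
        payload = packet_len - IPV4_HEADER
        per_fragment = (mtu - IPV4_HEADER) // 8 * 8
        count = -(-payload // per_fragment)   # ceiling division
        return ("fragment", count)
    # DF set and too big: drop it and tell the sender the next-hop MTU so
    # Path MTU Discovery can shrink its packets. If a device in the path
    # blocks this reply, the sender keeps retransmitting the same size.
    reply = {
        "icmp_type": ICMP_DEST_UNREACHABLE,
        "icmp_code": ICMP_FRAG_NEEDED,
        "next_hop_mtu": mtu,
    }
    return ("drop", reply)


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv4 packet of size mtu
    (no IP or TCP options assumed)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def build_syn(src_port, dst_port, mss):
    """Constructed TCP SYN carrying a single MSS option (kind 2, length 4).
    Checksum is left at zero; it is not what this example demonstrates."""
    data_offset_words = (TCP_HEADER + 4) // 4
    syn_flag = 0x02
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset_words << 4, syn_flag, 65535, 0, 0)
    mss_option = struct.pack("!BBH", 2, 4, mss)
    return header + mss_option


def clamp_mss(tcp_segment, max_mss):
    """Rewrite the MSS option of a SYN segment down to max_mss if it is larger.
    Returns (new_segment, advertised_mss) where advertised_mss is the value
    found before rewriting, or None when the segment is not a SYN or has no
    MSS option. A real device must also recompute the TCP checksum after
    changing the option; that step is omitted here."""
    flags = tcp_segment[13]
    if not flags & 0x02:
        return tcp_segment, None
    data_offset = (tcp_segment[12] >> 4) * 4
    options = bytearray(tcp_segment[TCP_HEADER:data_offset])
    advertised = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:
            advertised = struct.unpack("!H", options[i + 2:i + 4])[0]
            if advertised > max_mss:
                options[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    new_segment = tcp_segment[:TCP_HEADER] + bytes(options) + tcp_segment[data_offset:]
    return new_segment, advertised


if __name__ == "__main__":
    # Constructed scenario: a 1500-byte packet must cross a 1400-byte tunnel link.
    print(forward_decision(1500, 1400, df_set=False))   # fragments into 2
    print(forward_decision(1500, 1400, df_set=True))    # dropped, ICMP 3/4 with MTU 1400
    # The tunnel endpoint clamps the SYN's MSS so this never happens for TCP.
    syn = build_syn(40000, 443, 1460)
    clamped, seen = clamp_mss(syn, mss_for_mtu(1400))
    print(seen, clamp_mss(clamped, mss_for_mtu(1400))[1])  # 1460 1360
```

Run as a script to see the decision for each case; the MSS clamp assumes a 1400-byte tunnel interface MTU, chosen for the example rather than taken from any PAN-OS default.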


> show routing fib

flow_fwd_mtu_exceeded   forward   Packets lengths exceeded MTU
flow_fwd_ip_df          forward   Packets dropped: exceeded MTU but DF bit present

