I have issues with duplicate acks through the IPSEC tunnels of a customer of mine. When trying to figure out what's going on, I see that packets that are too big (DF set) are being silently dropped, whereas the sender should receive an ICMP message. In the attached pcap (renamed to be able to upload), I send 5 icmp packets with payload 1418B, and then 5 packets with payload 1419B. The latter should not work, but the sender does not get any warning of this.
Is it like this for any good reason, or is it just a bad implementation?
An update - I have similar setup on 5.2.7 on FG1000D and FG1200D - and this works fine: when I ping with too large packets (df-bit no), they get fragmented and assembled on the other side, as they should. On the FG300D running 5.2.3 the packet just disappears - with no message to the sender.