Validation of the PAN VPN, SSID, and PEAP-TEAP Protocols


L3 Networker

Hi Team 

I have a question:

During a previous session with end user, it was determined that, following the migration from PEAP to TEAP on the metropolitan area’s wireless network, 802.1X authentications fail to complete correctly when traversing the site-to-site VPN between a branch and the corporate headquarters.
From a technical standpoint, the following was observed:
• The authentication process starts correctly, but the session is not completed and times out in Cisco ISE.
• The access points are able to send requests to the NAC; however, a complete response is not received.
• At the corporate headquarters (without going through the VPN), behavior is normal.
Based on the above, and considering that:
• TEAP introduces greater encapsulation and larger packet sizes compared to PEAP
• The IPsec VPN adds additional overhead
The primary hypothesis is a possible fragmentation or MTU issue in the VPN tunnel, which would be preventing the EAP exchange from completing correctly.

By any chance, do you have a case similar to this one that could help me solve the issue?

This is my action plan:

Agreed-Upon Testing Plan
To validate this hypothesis, it was agreed to conduct controlled tests during a low-impact window, including the following activities:
1. Validation of the actual MTU on the path
   - Connectivity tests with the DF flag to identify the maximum size without fragmentation.
2. Controlled adjustment of the MTU in the VPN tunnel
   - Reduce the MTU to a reference value (e.g., 1360) for testing.
3. Conduct authentication tests
   - Verify whether the TEAP process completes successfully after the adjustment.
4. Monitor and capture traffic
   - Review behavior at the firewall and NAC levels to confirm whether symptoms of fragmentation or truncated sessions disappear.

Any kind of help would be highly cherished.
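
As an added example (not from the original post or from any vendor tool), the Python script below automates step 1 of the plan, a binary search for the path MTU using DF-marked pings, and then estimates whether a RADIUS/EAP datagram of a given size fits under a tunnel MTU once IPsec overhead is added. The ping flags assume Linux iputils (`-M do` sets DF), and the ESP overhead figures are assumptions to be adjusted for the actual IKE proposal.

```python
# Added example, not from the original post. Binary-search the path MTU with
# DF-marked pings and estimate whether RADIUS/EAP traffic fits inside the tunnel.
import subprocess

IP_HDR = 20    # IPv4 header
ICMP_HDR = 8   # ICMP echo header
UDP_HDR = 8

def ping_df_command(host, payload):
    """Linux iputils ping with DF set (-M do), one probe of `payload` data bytes."""
    return ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]

def make_ping_probe(host):
    """Return probe(payload) -> True when a DF-marked ping of that size is answered."""
    def probe(payload):
        r = subprocess.run(ping_df_command(host, payload), capture_output=True)
        return r.returncode == 0
    return probe

def find_path_mtu(probe, lo=576, hi=1500):
    """Largest IP packet size the path carries unfragmented, or None if below `lo`.
    `probe` takes the ICMP data length and reports whether the DF ping succeeded."""
    lo_p, hi_p = lo - IP_HDR - ICMP_HDR, hi - IP_HDR - ICMP_HDR
    best = None
    while lo_p <= hi_p:
        mid = (lo_p + hi_p) // 2
        if probe(mid):
            best, lo_p = mid, mid + 1      # fits: search larger
        else:
            hi_p = mid - 1                 # dropped or "frag needed": search smaller
    return None if best is None else best + IP_HDR + ICMP_HDR

def ipsec_tunnel_overhead(inner_len, iv=16, block=16, icv=16, nat_t=True):
    """Bytes ESP tunnel mode over IPv4 adds to an inner packet of `inner_len`.
    Assumed defaults: AES-CBC (16-byte IV/block), 16-byte ICV, NAT-T UDP wrapper."""
    pad = (-(inner_len + 2)) % block        # pad so data + 2-byte trailer fills a block
    return IP_HDR + (UDP_HDR if nat_t else 0) + 8 + iv + pad + 2 + icv

def radius_fits(path_mtu, radius_len, **esp):
    """True if one RADIUS/UDP datagram crosses the tunnel without fragmentation."""
    inner = IP_HDR + UDP_HDR + radius_len   # inner IPv4 + UDP + RADIUS packet
    return inner + ipsec_tunnel_overhead(inner, **esp) <= path_mtu

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder peer
    mtu = find_path_mtu(make_ping_probe(host))
    print("path MTU:", mtu)
    if mtu:
        print("1300-byte RADIUS fits:", radius_fits(mtu, 1300))
```

Run it against the ISE-side address from the branch; if the reported MTU is well below 1500, the second check shows whether a large TEAP fragment inside RADIUS would need fragmentation.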


Cyber Elite

Hello,

While I have not had that same issue, your path seems logical to ensure it either is or is not MTU. Depending on the packets, you might have to go lower than what you have proposed.

Regards,

L3 Networker

I realized that there was an internal misconfiguration error; the firewall is working as expected.
