12-03-2021 07:32 AM
I ended up opening a support case on this. The Palo engineer didn't see anything wrong with my configuration and didn't think the TCP MSS adjustment should be necessary.
I got on a support call with the vendor that we're connecting to. I asked what their MTU was set to. I'm not sure that they ever found out for sure while we were on the phone, but they suggested it was probably set to 1420. We have jumbo frames set up on our firewall, and the loopback and tunnel on our side were just using defaults with no specific MTU set. The computer on our side would have been using 1500 per defaults, but it also looks like it had Do Not Fragment set.
They seemed to think our firewall was still fragmenting and/or dropping despite the Do Not Fragment flag but Palo saw no evidence of those things occurring on the stats.
I ended up just lowering the tunnel MTU on our side down to 1400 which seems to have resolved the issue. To be fair, we've used this setting on several other site-to-sites and I'm not sure why I didn't set it here except possibly on those other tunnels we got instructions on what to set everything at as part of the vendor setup. Several of us remember them saying 1500 should be fine so who knows.
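The following is an added illustration of the failure mode the post describes, not code from the thread or from Palo Alto Networks. It is a toy model: a DF-bit TCP packet walks through the local tunnel interface (whose MTU is checked against the inner packet before encapsulation, as tunnel interfaces normally do) and then into a far side that is treated as a black box. The far-side size limit, and whether it answers with ICMP Fragmentation Needed or drops silently, are assumptions standing in for whatever the vendor's 1420-byte setting actually did. The model shows why lowering the local tunnel MTU fixes a black hole even when the far side never sends ICMP, and what MSS value a clamp would need so that no ICMP is required at all.

```python
"""Toy model of DF-bit TCP traffic entering an IPsec tunnel.

Added illustration for this thread; not PAN-OS code.  The far-side limit and
its drop/ICMP behaviour are assumptions, not something the post establishes.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
HOST_MTU = 1500  # default host interface MTU mentioned in the post


@dataclass
class Hop:
    """What happened to one packet at one point in the path."""
    where: str
    action: str        # "forwarded", "icmp-frag-needed", "dropped", "delivered"
    size: int
    mtu_hint: int = 0  # MTU advertised in an ICMP Fragmentation Needed reply


def send_df_segment(inner_len: int, local_tunnel_mtu: int,
                    far_side_limit: int, far_side_sends_icmp: bool) -> list[Hop]:
    """Walk one DF-bit packet: local tunnel interface -> far side (black box).

    local_tunnel_mtu is applied to the inner packet before encapsulation.
    The far side drops anything over far_side_limit; whether it returns
    ICMP is an assumption passed in by the caller.
    """
    trace: list[Hop] = []
    if inner_len > local_tunnel_mtu:
        # DF is set, so the local device will not fragment; it tells the
        # host directly how big the packet may be.
        trace.append(Hop("local tunnel", "icmp-frag-needed", inner_len, local_tunnel_mtu))
        return trace
    trace.append(Hop("local tunnel", "forwarded", inner_len))
    if inner_len > far_side_limit:
        if far_side_sends_icmp:
            trace.append(Hop("far side", "icmp-frag-needed", inner_len, far_side_limit))
        else:
            trace.append(Hop("far side", "dropped", inner_len))  # silent black hole
        return trace
    trace.append(Hop("far side", "delivered", inner_len))
    return trace


def pmtud(initial_len: int, local_tunnel_mtu: int, far_side_limit: int,
          far_side_sends_icmp: bool, max_rounds: int = 5) -> tuple[str, int, int]:
    """Host-side Path MTU Discovery: shrink to the advertised MTU and retry
    until the segment is delivered or vanishes.  Returns (outcome, size, rounds)."""
    size = initial_len
    for rounds in range(1, max_rounds + 1):
        last = send_df_segment(size, local_tunnel_mtu, far_side_limit, far_side_sends_icmp)[-1]
        if last.action == "delivered":
            return "delivered", size, rounds
        if last.action == "dropped":
            # No ICMP ever reaches the host: the classic PMTUD black hole.
            return "black-holed", size, rounds
        size = last.mtu_hint  # an ICMP reply told us the MTU; retry smaller
    return "gave-up", size, max_rounds


def mss_clamp_for(tunnel_mtu: int) -> int:
    """TCP MSS to advertise so a full segment fits the tunnel's inner MTU
    without depending on ICMP at all (IPv4, no IP or TCP options)."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # Scenario 1: tunnel left at defaults, far side (assumed 1420) drops silently.
    print("default tunnel MTU:", pmtud(HOST_MTU, 1500, 1420, far_side_sends_icmp=False))
    # Scenario 2: local tunnel MTU lowered to 1400, as the poster did.
    print("tunnel MTU 1400:  ", pmtud(HOST_MTU, 1400, 1420, far_side_sends_icmp=False))
    # Alternative: clamp MSS so hosts never send a segment that needs PMTUD.
    print("MSS clamp for 1400:", mss_clamp_for(1400))
```

In scenario 1 the 1500-byte DF packet passes the local tunnel check, is dropped by the far side, and the host never learns why: the black hole the post describes, which also explains why the local firewall's statistics would show no fragmentation or drops of its own. In scenario 2 the local device rejects the 1500-byte inner packet itself and answers with ICMP carrying MTU 1400, so the host's PMTUD converges in one retry. The MSS clamp is the belt-and-braces alternative: with MSS 1360 on a 1400-byte tunnel, TCP never emits a segment that needs ICMP in the first place.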