Denying ICMP type 3 code 4 traffic - good or bad?

Try setting crypto ipsec df-bit clear-df outside. This won't fix the direct issue here, but may work around it.

As far as the immediate issue - it seems like the ASA isn't realizing that the ICMP packet needs to be used as Path MTU discovery for its tunnel. Check if there's anything in the PMTUD counters displayed by show crypto ipsec sa?


ICMP type 3 code 4 messages are "fragmentation needed but don't fragment set". This means your device sent a packet larger than the MTU of the device sending the ICMP message to you. Normally, the packet could be fragmented, but the DF bit was set. Since you're denying the inbound ICMP message, the ASA doesn't get notified that its packet wasn't delivered. Dropping these ICMP messages is generally bad for performance because it essentially results in packet loss.

Cisco's ASA configuration guide recommends always permitting ICMP type 3 messages, and it specifically mentions that problems can arise with IPsec if these messages are blocked. You can configure the ASA reporting this error to allow them with the following command:

icmp permit any unreachable outside

This only affects ICMP unreachables destined for the ASA itself. If you also need to permit them through the ASA to internal hosts, you'll need to do so with an access-list on your outside interface.
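Putting the two answers together, here is what the full set of ASA commands looks like as an added example (not configuration from either poster). The ACL name `outside_in` is an assumption; substitute the name of whatever access-list is already bound to your outside interface, since an ASA allows only one inbound ACL per interface and a second `access-group` would replace it:

```text
! --- Added example, not from the original thread; ACL name is assumed ---

! 1. Let the ASA itself receive ICMP unreachables (incl. type 3 code 4)
!    arriving on the outside interface, so its own IPsec tunnel can learn
!    the path MTU. This is the command from the answer above.
icmp permit any unreachable outside

! 2. Let unreachables through the ASA to inside hosts. The "icmp" command
!    above does NOT do this; it needs an entry in the interface ACL.
!    "unreachable" is the ASA keyword for ICMP type 3 (all codes).
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside

! 3. Workaround from the first answer: clear the DF bit on packets the ASA
!    encrypts on this interface, so downstream routers may fragment them
!    even if the unreachables are still being lost somewhere.
crypto ipsec df-bit clear-df outside

! 4. Verify: the per-SA output includes PMTU information for the tunnel.
show crypto ipsec sa
```

The `access-list` line is appended to the end of the existing ACL, so make sure no earlier `deny icmp` entry shadows it; `show access-list outside_in` displays the hit counts per line, which is the quickest way to confirm the unreachables are actually matching the new entry.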