Hi @Antonio_Rodrigu 

read this SK:

MTU and Fragmentation Issues in IPsec VPN 

I really apreciate your help, the SK you refer describes exactly the behavior, I dont know if the sim_ipsec vars apply though the behavior is after encapsulation by other equipments, and supose the traffic enter to the checkpoint clear.

MSS clamping is a mechanism that is a cure to the issue, pMTUd is just a medicine.
The 2 mechanisms differ by solving the problem upfront (MSS clamping) or hoping to solve the issue afterwards when it occurs.

MSS clamping works by changing the actual payload of a packet from 1460 (default value) to a value that you set, it does this by changing the MSS value in the SYN and SYN-ACK packets of each session started fitting the clamping criteria (Interface/VPN).

With path MTU discovery a ICMP packet is returned when a packet hits the device that has to do fragmentation, problem here is that there are 2 things that are missing in most environments:
a rule that will allow that ICMP packet code 4 type 3 to pass
Load balancers are still unable to deliver those packets to the correct server.

MSS Clamping on Cisco routers is done by using IP tcp adjust-mss 1400 (example number) on the correct interface.
To find the right value use the small frre tool called tcpoptimizer and look for largest possible MTU which requires you to give it the correct IP of the server you try to reach.
The outcome needs to be taken down by 40 (20 IP header, 20 TCP header), so when it shows a MTU of 1436 you need to set the MSS value to 1396.
see https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.h...