it's Cisco VPN client behind my ASA that needs to connect to the LAN behind Cisco 851 router with EasyVPN server on it. This 851 router is connected to the Internet with PPPoE. I manage to establish vpn client successfully with tens of other easy vpn servers (not connected with pppoe), but this one. On the other side, I can establish connection with this pppoe vpn server if the client is behind Linksys broadband router with pppoe connection... So, I believe it has to be MTU issue. Since it's about udp connection I don't see how mss would help. Inspecting traffic with wireshark I noticed the following: sending ping (with df set) packets exceeding MTU value of outside ASA interface forces ASA to send unreachables, but it sends maybe one or two unreachable packets per minute. Maybe vpn client connection time out interval is too short, so it don't see unreachables and cannot perform pmtud.