VPN fragmented IP packets being dropped by the Big-IP, because of 'tm.minipfragsize > default=552' (K52103592) TCPDump showed the ip packets arriving on the client-side and never being forwarded on ...
One advantage of BIG-IP's full-proxy architecture is that you can have it adjust the TCP MSS on the server-side of the flow so that a connection initiated from outside can have a different effective packet size. You can do this inside the TCP profile using "Proxy Maximum Segment" and "Max Segment Size". If you want to try it, make a new TCP profile with those options and apply it to a new more specific L4 virtual server to catch and forward the VPN traffic.
This would work when the SERVER is sending a lot of data to the client, but not if the CLIENT is sending a lot of data to the server, because the MSS info comes from the client's side of the connection (in our full-proxy case there are 2 "client sides", one is big-ip and one is the client).
Of course this isn't helpful for UDP or other traffic, but for TCP it should prevent these little fragments from the server.
Thanks for the suggestion. In my case it's UDP/1812 being affected when the end-users sends TLS EAP response containing its Certificate, key exchange etc.. TCP-MSS wont help in that case.