I'd add one sentence about Fred's observation too:

In addition, spoofed ICMP messages can also affect the correct operation of PMTUD.

That'd do it...

Joe

On 2/7/2017 12:32 PM, otroan@xxxxxxxxxxxxx wrote:
> Joe,
>
> Thanks!
>
>> I appreciate that you want to not point at PLPMTUD because it's not
>> widely supported, but **for the same reason** this doc should not hold
>> up this solution without pointing out very clearly that it basically
>> isn't going to be work.
> Would something like this help?
> (borrowed from https://en.wikipedia.org/wiki/Path_MTU_Discovery)
>
> "Many network security devices block all ICMP messages for perceived
> security benefits, including the errors that are necessary for the proper
> operation of PMTUD. This can result in connections that complete the
> TCP three-way handshake correctly, but then hang when data is transferred.
> This state is referred to as a black hole connection."
>
>
> Best regards,
> Ole