On Sat, 12 Feb 2005 09:14:51 -0500, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> On Sat, 2005-02-12 at 09:08, Jason Opperisano wrote:
> keep in mind that "--clamp-mss-to-pmtu" relies on the fact that PMTU
> discovery works along the path of your communication--this is not always
> a valid assumption these days.

Hmmmkay, but then why does it also not work when I manually set the mss,
even to silly low settings like 500?

iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

Perhaps I'm looking in a totally wrong direction to find the cause?

When I reduce the mtu of the masqueraded host (on the local network) to
the mtu of the ppp connection, all problems disappear. (and no, that's no
real solution ;)

> tcpdump -n -nn -p -i $EXTIF \
> 'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 4'

This does not match a single packet while testing the login.

I've done a tcpdump (-s0 -w), it's available at
http://et.yi.org/hotmail.dump

Ethereal claims "unassembled packet" several times, but that may or may
not have anything to do with this problem, it doesn't seem uncommon with
ssl data.

Friendly greetings,
Joris