Hi,

> What *exactly* are the "MTU problems on the link" that you have when you
> don't get this right? Are they on CSTP or DTLS packets, or both? In
> which direction? And what happens to the offending packets? Is the
> server sending DTLS packets with the DF bit set?

I saw this issue specifically with IPv6 transport, so we always have the DF bit set. I did not do much further debugging. The problem is that the tunnel is configured with MTU 1406, but 1406 bytes don't really get across. At least not from server to the client; the other direction seems to work well. I guess the client stack is perfectly fine with pMTU discovery and having to fragment it. I will debug this further.

> Or is your problem *internal*, and the problem is actually that the MTU
> of the VPN becomes smaller with openconnect. And you have *internal*
> firewalls that block ICMP and break your network?

No, pMTU discovery would work fine if the tunnel was capable of the packet size it is advertising.

Best Regards,
Bernhard