On Sat, 30 Jan 2016 15:49:19 +0000
David Woodhouse <dwmw2 at infradead.org> wrote:

> On Fri, 2016-01-29 at 17:37 +0100, Johannes Brechtmann wrote:
> > Yes, but didn't notice because of the lack of IPv6 capable servers
> > inside the network I connect to.
> > I guess this is a problem with my IPv6 uplink.
>
> My first guess would be some muppet sysadmin who thinks it's clever to
> firewall ICMP.
>
> When the SSH or web server on the VPN sends its first large packet,
> it's probably going to be too large to fit into the VPN tunnel. So the
> VPN server sends an ICMP 'too big' back... which is eaten by the idiot
> sysadmin. So it's treated just like a lost packet and resent. And
> still doesn't fit.
>
> Normally, the MSS given in the TCP negotiation would prevent that -
> your client will *ask* the SSH or web server not to send packets
> larger than the VPN can handle. That works when the client is the one
> connected to the VPN and *knows* the MTU on that route, but it falls
> down usually when you're routing and the actual client thinks it has a
> full MTU on that route.
>
> Are there any internal boxes on which you can reproduce this problem
> and also run tcpdump to capture the traffic? Can you reproduce it and
> capture *both* sides simultaneously, and compare?
>

I finally got time to have a closer look at the issue.
The problem was a 6in4 tunnel on my route to the VPN server with an MTU
of 1280. Setting this tunnel to a more sensible value fixed it for me.

Thank you for the help and patience.
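
The two-sided capture comparison suggested in the quoted reply, sketched as an added example that is not part of the original thread. The record format, function names and sample captures are assumptions made for illustration; the 1280-byte path MTU is the value reported above, and the MSS arithmetic assumes IPv6 with no TCP options.

```python
# Added example: spot a path-MTU black hole by comparing captures from both ends.
# Record format and sample data are constructed, not taken from the thread.
from collections import Counter

IPV6_HDR, TCP_HDR = 40, 20  # fixed IPv6 header; TCP header without options

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv6 packet on a link with this MTU."""
    return mtu - IPV6_HDR - TCP_HDR

def diagnose(sender_cap, receiver_cap, path_mtu):
    """Compare one TCP flow as seen at the sender and at the receiver.

    Records: {"kind": "tcp", "seq": int, "len": payload_bytes}
          or {"kind": "icmp6", "type": int}   (type 2 = Packet Too Big)
    """
    tcp_sent = [p for p in sender_cap if p["kind"] == "tcp"]
    arrived = {p["seq"] for p in receiver_cap if p["kind"] == "tcp"}
    times_sent = Counter(p["seq"] for p in tcp_sent)
    size = {p["seq"]: p["len"] for p in tcp_sent}
    limit = mss_for_mtu(path_mtu)
    # Retransmitted, never delivered, and larger than the path can carry.
    stuck = sorted(s for s, n in times_sent.items()
                   if n > 1 and s not in arrived and size[s] > limit)
    ptb_seen = any(p["kind"] == "icmp6" and p["type"] == 2 for p in sender_cap)
    if stuck and not ptb_seen:
        verdict = "pmtu-blackhole"        # no ICMPv6 feedback ever reached the sender
    elif stuck:
        verdict = "ptb-received-but-ignored"
    else:
        verdict = "ok"
    return {"verdict": verdict, "stuck_seqs": stuck, "max_payload": limit}

# Constructed sender-side capture: a small segment, then a full-size one
# (MSS 1440 for a 1500-byte MTU) that is resent twice.
SENDER_CAP = [
    {"kind": "tcp", "seq": 1, "len": 100},
    {"kind": "tcp", "seq": 101, "len": 1440},
    {"kind": "tcp", "seq": 101, "len": 1440},
    {"kind": "tcp", "seq": 101, "len": 1440},
]
# Constructed receiver-side capture: only the small segment ever arrives.
RECEIVER_CAP = [{"kind": "tcp", "seq": 1, "len": 100}]

if __name__ == "__main__":
    print(diagnose(SENDER_CAP, RECEIVER_CAP, path_mtu=1280))
```
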