On Fri, 2016-01-29 at 17:37 +0100, Johannes Brechtmann wrote:
> Yes, but didn't notice because of the lack of IPv6 capable servers
> inside the network I connect to.
> I guess this is a problem with my IPv6 uplink.

My first guess would be some muppet sysadmin who thinks it's clever to firewall ICMP.

When the SSH or web server on the VPN sends its first large packet, it's probably going to be too large to fit into the VPN tunnel. So the VPN server sends an ICMP 'too big' back... which is eaten by the idiot sysadmin. So it's treated just like a lost packet and resent. And still doesn't fit.

Normally, the MSS given in the TCP negotiation would prevent that - your client will *ask* the SSH or web server not to send packets larger than the VPN can handle. That works when the client is the one connected to the VPN and *knows* the MTU on that route, but it falls down usually when you're routing and the actual client thinks it has a full MTU on that route.

Are there any internal boxes on which you can reproduce this problem and also run tcpdump to capture the traffic? Can you reproduce it and capture *both* sides simultaneously, and compare?

-- 
dwmw2
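
A sketch of the "capture both sides and compare" check suggested in the message above, as an added example that is not part of the original e-mail. The record schema, the function name and the sample packets are constructed assumptions, not tcpdump output.

```python
from collections import Counter

def find_pmtu_blackhole(server_cap, client_cap):
    """Compare captures of one TCP flow taken at the sender and the receiver.

    Records use a hypothetical schema (assumed to be extracted from the two
    captures beforehand): {"kind": "tcp", "seq": int, "size": int} for data
    segments, {"kind": "icmp_too_big"} for ICMP 'too big' errors.
    """
    sent = Counter((p["seq"], p["size"]) for p in server_cap if p["kind"] == "tcp")
    arrived = {(p["seq"], p["size"]) for p in client_cap if p["kind"] == "tcp"}
    too_big_seen = any(p["kind"] == "icmp_too_big" for p in server_cap)

    # Segments retransmitted by the sender that never show up at the receiver.
    stuck = sorted(k for k, n in sent.items() if n > 1 and k not in arrived)
    if not stuck:
        return {"verdict": "ok", "stuck": []}

    largest_delivered = max((size for _, size in arrived), default=0)
    smallest_stuck = min(size for _, size in stuck)
    # Black hole signature: only big packets vanish, and the sender never
    # receives the ICMP error that would tell it to shrink them.
    if smallest_stuck > largest_delivered and not too_big_seen:
        verdict = "pmtu_blackhole"
    else:
        verdict = "other_loss"
    return {"verdict": verdict, "stuck": stuck,
            "largest_delivered": largest_delivered}

# Constructed sample: a small segment gets through, a 1500-byte one is resent
# three times and never arrives; no ICMP error reaches the sender.
SERVER_CAP = [
    {"kind": "tcp", "seq": 1, "size": 120},
    {"kind": "tcp", "seq": 81, "size": 1500},
    {"kind": "tcp", "seq": 81, "size": 1500},
    {"kind": "tcp", "seq": 81, "size": 1500},
]
CLIENT_CAP = [{"kind": "tcp", "seq": 1, "size": 120}]

if __name__ == "__main__":
    print(find_pmtu_blackhole(SERVER_CAP, CLIENT_CAP))
```

A "pmtu_blackhole" verdict points at filtered ICMP on the path; "other_loss" means the drops do not correlate with packet size or the sender did receive the ICMP error.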