Grading Checklist

A good response must include:

  • Identifies the root cause as an MTU black hole: packets exceeding the path MTU are silently dropped
  • Explains that PMTUD relies on ICMP "Fragmentation Needed" messages and these are being blocked
  • Uses ping -s or ping -M do -s <size> to empirically determine the maximum working packet size
  • Examines tcpdump output and correctly identifies TCP retransmissions occurring at the segment size that exceeds the tunnel MTU
  • Checks iptables rules on intermediate firewalls for ICMP blocking rules
  • Calculates the effective MTU considering tunnel overhead (e.g., 1500 - 50 for IPsec = 1450)
  • Proposes fixing the ICMP blocking as the proper long-term solution
  • Proposes TCP MSS clamping (iptables -t mangle ... --set-mss) as an alternative or complementary fix
  • Mentions lowering the interface MTU as a workaround
  • Explains why small requests work (below MTU threshold) while large requests fail
  • Explains why TLS is particularly affected (certificate exchange involves large packets early in the connection)
  • Does NOT suggest disabling the firewall entirely as a solution
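The tcpdump and MTU arithmetic items above, as an added worked example that is not part of the original checklist: it spots the black-hole signature (a segment re-sent unchanged while smaller ones are acknowledged) in constructed tcpdump lines and derives the effective MTU and MSS clamp value. It assumes the checklist's 50-byte IPsec overhead on a 1500-byte link and IPv4/TCP headers without options.

```python
"""Spot the MTU black-hole signature in tcpdump output and size the MSS clamp."""
import re
from collections import Counter

# Constructed sample tcpdump lines (illustrative, not captured from a real host).
# The 1380-byte segment is acknowledged; the 1460-byte segment is re-sent with
# the same sequence range and growing backoff, the classic black-hole pattern.
SAMPLE_TCPDUMP = """\
10:00:01.000 IP 10.0.0.2.443 > 10.0.0.1.51234: Flags [P.], seq 1:1381, ack 518, win 501, length 1380
10:00:01.001 IP 10.0.0.2.443 > 10.0.0.1.51234: Flags [.], seq 1381:2841, ack 518, win 501, length 1460
10:00:01.002 IP 10.0.0.1.51234 > 10.0.0.2.443: Flags [.], ack 1381, win 1000, length 0
10:00:01.210 IP 10.0.0.2.443 > 10.0.0.1.51234: Flags [.], seq 1381:2841, ack 518, win 501, length 1460
10:00:01.630 IP 10.0.0.2.443 > 10.0.0.1.51234: Flags [.], seq 1381:2841, ack 518, win 501, length 1460
10:00:02.470 IP 10.0.0.2.443 > 10.0.0.1.51234: Flags [.], seq 1381:2841, ack 518, win 501, length 1460
"""
SEG_RE = re.compile(r"IP (\S+) > (\S+): Flags \[[^\]]*\], seq (\d+):(\d+), .*length (\d+)")
IP_HDR, TCP_HDR = 20, 20  # assumed IPv4 and TCP header sizes without options


def segments(dump):
    """Yield (src, dst, seq_start, seq_end, payload_len) for data-carrying segments."""
    for line in dump.splitlines():
        m = SEG_RE.search(line)
        if m:
            src, dst, s, e, n = m.groups()
            yield src, dst, int(s), int(e), int(n)


def black_hole_signature(dump):
    """Return (largest payload sent once, smallest payload re-sent unchanged)."""
    length, seen = {}, Counter()
    for src, dst, s, e, n in segments(dump):
        length.setdefault((src, dst, s, e), n)
        seen[(src, dst, s, e)] += 1
    delivered = [n for k, n in length.items() if seen[k] == 1]
    resent = [n for k, n in length.items() if seen[k] > 1]
    return max(delivered, default=0), min(resent, default=None)


def diagnose(dump, link_mtu=1500, tunnel_overhead=50):
    """Check the capture against the expected tunnel MTU and derive the MSS clamp."""
    ok, bad = black_hole_signature(dump)
    mtu = link_mtu - tunnel_overhead            # e.g. 1500 - 50 for IPsec = 1450
    mss = mtu - IP_HDR - TCP_HDR                # value to pass to --set-mss
    # Delivered packets fit the tunnel MTU and re-sent ones do not: black-hole signature.
    fits = bad is not None and ok + IP_HDR + TCP_HDR <= mtu < bad + IP_HDR + TCP_HDR
    return {"largest_delivered": ok, "smallest_retransmitted": bad,
            "effective_mtu": mtu, "mss_clamp": mss, "black_hole": fits}
```

On the sample, `diagnose(SAMPLE_TCPDUMP)` reports 1380-byte payloads getting through, 1460-byte payloads being re-sent, an effective MTU of 1450 and an MSS clamp of 1410.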