Questions to Determine

  • What is the configured MTU on the client interface, server interface, and any intermediate tunnel interfaces?
  • Is Path MTU Discovery (PMTUD) functioning correctly end-to-end?
  • Are ICMP "Fragmentation Needed" (Type 3, Code 4) messages being delivered or blocked by any intermediate firewall?
  • At what packet size does connectivity fail? Does ping -s with varying sizes reveal a threshold?
  • What does a tcpdump capture show at the point of failure -- are TCP retransmits occurring at a specific segment size?
  • Is the DF (Don't Fragment) bit set on outgoing packets?
  • Are there any iptables or firewall rules on intermediate devices that drop ICMP traffic?
  • What is the tunnel encapsulation overhead (e.g., IPsec/GRE adding 50-80 bytes)?
  • Does setting a lower MTU on the client or server interface resolve the issue?
  • Is TCP MSS clamping configured on the tunnel endpoints?
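
The packet-size threshold question can be answered by a binary search over ping payload sizes with DF set, which also yields the MSS value to clamp to. This is an added example, not part of the original checklist; it assumes IPv4 and Linux iputils ping (-M do, -s, -c, -W), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest ICMP echo payload that crosses the path with
# DF set, then derive the path MTU and a matching TCP MSS.
# Assumption: Linux iputils ping; "-M do" sets DF and forbids local fragmentation.

# probe SIZE HOST: succeeds only if an echo with SIZE payload bytes is answered.
# A failure is either an explicit "Frag needed" / "message too long" error or a
# silent timeout; a silent timeout at large sizes only suggests that
# ICMP Type 3 Code 4 is being dropped somewhere on the path.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]: print the largest payload that works.
# Returns 1 if even LOW fails (host down or echo filtered: the result would be
# meaningless, so no number is printed).
find_max_payload() {
    host=$1
    lo=${2:-56}      # iputils default payload size
    hi=${3:-1472}    # 1500-byte Ethernet MTU - 20 (IPv4) - 8 (ICMP)
    probe "$lo" "$host" || return 1
    if probe "$hi" "$host"; then
        echo "$hi"
        return 0
    fi
    # Invariant: payload lo gets through, payload hi does not.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# path_mtu_from_payload PAYLOAD: add the IPv4 (20) and ICMP (8) headers back.
path_mtu_from_payload() { echo $(( $1 + 28 )); }

# mss_for_mtu MTU: largest TCP segment that fits, assuming 20-byte IPv4 and
# 20-byte TCP headers (no options).
mss_for_mtu() { echo $(( $1 - 40 )); }

# Usage (server.example is a placeholder host):
#   p=$(find_max_payload server.example) && mtu=$(path_mtu_from_payload "$p") &&
#       echo "path MTU $mtu, clamp MSS to $(mss_for_mtu "$mtu")"
```

Run it from both the client and the server side, since the limiting hop and any ICMP filtering can differ per direction.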