Solution: MTU Black Hole / TLS Stalls
Summary
TLS connections stall because the path MTU through the VPN tunnel is lower than the endpoints' 1500-byte interface MTU, and an intermediate firewall drops the ICMP type 3 code 4 "Fragmentation Needed" messages that would tell the sender to use smaller packets. Path MTU Discovery therefore never completes: full-size segments sent with DF set are silently discarded (a PMTU black hole), while small packets and the TCP handshake itself go through.
Senior Workflow
Step 1: Confirm the symptom pattern
# Baseline: default-size pings (56-byte payload, 84 bytes on the wire) should succeed
ping -c 4 10.20.30.50
# Probe with the DF bit set (-M do) and increasing payload sizes.
# On-wire size = payload + 28 (20-byte IPv4 header + 8-byte ICMP header).
ping -M do -s 1400 -c 2 10.20.30.50   # 1428 bytes: likely works
ping -M do -s 1450 -c 2 10.20.30.50   # 1478 bytes: likely fails behind an IPsec tunnel (path MTU ~1438-1450)
ping -M do -s 1472 -c 2 10.20.30.50   # 1500 bytes: fails whenever the path MTU is below the interface MTU
ping -M do -s 1425 -c 2 10.20.30.50   # bisect between the largest success and smallest failure to find the exact threshold
# A healthy path answers an oversized DF probe with "Frag needed and DF set (mtu = N)";
# a black hole shows 100% packet loss with no error at all. "Local error: message too long"
# means the probe exceeded the local interface MTU and never left the host.
Step 2: Capture traffic at the failure point
Look for: the three-way handshake completing (SYN and SYN-ACK are small), a few small segments flowing, then the first full-MSS data segment (typically the server's Certificate flight) being retransmitted repeatedly with no ACK, and the connection finally timing out. No ICMP type 3 code 4 (Fragmentation Needed) message arrives to report the smaller MTU. Capture on both the endpoint and the tunnel gateway: if the ICMP is present at the gateway but missing at the endpoint, the filter sits between them.
Step 3: Identify the MTU constraint
Calculate the effective MTU from the encapsulation overhead: for IPsec ESP in tunnel mode the overhead is roughly 50-62 bytes (outer IP header, ESP header and IV, padding and trailer, integrity check value; the exact figure depends on the cipher and on whether UDP encapsulation for NAT-T is in use), so effective MTU = 1500 - overhead = ~1438-1450. This figure should match the threshold found by the DF probes in Step 1; if it does not, there is a second constraint on the path.
Step 4: Find the ICMP block
Inspect the firewalls between the endpoints, and the tunnel gateway's own filter rules, for rules dropping all ICMP or all of type 3 (Destination Unreachable), which includes code 4 (Fragmentation Needed). For IPv6 the equivalent message is ICMPv6 type 2 (Packet Too Big). Also check rate limits and stateful rules that only admit ICMP "related" to a tracked connection: the Fragmentation Needed message originates from a router in the middle, not from the peer.
Step 5: Apply the fix
Option A -- Correct fix: Allow ICMP Fragmentation Needed
# Remove the overly broad ICMP deny rule and replace it with a targeted accept.
# -I inserts at the top of the chain so no other drop rule ahead of it can shadow the accept;
# if other ICMP must still be dropped, re-add a narrower drop after this rule.
iptables -D FORWARD -p icmp -j DROP
iptables -I FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
# For IPv6 the equivalent is ICMPv6 type 2 "Packet Too Big"; filtering it breaks PMTUD in the same way.
Option B -- TCP MSS clamping (belt-and-suspenders): rewrite the MSS option in SYN segments on the tunnel gateway so that neither endpoint ever sends a segment larger than the path can carry. This works even when ICMP is filtered somewhere you do not control, but only TCP benefits; UDP traffic still depends on PMTUD.
Option C -- Lower the interface MTU (workaround): set the tunnel (or host) interface MTU to the measured path MTU so nothing larger is ever generated. This sidesteps PMTUD for this hop only, must be applied on both ends, and does not help if the path changes later.
Step 6: Verify the fix
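The whole workflow as one script, added here as an example rather than taken from the original page: it binary-searches the path MTU with DF-set pings (Step 1), derives the MSS to clamp from it (Option B), prints the firewall changes for Options A and B, and verifies with a timed TLS handshake (Step 6). It assumes Linux iputils ping (`-M do` sets DF), iptables/ip6tables and openssl; the host 10.20.30.50 and port 443 are placeholders. The `PING` variable is an assumption of this example: it lets a simulated probe function stand in for real pings when testing offline.

```shell
#!/bin/sh
# Added example: end-to-end PMTU black-hole workflow (not from the original page).
# Assumes Linux iputils ping (-M do = set DF), iptables/ip6tables and openssl.
set -u

# Command used for probes. Overridable so a simulated path can stand in offline:
#   PING=my_fake_ping_function find_pmtu 10.20.30.50
PING="${PING:-ping}"

# Returns 0 if one ICMP echo with DF set and the given payload size gets through.
# On-wire size is payload + 28 (20-byte IPv4 header + 8-byte ICMP header).
df_ping_ok() {
    "$PING" -M do -s "$2" -c 1 -W 1 "$1" >/dev/null 2>&1
}

# Binary-search the largest DF payload that passes between lo and hi, then print
# the path MTU (payload + 28). lo defaults to 548 (576-byte IPv4 minimum), hi to
# 1472 (a 1500-byte frame), so a result of 1500 means "no constraint found".
find_pmtu() {
    host="$1"; lo="${2:-548}"; hi="${3:-1472}"
    if ! df_ping_ok "$host" "$lo"; then
        echo "probe of $lo bytes failed: host down or all ICMP filtered" >&2
        return 1
    fi
    # Invariant: a payload of lo passes. Stop when lo == hi.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if df_ping_ok "$host" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo $((lo + 28))
}

# TCP MSS that fits an IPv4 path MTU: subtract 20 (IP) + 20 (TCP, no options).
mss_for_mtu() { echo $(( $1 - 40 )); }

# Option A: admit ICMP Fragmentation Needed (v4) and Packet Too Big (v6) on the
# forwarding path. -I inserts at the top so an existing broad ICMP drop further
# down cannot shadow the accept. Printed, not executed; pipe to sh when ready.
option_a_rules() {
    echo "iptables -I FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    echo "ip6tables -I FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT"
}

# Option B: clamp the MSS on SYNs crossing the gateway so TCP never emits a
# segment larger than the measured path carries, whether or not ICMP arrives.
# (--clamp-mss-to-pmtu instead of --set-mss would derive it from the outgoing
# interface MTU; pinning the measured value is more predictable through a VPN.)
option_b_rules() {
    mss=$(mss_for_mtu "$1")
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Step 6: a TLS handshake that must finish within the timeout. The server's
# Certificate flight is the first full-size segment, so it is the right probe.
verify_tls() {
    timeout 10 openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null >/dev/null 2>&1
}

# Usage: ./pmtu-check.sh 10.20.30.50
if [ $# -ge 1 ]; then
    pmtu=$(find_pmtu "$1") || exit 1
    echo "path MTU: $pmtu, clamp MSS to $(mss_for_mtu "$pmtu")"
    option_a_rules
    option_b_rules "$pmtu"
    verify_tls "$1" && echo "TLS handshake OK" || echo "TLS handshake still stalls"
fi
```

Run it before and after the firewall change: a path MTU of 1500 with a failing `verify_tls` points away from MTU entirely, while a path MTU in the 1438-1450 range plus a stalled handshake is the black-hole signature. The rules are printed rather than applied so they can be reviewed against the gateway's existing chain order first.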
Common Pitfalls
- Blocking all ICMP for "security": This is a widespread antipattern. ICMP type 3 code 4 (and ICMPv6 type 2, Packet Too Big) is essential for PMTUD. Never blanket-block ICMP; filter specific types and rate-limit instead.
- Only fixing MTU on one side: The constraint applies in both directions, so the MTU and the ICMP filtering must be checked at both endpoints and on both tunnel gateways.
- Forgetting MSS clamping: Even after fixing ICMP, MSS clamping on the gateway provides defense-in-depth against future path changes or a filter you do not control.
- Not checking tunnel overhead: Different encapsulations consume different amounts of MTU: GRE=24 (20 IP + 4 GRE header), IPsec=50-62 (cipher-dependent), VXLAN=50 (14 Ethernet + 20 IP + 8 UDP + 8 VXLAN).
- Confusing ping success with path health: Standard ping sends a 56-byte payload (84 bytes on the wire, reported as "64 bytes" of ICMP data), well below any MTU threshold, and without DF set it can be fragmented anyway.
- Testing only with HTTP: The server's Certificate message in the TLS handshake is several kilobytes, so TLS emits full-MSS segments immediately, while a small HTTP request and response may fit in segments below the path MTU and appear to work.