Robert Boyle wrote:
Either your firewall/router or the customer's firewall/router is blocking PMTUD packets..... I suspect an overzealous firewall admin is blocking all icmp.
Which you can't do anything about if the overzealous firewall admin is at the other end of the connection. My repeated, first-hand experience has been that several of the better-known web sites out there will happily send out 1500-byte packets with DF set, then ignore the DEST_UNREACH/FRAG_NEEDED icmp responses they get. If you're on the client end of this, you're sunk unless you initiate the connection specifying a lower MSS.

Linux has a nifty iptables option (clamp-mss-to-pmtu) to rewrite the MSS in TCP SYN packets when forwarding a packet onto a link with a lower MTU than the MSS in the packet. Works like a charm. If every packet forwarding device on the Internet did this, PMTUD would not be needed. As is, PMTUD is simply broken, due to widespread firewall misconfiguration. As in so many other cases of Internet misbehavior, you can avoid being part of the problem, but you can't be the solution.

Jim Shankland
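The MSS rewrite Jim describes is what the netfilter TCPMSS target does in the kernel (the rule form is `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`). The following is an added, user-space model of that rewrite, not code from the thread or from netfilter: it builds a constructed IPv4 SYN carrying an MSS of 1460, walks the TCP option list, lowers the MSS so that MSS + 20-byte IPv4 header + 20-byte TCP header fits the outgoing MTU, and recomputes the TCP checksum so the segment remains valid. The addresses, ports and the 1492-byte PPPoE-style MTU are constructed sample values; IPv6 (where the limit would be MTU minus 60) is left out for brevity.

```python
"""Added example: user-space model of TCP MSS clamping (IPv4 only)."""
import socket
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
IPPROTO_TCP = 6
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN with DF set and a single 4-byte MSS option."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4  # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + options
    csum = checksum(_tcp_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    total_len = IPV4_HDR_LEN + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,  # 0x4000 = DF
                     64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def _tcp_bounds(packet: bytes):
    """Return (tcp_start, options_start, options_end) or None if not TCP."""
    if packet[9] != IPPROTO_TCP:
        return None
    tcp_start = (packet[0] & 0x0F) * 4
    data_offset = (packet[tcp_start + 12] >> 4) * 4
    return tcp_start, tcp_start + TCP_HDR_LEN, tcp_start + data_offset


def read_mss(packet: bytes):
    """Return the MSS option value of a TCP segment, or None if absent."""
    bounds = _tcp_bounds(packet)
    if bounds is None:
        return None
    _, i, end = bounds
    while i < end:
        kind = packet[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = packet[i + 1]
        if length < 2:
            break
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", packet, i + 2)[0]
        i += length
    return None


def clamp_mss(packet: bytes, mtu: int) -> bytes:
    """Rewrite the MSS in a SYN so MSS <= mtu - 40, like TCPMSS --clamp-mss-to-pmtu."""
    bounds = _tcp_bounds(packet)
    if bounds is None:
        return packet
    tcp_start, i, end = bounds
    if not packet[tcp_start + 13] & TCP_FLAG_SYN:
        return packet  # only SYNs carry MSS; leave everything else alone
    limit = mtu - IPV4_HDR_LEN - TCP_HDR_LEN
    pkt = bytearray(packet)
    while i < end:
        kind = pkt[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2:
            break
        if kind == TCP_OPT_MSS and length == 4:
            current = struct.unpack_from("!H", pkt, i + 2)[0]
            if current > limit:
                struct.pack_into("!H", pkt, i + 2, limit)
        i += length
    # Recompute the TCP checksum over pseudo-header + segment with checksum zeroed.
    struct.pack_into("!H", pkt, tcp_start + 16, 0)
    seg = bytes(pkt[tcp_start:])
    pseudo = _tcp_pseudo_header(bytes(pkt[12:16]), bytes(pkt[16:20]), len(seg))
    struct.pack_into("!H", pkt, tcp_start + 16, checksum(pseudo + seg))
    return bytes(pkt)


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the ones'-complement sum over pseudo-header + segment verifies."""
    tcp_start = (packet[0] & 0x0F) * 4
    seg = packet[tcp_start:]
    return checksum(_tcp_pseudo_header(packet[12:16], packet[16:20], len(seg)) + seg) == 0


if __name__ == "__main__":
    syn = build_syn("10.0.0.2", "203.0.113.10", 40000, 443, 1460)
    clamped = clamp_mss(syn, 1492)  # constructed PPPoE-style link MTU
    print("MSS before: %d, after: %d, checksum ok: %s"
          % (read_mss(syn), read_mss(clamped), tcp_checksum_ok(clamped)))
```

The rewrite only touches SYN segments because that is the only place the MSS is negotiated; the data packets that would otherwise arrive oversized with DF set never get generated once both ends have agreed on the smaller value, which is why the clamp works even when the far side drops every ICMP it sees.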