Internet Protocol (IP)

# Path MTU Discovery Issues

Issues with different MTUs on a network path can be extremely hard to debug. Usually they are caused by some router in between not sending ICMP messages if a package is to big (or these messages being filtered on their way back). Typical symptoms are that you can "ping" a host and you can also establish a connection and transfer some data, but sometimes the connection stalls (e.g. a website is not loaded completely).

6

7

Luckily, if you have a Linux system somewhere in the path, there is a way to fix this problem, which I discovered in the [Linux Advanced Routing & Traffic Control HOWTO](http://lartc.org/howto/lartc.cookbook.mtu-mss.html).

8

9

You can use the following IPTables rules:

10

11

```bash

12

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv4

13

ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv6

14

```

15

16

I use `-I` instead of `-A` because this rule should be the first rule in the `FORWARD` chain, so that it is applied to all packets passing through.

17

18

If you are experiencing MTU related problems, you might also be interested in some informationen regarding the MTU setting for [6to4 tunnels](https://sebastian.marsching.com/wiki/Network/IPv6) and [OpenVPN virtual private networks](https://sebastian.marsching.com/wiki/Network/OpenVPN). You should try the fixes described there first (if applicable), because using the clamp MSS options is more of a last resort then a best practice.

19

20

## MTU and MSS Explained

21

22

If you wonder why TCP connections work sometimes, even if path MTU discovery is broken, you might be interested in a [very interesting article](http://blog.thousandeyes.com/troubleshooting-path-mtu-tcp-mss-problems/) in the [ThousandEyes](https://sebastian.marsching.com/wiki/ThousandEyes) blog. Thanks to the colleague who pointed me to this article!

23

24

# Find the MTU for a Certain Path

25

26

The MTU for a certain path can be found with ping (I found these instructions at [http://www.dslreports.com/faq/695](http://www.dslreports.com/faq/695)):

Windows:

```bat

ping -f -l 1472 <target>

```

Linux:

```bash

ping -s 1472 <target>

```

macOS:

```bash

ping -D -s 1472 <target>

44

```

45

46

Add 28 to the largest number with which the ping is successful. The resulting number is the MTU.

Wiki source code of Internet Protocol (IP)

Applications

Navigation

Tips

Need help?

version	line-number	content
1.1	1	{{toc/}}
	2
	3	# Path MTU Discovery Issues
	4
	5	Issues with different MTUs on a network path can be extremely hard to debug. Usually they are caused by some router in between not sending ICMP messages if a package is to big (or these messages being filtered on their way back). Typical symptoms are that you can "ping" a host and you can also establish a connection and transfer some data, but sometimes the connection stalls (e.g. a website is not loaded completely).
	6
	7	Luckily, if you have a Linux system somewhere in the path, there is a way to fix this problem, which I discovered in the [Linux Advanced Routing & Traffic Control HOWTO](http://lartc.org/howto/lartc.cookbook.mtu-mss.html).
	8
	9	You can use the following IPTables rules:
	10
	11	```bash
	12	iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv4
	13	ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv6
	14	```
	15
	16	I use `-I` instead of `-A` because this rule should be the first rule in the `FORWARD` chain, so that it is applied to all packets passing through.
	17
	18	If you are experiencing MTU related problems, you might also be interested in some informationen regarding the MTU setting for [6to4 tunnels](https://sebastian.marsching.com/wiki/Network/IPv6) and [OpenVPN virtual private networks](https://sebastian.marsching.com/wiki/Network/OpenVPN). You should try the fixes described there first (if applicable), because using the clamp MSS options is more of a last resort then a best practice.
	19
	20	## MTU and MSS Explained
	21
	22	If you wonder why TCP connections work sometimes, even if path MTU discovery is broken, you might be interested in a [very interesting article](http://blog.thousandeyes.com/troubleshooting-path-mtu-tcp-mss-problems/) in the [ThousandEyes](https://sebastian.marsching.com/wiki/ThousandEyes) blog. Thanks to the colleague who pointed me to this article!
	23
	24	# Find the MTU for a Certain Path
	25
	26	The MTU for a certain path can be found with ping (I found these instructions at [http://www.dslreports.com/faq/695](http://www.dslreports.com/faq/695)):
	27
	28	Windows:
	29
	30	```bat
	31	ping -f -l 1472 <target>
	32	```
	33
	34	Linux:
	35
	36	```bash
	37	ping -s 1472 <target>
	38	```
	39
	40	macOS:
	41
	42	```bash
	43	ping -D -s 1472 <target>
	44	```
	45
	46	Add 28 to the largest number with which the ping is successful. The resulting number is the MTU.