Show last authors
1 {{toc/}}
2
3 # Path MTU Discovery Issues
4
5 Issues with different MTUs on a network path can be extremely hard to debug. Usually they are caused by some router in between not sending ICMP messages if a package is to big (or these messages being filtered on their way back). Typical symptoms are that you can "ping" a host and you can also establish a connection and transfer some data, but sometimes the connection stalls (e.g. a website is not loaded completely).
6
7 Luckily, if you have a Linux system somewhere in the path, there is a way to fix this problem, which I discovered in the [Linux Advanced Routing & Traffic Control HOWTO](http://lartc.org/howto/lartc.cookbook.mtu-mss.html).
8
9 You can use the following IPTables rules:
10
11 ```bash
12 iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv4
13 ip6tables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # IPv6
14 ```
15
16 I use `-I` instead of `-A` because this rule should be the first rule in the `FORWARD` chain, so that it is applied to all packets passing through.
17
18 If you are experiencing MTU related problems, you might also be interested in some informationen regarding the MTU setting for [[6to4 tunnels|doc:Network.IP.IPv6.WebHome]] and [[OpenVPN virtual private networks|doc:Software.OpenVPN.WebHome]]. You should try the fixes described there first (if applicable), because using the clamp MSS options is more of a last resort then a best practice.
19
20 ## MTU and MSS Explained
21
22 If you wonder why TCP connections work sometimes, even if path MTU discovery is broken, you might be interested in a [very interesting article](http://blog.thousandeyes.com/troubleshooting-path-mtu-tcp-mss-problems/) in the ThousandEyes blog. Thanks to the colleague who pointed me to this article!
23
24 # Find the MTU for a Certain Path
25
26 The MTU for a certain path can be found with ping (I found these instructions at [http://www.dslreports.com/faq/695](http://www.dslreports.com/faq/695)):
27
28 Windows:
29
30 ```bat
31 ping -f -l 1472 <target>
32 ```
33
34 Linux:
35
36 ```bash
37 ping -s 1472 <target>
38 ```
39
40 macOS:
41
42 ```bash
43 ping -D -s 1472 <target>
44 ```
45
46 Add 28 to the largest number with which the ping is successful. The resulting number is the MTU.

Need help?

If you need help with XWiki you can contact: