ocserv: website and mtu problems

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 30 05:29:56 EDT 2013

On 09/30/2013 11:21 AM, Yin Guanhao wrote:
> On 2013-09-30 16:50, Nikos Mavrogiannopoulos wrote:
>> Thanks. That could be the issue. Could you try this patch? I'm not
>> sure about the 9 bytes larger though. Could it be 8 bytes instead?
>> I cannot think what this extra byte is for.
> With this patch the MTU on the client side is 1 byte larger (1215
> vs. 1214).
> Log of ocserv:
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 peer CSTP MTU is 1280
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 TCP MSS is 1427
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 DTLS ciphersuite: AES128-SHA
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting DTLS MTU 1214
> ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting CSTP MTU 1215

Ok, that makes sense. It seems that openconnect uses the last MTU
suggested and in that case it is the CSTP (TCP) MTU for the tun device.
The DTLS MTU is ignored. I'll make ocserv return a single MTU value
for both CSTP and DTLS to avoid such issues.
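The mismatch discussed above (ocserv suggesting a CSTP MTU one byte larger than the DTLS MTU, and the client applying the last suggestion) can be caught by checking the server log for a session. The following is an added example, not code from ocserv or openconnect: it parses the ocserv log lines quoted in this thread (embedded as a constructed sample, with the masked peer address kept as in the quote) and reports when the suggested CSTP MTU exceeds the suggested DTLS MTU, returning the single value (the smaller of the two) that a client should be told to use.

```python
import re

# Constructed sample: the ocserv log lines quoted earlier in this thread.
SAMPLE_LOG = """\
ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 peer CSTP MTU is 1280
ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 TCP MSS is 1427
ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 DTLS ciphersuite: AES128-SHA
ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting DTLS MTU 1214
ocserv[23450]: [xxx.xxx.xxx.xxx]:54873 suggesting CSTP MTU 1215
"""

# Line shape seen in the quoted output: "ocserv[PID]: [PEER]:PORT message".
LINE_RE = re.compile(
    r"ocserv\[(?P<pid>\d+)\]: \[(?P<peer>[^\]]+)\]:(?P<port>\d+) (?P<msg>.*)$"
)

# Message fragments from which the numeric values are extracted.
MTU_PATTERNS = {
    "peer_cstp_mtu": re.compile(r"peer CSTP MTU is (\d+)"),
    "tcp_mss": re.compile(r"TCP MSS is (\d+)"),
    "dtls_mtu": re.compile(r"suggesting DTLS MTU (\d+)"),
    "cstp_mtu": re.compile(r"suggesting CSTP MTU (\d+)"),
}


def parse_session(log_text):
    """Collect the MTU-related values ocserv logs for one peer session.

    Lines that do not match the ocserv prefix are ignored; later values
    overwrite earlier ones, mirroring "last suggestion wins".
    """
    values = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for key, pat in MTU_PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                values[key] = int(hit.group(1))
    return values


def check_mtu_consistency(values):
    """Return (single_mtu, findings) for the parsed session values.

    single_mtu is the one value both transports can carry, i.e. the
    smaller of the two suggestions; findings lists detected problems.
    """
    findings = []
    dtls = values.get("dtls_mtu")
    cstp = values.get("cstp_mtu")
    if dtls is None or cstp is None:
        findings.append("session log lacks a suggested DTLS or CSTP MTU")
        return None, findings

    if cstp > dtls:
        # A client that applies the last suggestion (the CSTP one here)
        # configures the tun device with an MTU the DTLS path cannot carry.
        findings.append(
            f"suggested CSTP MTU {cstp} exceeds suggested DTLS MTU {dtls} "
            f"by {cstp - dtls} byte(s)"
        )

    peer = values.get("peer_cstp_mtu")
    if peer is not None and cstp > peer:
        findings.append(
            f"suggested CSTP MTU {cstp} exceeds the peer's CSTP MTU {peer}"
        )

    return min(dtls, cstp), findings


if __name__ == "__main__":
    session = parse_session(SAMPLE_LOG)
    single, problems = check_mtu_consistency(session)
    print("parsed:", session)
    print("single MTU to advertise:", single)
    for p in problems:
        print("finding:", p)
```

Run against the quoted log the check flags the 1-byte gap (1215 versus 1214) that the client reported, and yields 1214 as the single MTU to advertise for both CSTP and DTLS.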
