Packet loss when connecting via IPv6

Johannes Brechtmann brechtmann at cip.ifi.lmu.de
Tue Feb 23 20:39:29 PST 2016


On Sat, 30 Jan 2016 15:49:19 +0000
David Woodhouse <dwmw2 at infradead.org> wrote:

> On Fri, 2016-01-29 at 17:37 +0100, Johannes Brechtmann wrote:
> > Yes, but didn't notice because of the lack of IPv6 capable servers
> > inside the network I connect to.
> > I guess this is a problem with my IPv6 uplink.
> 
> My first guess would be some muppet sysadmin who thinks it's clever to
> firewall ICMP.
> 
> When the SSH or web server on the VPN sends its first large packet,
> it's probably going to be too large to fit into the VPN tunnel. So the
> VPN server sends an ICMP 'too big' back... which is eaten by the idiot
> sysadmin. So it's treated just like a lost packet and resent. And
> still doesn't fit.
> 
> Normally, the MSS given in the TCP negotiation would prevent that —
> your client will *ask* the SSH or web server not to send packets
> larger than the VPN can handle. That works when the client is the one
> connected to the VPN and *knows* the MTU on that route, but it falls
> down usually when you're routing and the actual client thinks it has a
> full MTU on that route.
> 
> Are there any internal boxes on which you can reproduce this problem
> and also run tcpdump to capture the traffic? Can you reproduce it and
> capture *both* sides simultaneously, and compare?
> 

I finally got time to have a closer look at the issue.
The problem was a 6in4 tunnel on my route to the VPN server with an MTU
of 1280. Setting this tunnel to a more sensible value fixed it for me.

Thank you for the help and patience.
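
[Added example, not part of the original message or of openconnect: one way to carry out the "capture both sides and compare" step suggested above and recognise the filtered ICMP 'too big' pattern. The record format, function name and sample packets are constructed for illustration and assume plain IPv6 plus TCP headers with no options.]

```python
from collections import Counter

ICMP6_PACKET_TOO_BIG = 2      # ICMPv6 type 2 (RFC 4443)
IPV6_HDR, TCP_HDR = 40, 20    # assumption: no extension headers, no TCP options

def diagnose(sent, received, icmp6_types_at_sender):
    """Compare sender-side and receiver-side captures of one TCP flow.

    sent / received: lists of (tcp_seq, ipv6_packet_len), one entry per packet
    on the wire; icmp6_types_at_sender: ICMPv6 type numbers the sender saw.
    """
    arrived = {seq for seq, _ in received}
    attempts = Counter(sent)                     # each retransmission adds one
    lost = {pkt: n for pkt, n in attempts.items() if pkt[0] not in arrived}
    if not lost:
        return {"verdict": "no-loss"}
    largest_ok = max((ln for seq, ln in sent if seq in arrived), default=0)
    smallest_lost = min(ln for _, ln in lost)
    size_dependent = smallest_lost > largest_ok  # only the big packets vanish
    resent_unchanged = any(n > 1 for n in lost.values())
    told = ICMP6_PACKET_TOO_BIG in icmp6_types_at_sender
    if size_dependent and resent_unchanged and not told:
        verdict = "pmtud-blackhole"              # 'too big' never reached the sender
    elif size_dependent and told:
        verdict = "pmtu-signalled"               # sender was told and can shrink
    else:
        verdict = "inconclusive-or-random-loss"
    return {"verdict": verdict,
            "largest_delivered": largest_ok,
            "smallest_lost": smallest_lost,
            "mss_known_to_fit": largest_ok - IPV6_HDR - TCP_HDR}

# Constructed sample: small packets pass, the 1500-byte segment is resent
# three times at the same size and never shows up in the far-side capture.
SENT = [(1, 100), (41, 1280), (1261, 1500), (1261, 1500), (1261, 1500)]
RECEIVED = [(1, 100), (41, 1280)]

if __name__ == "__main__":
    print(diagnose(SENT, RECEIVED, icmp6_types_at_sender=[]))
```
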



More information about the openconnect-devel mailing list