Packet loss when connecting via IPv6

David Woodhouse dwmw2 at
Sat Jan 30 07:49:19 PST 2016

On Fri, 2016-01-29 at 17:37 +0100, Johannes Brechtmann wrote:
> Yes, but didn't noticed because of the lack of IPv6 capable servers
> inside the network I connect to.
> I guess this a problem with my IPv6 uplink.

My first guess would be some muppet sysadmin who thinks it's clever to
firewall ICMP.

When the SSH or web server on the VPN sends its first large packet,
it's probably going to be too large to fit into the VPN tunnel. So the
VPN server sends an ICMP 'too big' back... which is eaten by the idiot
sysadmin. So it's treated just like a lost packet and resent. And still
doesn't fit.

Normally, the MSS given in the TCP negotiation would prevent that —
your client will *ask* the SSH or web server not to send packets larger
than the VPN can handle. That works when the client is the one
connected to the VPN and *knows* the MTU on that route, but it falls
down usually when you're routing and the actual client thinks it has a
full MTU on that route.

Are there any internal boxes on which you can reproduce this problem
and also run tcpdump to capture the traffic? Can you reproduce it and
capture *both* sides simultaneously, and compare?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list