MTU mismatch with 7.08 and "Unknown DTLS packet"

Chaskiel Grundman cgrundman at gmail.com
Thu Jan 4 13:41:29 PST 2018


The 1300 byte packets come from the remote side. They are split by the
gateway into a 1290 byte chunk and a 10 byte chunk and are sent in 2
DTLS records.

openconnect --mtu has no effect. openconnect still reduces the MTU to
1290 because gnutls will not let it encode a record larger than 1290
bytes when doing the first DPD, as shown in the log.
The code surrounding "Failed to write to SSL socket: " is:

static int _openconnect_gnutls_write(gnutls_session_t ses, int fd,
                                     struct openconnect_info *vpninfo, char *buf, size_t len)
{
        size_t orig_len = len;

        while (len) {
                int done = gnutls_record_send(ses, buf, len);
                if (done > 0)
                        len -= done;
                else if (done == GNUTLS_E_AGAIN || done == GNUTLS_E_INTERRUPTED) {
...
                } else {
                        vpn_progress(vpninfo, PRG_ERR, _("Failed to write to SSL socket: %s\n"),
                                     gnutls_strerror(done));

https://www.gnutls.org/manual/html_node/Data-transfer-and-termination.html
says that gnutls_record_send will return EMSGSIZE "if the send data
exceed the data MTU value - as returned by gnutls_dtls_get_data_mtu()".
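A constructed model of the contract discussed above, added here and not code from the openconnect project or from GnuTLS: a mock record-send that refuses any record over the data MTU, a write loop in the shape of the quoted openconnect fragment (which turns the refusal into a hard error), and the gateway-style split of a 1300-byte packet into 1290 + 10 byte records. The struct, function names and error value are assumptions, not GnuTLS identifiers.

```c
#include <stddef.h>
/* Constructed stand-in for gnutls_record_send() under DTLS: a record larger
 * than the data MTU (gnutls_dtls_get_data_mtu()) is refused, not fragmented. */
#define MOCK_E_LARGE_PACKET (-1)   /* placeholder error value, not GnuTLS's */
struct mock_dtls {
    size_t data_mtu;   /* largest payload one record may carry */
    size_t nrecords;   /* records emitted so far */
    size_t *sizes;     /* optional log of each record's payload length */
    size_t max_sizes;  /* capacity of sizes[] */
};
static int mock_record_send(struct mock_dtls *s, size_t len)
{
    if (len > s->data_mtu)
        return MOCK_E_LARGE_PACKET;
    if (s->sizes && s->nrecords < s->max_sizes)
        s->sizes[s->nrecords] = len;
    s->nrecords++;
    return (int)len;
}
/* Same shape as the openconnect loop quoted in the mail: offer the whole
 * packet as one record and return any refusal as a hard error.  With a
 * 1300-byte packet and a 1290-byte data MTU this is the error path. */
static int send_as_single_record(size_t data_mtu, size_t pkt_len)
{
    struct mock_dtls s = { data_mtu, 0, NULL, 0 };
    while (pkt_len) {
        int done = mock_record_send(&s, pkt_len);
        if (done <= 0)
            return done;
        pkt_len -= (size_t)done;
    }
    return 0;
}
/* What the gateway does instead: cut the packet into data-MTU-sized records
 * plus the remainder (1300 -> 1290 + 10).  Returns the record count and
 * logs each record's payload length into sizes[]. */
static size_t send_fragmented(size_t data_mtu, size_t pkt_len,
                              size_t *sizes, size_t max_sizes)
{
    struct mock_dtls s = { data_mtu, 0, sizes, max_sizes };
    while (pkt_len) {
        size_t chunk = pkt_len > data_mtu ? data_mtu : pkt_len;
        int done = mock_record_send(&s, chunk);
        if (done <= 0)
            break;
        pkt_len -= (size_t)done;
    }
    return s.nrecords;
}
```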


