I am discovering a stalling TCP connection problem. The problem arises when I try to scp stuff from a remote system from my home network. My home network is connected to the internet via PPPoE (ADSL+) and everything works perfectly when working from my home network. The ADSL router has its MTU set to 1492, but with that setting the scp from the remote system does not work - it stalls! When I change the MTU on my router to 1500, then scp works perfectly, but internet access from my home network is very slow to most www sites - even local ones. Just wondering where the problem lies - is my ISP blocking ICMP, etc.? Thanks!
2 Answers
PPPoE requires 8 bytes of encapsulation/header data, which is why you can only operate with a 1492-byte MTU on Ethernet. But normally, this sort of thing is sorted out by path MTU negotiation.
If someone's blocking ICMP, then path MTU negotiation will not work.
Your options are get rid of PPPoE or change the MTU on the remote system to deal with your semi-broken connection. And yes, I realize that both are not ideal.
thanks! Is there any way to check who blocks the MTU nego? traceroute? – bogumbiker Mar 26 '10 at 02:35
Some webservers, especially some of the common CDNs like Akamai, Amazon etc, seem to be blocking ICMP traffic by default (which is obviously a very bad idea).
I first suspected a misconfiguration at my provider, but I've checked it (I sent some large packets from an internet host to my DSL router, and I received "ICMP fragmentation needed" packets from the routers just before the DSL link).
Apparently, my DSL provider used to do MSS clamping at their access routers for all the customers, but it seems that they've stopped.
I've solved it by implementing MSS clamping on my DSL router so that it now rewrites outgoing SYN packets in a way that limits the downlink maximum segment size. The command to enable it is:
iptables -A FORWARD -o ppp0 -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If your home router doesn't support iptables, you could probably modify it to work on outgoing packets on your local host by changing the FORWARD to OUTPUT, but I've never tried that.
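The rewrite that TCPMSS --clamp-mss-to-pmtu performs on a forwarded SYN, shown in Python on a constructed segment so it runs without a router: this is an added example, not the answer's own code. It assumes a 1492-byte PPPoE path MTU and minimal 20-byte IPv4 and TCP headers, so the MSS ceiling is 1452, and the sample addresses and ports are constructed.

```python
import struct

MSS_OPTION_KIND = 2  # TCP option kind for Maximum Segment Size (RFC 793)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment.
    Computed over a segment whose checksum field is already filled, it returns 0."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (ones' complement add)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def update_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update for one changed 16-bit word (what the
    kernel does instead of re-summing the whole segment)."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(segment: bytes, pmtu: int) -> bytes:
    """Lower the MSS option to pmtu - 40 when it is larger; only SYN segments
    without RST are touched, matching --tcp-flags SYN,RST SYN."""
    flags = segment[13]
    if not (flags & 0x02) or (flags & 0x04):   # bit 1 = SYN, bit 2 = RST
        return segment
    max_mss = pmtu - 20 - 20                    # assumed minimal IPv4 + TCP headers
    buf = bytearray(segment)
    data_offset = (buf[12] >> 4) * 4
    i = 20                                      # options start after the fixed header
    while i < data_offset:
        kind = buf[i]
        if kind == 0:                           # End of option list
            break
        if kind == 1:                           # NOP padding, one byte
            i += 1
            continue
        length = buf[i + 1]
        if length < 2:                          # malformed option, stop walking
            break
        if kind == MSS_OPTION_KIND and length == 4:
            old_mss = struct.unpack_from("!H", buf, i + 2)[0]
            if old_mss > max_mss:
                struct.pack_into("!H", buf, i + 2, max_mss)
                old_csum = struct.unpack_from("!H", buf, 16)[0]
                struct.pack_into("!H", buf, 16, update_checksum(old_csum, old_mss, max_mss))
        i += length
    return bytes(buf)

def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    """Constructed sample: a SYN from port 40000 to port 22 carrying only an MSS option."""
    header = struct.pack("!HHIIBBHHH", 40000, 22, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = header + struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
```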