I am currently troubleshooting an issue where some users on Windows 7 and XP systems cannot access an SSL website on our network. The same site works fine on our servers (Server 2003, completely up-to-date, and an Ubuntu Server box) and all of our OSX machines. Our gateway is a machine running ISA 2003, which provides firewall and NAT services to the network.
So far I have narrowed it down to an MTU issue - when I force a Windows 7 box to an MTU of 1100 (for example) the site works fine, but when I change the MTU back up to 1500, the site refuses to load. When doing a "ping test" with "Don't Fragment" and a specific size specified, the MTU can be determined - but it has also changed several times over the past few hours...
At the networking level, when the site refuses to load the remote server sends a TCP reset directly after (or very close to the end of) the SSL handshake.
Is there a way to force an MTU for a specific IP address? Alternatively, is there any explanation for this behaviour (perhaps a method for verifying automatic path MTU discovery is working)?
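The "ping test with Don't Fragment" the post describes can be automated as a binary search, which also makes the drift in the measured value easy to re-check on a schedule. The script below is an added example, not part of the original question or any answer to it. It assumes the system `ping` accepts `-M do` (Linux iputils) or `-f -l` (Windows) and returns a non-zero exit status when no echo reply arrives; the host address and the 1072-byte path MTU used in the offline check are constructed values. The probe is injectable so the search logic can be exercised without network access. A practical caveat the search exposes: if even the smallest probe gets no reply, ICMP is probably being filtered, which is the same condition that silently breaks automatic path MTU discovery (the "fragmentation needed" ICMP message never reaches the sender) and produces exactly the symptom of a TLS handshake that stalls once the first full-size packet is sent.

```python
"""Path-MTU probe by binary search over "Don't Fragment" pings.

Added example, not code from the original post. Assumes iputils ping on
Linux (-M do, -s, -c, -W) or Windows ping (-f, -l, -n, -w), and that ping
exits non-zero when no reply is received.
"""
import platform
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # IPv4 header, bytes
ICMP_HEADER = 8   # ICMP echo header, bytes
OVERHEAD = IP_HEADER + ICMP_HEADER  # added to every ping payload on the wire
TCP_IP_OVERHEAD = 40  # IPv4 + TCP headers without options


def build_ping_command(host: str, payload: int) -> list[str]:
    """Return the OS-specific command for one DF-marked echo of `payload` bytes."""
    if platform.system() == "Windows":
        # -f: Don't Fragment, -l: payload size, -n 1: single probe, -w: reply timeout in ms
        return ["ping", "-f", "-l", str(payload), "-n", "1", "-w", "1000", host]
    # iputils: -M do forbids fragmentation, -s payload size, -c 1 single probe, -W 1 one-second wait
    return ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "1", host]


def df_ping_succeeds(host: str, payload: int) -> bool:
    """Send one DF ping; True only if an echo reply came back (exit status 0)."""
    try:
        result = subprocess.run(build_ping_command(host, payload),
                                capture_output=True, timeout=5)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], low: int = 548, high: int = 1500) -> int:
    """Binary-search the largest IP packet size in [low, high] that passes unfragmented.

    `probe(payload)` reports whether a DF ping carrying that ICMP payload is answered.
    Returns the discovered MTU (payload plus the 28-byte IP+ICMP overhead), or 0 when
    even the smallest probe fails, which usually means ICMP is blocked rather than
    that the path is narrower than `low`.
    """
    if not probe(low - OVERHEAD):
        return 0
    lo_ok, hi_bad = low, high + 1  # invariant: lo_ok passes, hi_bad fails (or is above range)
    while hi_bad - lo_ok > 1:
        mid = (lo_ok + hi_bad) // 2
        if probe(mid - OVERHEAD):
            lo_ok = mid
        else:
            hi_bad = mid
    return lo_ok


def suggested_tcp_mss(mtu: int) -> int:
    """Largest TCP segment payload that fits the discovered MTU without fragmentation."""
    return mtu - TCP_IP_OVERHEAD


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # constructed placeholder host
    mtu = find_path_mtu(lambda payload: df_ping_succeeds(target, payload))
    if mtu == 0:
        print(f"{target}: no reply even at minimum size; ICMP is probably filtered")
    else:
        print(f"{target}: path MTU {mtu} bytes, TCP MSS should be at most {suggested_tcp_mss(mtu)}")
```

Run it against the web server's address from an affected Windows 7 client and again from one of the working machines; a value that moves between runs, as described in the question, points at a path that changes (for example a tunnel or a second route) rather than at a single misconfigured interface. The returned MTU minus 40 is the TCP MSS the client must advertise for the handshake's certificate record to get through without relying on ICMP.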