So i'm sitting in the United Club in Denver. The amenities are almost too many to list on the longest fingers of one hand. And good Internet is certainly one of the amenities that is lacking. So i decided to dig into it and share with you so that next time you are in a similar circumstance you will know how to address it (hint, its not going to the people at the front desk and using words like MTU, blackhole, router, ICMP Would Fragment).
So yeah, I whip out the old wifi, connect. The WiFi interface has MTU 1500 as you would expect. But, connect our ipsec VPN, and its awful. Nothing works reliably, pages time out, wiki doesn't load. Argh. So, debugging 101.
First I run 'ping -M do -s 1470 220.127.116.11'. I get a 'would fragment', so i know that somewhere along the way is a router that won't pass 1500. OK, that's fair, TCP doe PMTU for a reason. but, when I do 'ping -M do -s 1440', i find that I get no response and no 'would fragment'. Huh. That's not allowed. So I probe out the actual MTU with varying size, and then run 'ifconfig wlp1s0 mtu 1440' and re-check. All good.
The moral of the story, there is no packet size for which you should not get either a response or a ICMP would fragment. No blackholing is allowed. TCP works badly with it, and worse, when you use a tunnel (like ipsec) it just falls apart.