I've recently been hit with a number of problems that seem to be related to MTU. For some reason, they seem to affect Windows 7 hosts more than Windows XP hosts. I'm trying to figure out what the best course of action is.
I've had some number of users complain about specific applications not working when they are connected to my VPN servers at one location. If they connect to the VPN servers a different location, the application works. Some of this seems random, but some test cases break every time on the same packet. The symptom is typically that a packet is dropped, indicated by the packet following it being analyzed as having a missing sequence number before it. Often, the dropped packet never arrives, causing me to think that some characteristic of the packet is unloved by some device along the path. In one case, if the client PC was running WinXP, the conversation would recover. However, if the client PC was running Win7, it would not.
I've found empirically that if I lower MTU on the Juniper virtual adapter, some of these problems cease. My working theory is that the packet is being dropped somewhere along the encrypted internet path between client PC and SA, and that the ICMP response is not making it back to the sending device for PMTU computation.
So, in the interest of keeping my sanity, I have decided to decrease the maximum length of the packets sent across the encrypted tunnel. I have a choice of doing this by decreasing the MTU on the interface(s) of the SA, or by doing MSS clamping on the routers which are the default gateways for the internal interfaces of the SAs. Of course, I could also do this by modifying the MTU on the Juniper virtual interface on the PCs, but there are so many reasons that this is a bad idea.
I have three questions -
Thanks for the help.
We found our MTU issues (same as what you are seeing) were due to the ISP connection to the Internet being tunneled from the hotspot through their or another provides network before hitting the web. This tunnel overhead reduces the MTU on the path from the Hotspot router to the internet but the client still thinks its getting a full size connection. This practice along with other ISP interference such as DNS hijacking/redirecting seem to be on the increase.
We change the MTU on the Wireless Adapter of the client as we found PMTU was unreliable as it only works if everything along the path supports it.
As for why Windows 7 is more sensitive I'm not sure but my guess would be it's probably trying to do more clever stuff with the stack to "improve" performance. You may be able to tweak some adapters parameters to improve this.