On Thu, 14 Mar 2019 at 21:51, Zhi-Qiang Lei <zhiqiang....@gmail.com> wrote:
> Mine is resolved by applying a smaller max-mss in pf and disabling ipcomp.
> Only disabling ipcomp didn't work.
>
>
> On Thu, Dec 20, 2018 at 6:54 PM Theodore Wynnychenko <t...@uchicago.edu>
> wrote:
>
>> Then, I took the advice above, and disabled ipcomp on the tunnel, and,
>> BAHM, https (and imaps) were working without an issue from openbsd, Windows
>> 7, and Macs!

I ran into something similar a while ago, and even if "fixing" https/imaps works with MSS clamping, it will still cause issues with fragmented UDP and large ICMP, since those will not care about MSS; only TCP does.

The problem is still there; it's just a TCP-only workaround to lower the MSS in flight for a problem that is mostly visible when doing *s services, since they ship long lists of preferred algorithms, which causes large packets to be sent, whereas simple LDAP lookups or NTP/DNS/HTTP get by with less info sent and hence send smaller packets.

Still, large non-TCP IP packets will see unexpected drops in such scenarios where you only lower the MSS and not the MTU on some in-between L3 interface, so that it correctly fragments when needed.

-- 
May the most significant bit of your life be positive.
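The two approaches the thread contrasts, side by side, as an added configuration example that is not part of any message in the thread. The interface names (`egress`, `em0`), the tunnel MTU of 1400 and the derived MSS of 1360 are assumptions; measure your own path MTU first (for example `ping -D -s <size> <peer>` across the tunnel until the largest size that passes without fragmentation is found) and put that value in place of 1400. The MSS follows as MTU minus 20 bytes of IPv4 header minus 20 bytes of TCP header; IPv6 needs 20 bytes more taken off.

```conf
# --- /etc/pf.conf: the TCP-only workaround discussed above -------------
# Clamping MSS on outbound traffic keeps TCP segments (https, imaps, ...)
# small enough to fit inside the ESP-encapsulated tunnel packet.
# It does nothing for UDP or ICMP, which carry no MSS, so large DNS
# responses, fragmented UDP and big ICMP echo requests still get dropped.
# 1360 is an assumption: 1400 (assumed tunnel MTU) - 20 (IPv4) - 20 (TCP).
match out on egress scrub (max-mss 1360)

# --- /etc/hostname.em0: the fix for all IP traffic --------------------
# Lowering the MTU on the in-between L3 interface that feeds the tunnel
# lets the stack fragment (or return ICMP "fragmentation needed" for
# DF-marked packets) before the packet is encapsulated, so UDP and ICMP
# are handled the same way as TCP instead of silently disappearing.
# em0 and 1400 are assumptions; the line is passed verbatim to ifconfig,
# i.e. it is equivalent to: ifconfig em0 mtu 1400
mtu 1400
```

Keeping the `max-mss` clamp in addition to the MTU change is harmless and avoids a round of path-MTU discovery for new TCP connections, but only the MTU change addresses the non-TCP drops the reply describes.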