Alan Munday wrote the following on 06/02/14 17:37:
Viktor Dukhovni wrote the following on 05/02/14 20:44:
On Wed, Feb 05, 2014 at 08:28:51PM +0000, Alan Munday wrote:
Viktor Dukhovni wrote the following on 05/02/14 18:45:
And of course mx3 is still broken, STARTTLS hangs, because it is
unable to transmit the server SSL HELLO + certificate, likely due
to path MTU or other network layer issues.
I am still seeing mx1 establish 100% of TLS connections and mx3 50%
(with a significant number of those being retries) so I have looked at
the comms. Both boxes are behind firewalls (same make, different models,
older OS on the mx3 firewall). They both only allow TCP/25 in, and mx3
has no restrictions on outbound traffic (mx1 is restricted to key
services). The MTUs on the firewall interfaces are all set to the same value
(1500) and the comms (DSL based) both go to the same ISP. So I could do
with some pointers on where to go next with this.
In the quiet of the night I've been able to take some tcpdumps.
On mx1 I see:
> Client Hello
> Server Hello, Certificate, Server Hello Done
and on mx3:
> Client Hello
> Server Hello
> [TCP segment of a reassembled PDU]
> Certificate
The fragmentation, as Viktor predicted.
Checking out the MTU on the router and the ISP's support pages, there
were two other MTU values to try; neither has resolved the issue, so
I'll contact the ISP in the morning.
Thanks again.
Alan
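The two captures above differ only in whether the server's Certificate message fits into the first TCP segment. The following is an added example, not code from the thread or from Postfix: it builds a TLS 1.0 server flight (ServerHello, Certificate, ServerHelloDone) around a constructed placeholder certificate blob (not real DER), cuts the byte stream into TCP segments the way the sending host would, labels each segment the way Wireshark does, and then flags which segments an undersized path MTU would swallow when the DF bit is set and ICMP "fragmentation needed" is filtered. The MSS of 1460 (IPv4 MTU 1500 with no TCP options), the PPPoE DSL MTU of 1492 and the certificate lengths 1000 and 1800 are assumptions chosen to reproduce the mx1 and mx3 patterns, not values from the thread.

```python
"""Model of why a STARTTLS capture shows "[TCP segment of a reassembled PDU]"
and why an undersized path MTU can hang the handshake.

Added example, not from the original thread.  The certificate is a constructed
placeholder blob, not a real DER certificate; 1460 is the MSS for a 1500-byte
IPv4 MTU with no TCP options and 1492 is the usual PPPoE DSL MTU (assumptions).
"""
import struct

HANDSHAKE = 22            # TLS record content type
TLS1_0 = b"\x03\x01"


def handshake_msg(msg_type, body):
    # Handshake header: 1-byte message type, 3-byte body length.
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def server_hello():
    body = TLS1_0 + b"\x00" * 32   # version + 32-byte server random (constructed zeros)
    body += b"\x00"                # empty session id
    body += b"\x00\x2f"            # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                # null compression
    return handshake_msg(2, body)


def certificate(cert_len):
    # Certificate message: 3-byte list length, then each cert with its own 3-byte length.
    cert = b"\x30" + b"\xaa" * (cert_len - 1)      # placeholder blob, not a real certificate
    entry = len(cert).to_bytes(3, "big") + cert
    return handshake_msg(11, len(entry).to_bytes(3, "big") + entry)


def server_hello_done():
    return handshake_msg(14, b"")


def record(payload):
    # TLS record header: content type, version, 2-byte length.
    return bytes([HANDSHAKE]) + TLS1_0 + struct.pack("!H", len(payload)) + payload


def server_flight(cert_len):
    """Return the byte stream and [(name, start, end)] offsets of each record."""
    msgs = [("Server Hello", server_hello()),
            ("Certificate", certificate(cert_len)),
            ("Server Hello Done", server_hello_done())]
    stream, spans = b"", []
    for name, msg in msgs:
        rec = record(msg)
        spans.append((name, len(stream), len(stream) + len(rec)))
        stream += rec
    return stream, spans


def segment_flight(cert_len, mss=1460, per_record=False):
    """Cut the flight into TCP segments of at most `mss` payload bytes.

    per_record=False models the three records handed to the socket in one
    write, so they share segments; per_record=True models one write per
    record, so each record starts a fresh segment.  Segments are labelled
    the way Wireshark does: the messages that complete in the segment, and
    whether it carries only part of a message that ends later (the
    "[TCP segment of a reassembled PDU]" case).
    """
    stream, spans = server_flight(cert_len)
    units = [(s, e) for _, s, e in spans] if per_record else [(0, len(stream))]
    segments = []
    for ustart, uend in units:
        for off in range(ustart, uend, mss):
            end = min(off + mss, uend)
            completes = [n for n, s, e in spans if off < e <= end]
            partial = any(s < end < e for _, s, e in spans)
            segments.append({"len": end - off, "completes": completes, "partial": partial})
    return segments


def describe(segments):
    """One line per segment, in the style of the captures above."""
    lines = []
    for seg in segments:
        label = ", ".join(seg["completes"]) or "[TCP segment of a reassembled PDU]"
        lines.append(f"{seg['len']:5d} bytes  {label}")
    return lines


def blackholed(segments, pmtu, ip_tcp_overhead=40):
    """Indices of segments whose IP datagram (payload + IPv4/TCP headers) exceeds
    pmtu.  With DF set and the ICMP 'fragmentation needed' reply filtered, these
    are silently dropped, so the client waits forever for the Certificate."""
    return [i for i, s in enumerate(segments) if s["len"] + ip_tcp_overhead > pmtu]


if __name__ == "__main__":
    print("\n".join(describe(segment_flight(1000))))                 # mx1-like: one segment
    mx3 = segment_flight(1800, per_record=True)                       # mx3-like: split cert
    print("\n".join(describe(mx3)))
    print("segments lost at PMTU 1492:", blackholed(mx3, 1492))      # -> [1]
```

With the assumed sizes the mx1-like flight is 1071 bytes and rides in one segment that passes a 1492-byte path, while the mx3-like flight produces a full 1460-byte segment (1500 bytes on the wire) that a 1492-byte PPPoE link cannot carry unfragmented; that segment is exactly the "[TCP segment of a reassembled PDU]" line in the capture. To confirm the same thing on the real path, send DF-marked pings of decreasing size from the client side (`ping -M do -s 1464 <mx3>` is a 1492-byte datagram on Linux) and watch where they start failing, or run `openssl s_client -starttls smtp -connect <mx3>:25` and note whether it stalls after the Server Hello. If the ISP link really is 1492, the usual fixes are lowering the MTU on the PPPoE interface itself or clamping the TCP MSS on the firewall (for example iptables TCPMSS with --clamp-mss-to-pmtu) so that no full-size segment is ever produced.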