Hi All

What helped me with MTU issues in general is setting TCPMSS on all
traffic... This can be done under Linux as follows:

ip6tables -A INPUT   -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -A OUTPUT  -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Just my two cents

Matthias

On 21/10/2019 11:21, Müller Urs (IT-OM-SDP-SDN) wrote:
> Hello everybody
> 
> We are still having issues with the MTU detection.
> At the moment, we are translating on our Internet-Router and internal 
> Loadbalancers are unaware or unable to talk back to the webserver, if the MTU 
> is smaller than usual.
> This happens usually with Tunnelbrokers or some (self built) 
> Firewall/Routers. 
> 
> Hope, we will bring IPv6 deeper into our network until Q2/2020 and fix that 
> nasty issue with that.
> 
> If Nico could try to look into his MTU and perhaps share it's hardware specs?
> 
> I am connecting with EdgeRouter Pro and through INIT7/Fiber7.
> 
> :~$ curl -6 -l -v https://sbb.ch
> * Rebuilt URL to: https://sbb.ch/
> *   Trying 2a00:4bc0:ffff:ffff::c296:f58e...
> * TCP_NODELAY set
> * Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: /etc/ssl/certs
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> * ALPN, server accepted to use http/1.1
> * Server certificate:
> *  subject: jurisdictionC=CH; jurisdictionST=Bern; serialNumber=CHE-102.909.703; businessCategory=Private Organization; C=CH; ST=Bern; L=Bern; O=Schweizerische Bundesbahnen SBB; OU=IT; CN=www.sbb.ch
> *  start date: Jul 25 14:52:45 2019 GMT
> *  expire date: Jul 25 14:52:45 2021 GMT
> *  subjectAltName: host "sbb.ch" matched cert's "sbb.ch"
> *  issuer: C=CH; O=SwissSign AG; CN=SwissSign EV Gold CA 2014 - G22
> *  SSL certificate verify ok.
> 
> Regards, Urs
> 
> Urs Müller
> Schweizerische Bundesbahnen SBB
> Senior Architect
> IT Operations Management - Service Design
> Lindenhofstrasse 1 - Worblaufen, 3000 Bern 65
> [email protected] / www.sbb.ch  
> 
> 
> 
> 
> -----Original Message-----
> From: [email protected] <[email protected]> On behalf of Silvan M. Gebhardt
> Sent: Monday, 21 October 2019 09:59
> To: Benoit Panizzon <[email protected]>
> Cc: swinog <[email protected]>
> Subject: Re: [swinog] SBB partially reachable via IPv6
> 
> SBB is a test case for proper MTU. Check your MTU ;)
> 
> 
> ----- Original Mail -----
> From: "Benoit Panizzon" <[email protected]>
> To: "swinog" <[email protected]>
> Sent: Monday, 21 October 2019 07:40:15
> Subject: Re: [swinog] SBB partially reachable via IPv6
> 
> Works for me:
> $ telnet sbb.ch https
> Trying 2a00:4bc0:ffff:ffff::c296:f58e...
> Connected to sbb.ch.
> 
> $ openssl s_client -connect sbb.ch:https
> CONNECTED(00000003)
> depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2 verify return:1
> depth=1 C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22 verify return:1
> depth=0 jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch verify return:1
> ---
> Certificate chain
>  0 s:jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch
>    i:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
>  1 s:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
>    i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
> 
> Kind regards
> 
> -Benoît Panizzon-
> 

-- 
Matthias Cramer / mc322-ripe   Senior Network & Security Engineer
iway AG                        Phone +41 43 500 1111
Badenerstrasse 569             Fax   +41 44 271 3535
CH-8048 Zürich                 http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250
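
What the TCPMSS rules above actually do to a packet, as an added example that is not part of Matthias's mail or of the iptables project: an IPv6 TCP SYN is constructed with an MSS option, and the same rewrite that `-j TCPMSS --set-mss N` performs on a SYN (and that `--clamp-mss-to-pmtu` performs once the path MTU is known) is applied to it: the MSS option is lowered if it exceeds the limit and the TCP checksum is recomputed over the RFC 8200 pseudo-header. The addresses, ports and MSS values are constructed sample data (2001:db8::/32 documentation prefix); `mss_for_mtu` is the "MTU minus 60 for IPv6" rule from the TCPMSS man page, under which 1360 corresponds to a path MTU of 1420 and 1440 to the usual 1500. The kernel target also inserts an MSS option when the SYN carries none; that case is not modelled. Note also that `--clamp-mss-to-pmtu` needs a route lookup and is only accepted in FORWARD, OUTPUT and POSTROUTING, which is why the INPUT rule above uses a fixed `--set-mss`.

```python
"""Added example: the MSS rewrite performed by the ip6tables TCPMSS target, on constructed data."""
import ipaddress
import struct

IPV6_HDR_LEN = 40          # fixed IPv6 header
TCP_MIN_HDR_LEN = 20       # TCP header without options
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN, TH_RST = 0x02, 0x04


def mss_for_mtu(mtu: int) -> int:
    """MSS that fits a given path MTU for IPv6 (the 'MTU - 60' from the TCPMSS man page)."""
    return mtu - IPV6_HDR_LEN - TCP_MIN_HDR_LEN


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    # RFC 8200 pseudo-header: src, dst, 32-bit upper-layer length, 24 zero bits, next header 6 (TCP)
    return src + dst + struct.pack("!IxxxB", tcp_len, 6)


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Checksum over pseudo-header + segment; the segment's checksum field must already be zero."""
    return (~_ones_complement_sum(_pseudo_header(src, dst, len(tcp)) + tcp)) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    """With a correct checksum in place, the one's-complement sum comes out as 0xFFFF."""
    src, dst, tcp = packet[8:24], packet[24:40], packet[IPV6_HDR_LEN:]
    return _ones_complement_sum(_pseudo_header(src, dst, len(tcp)) + tcp) == 0xFFFF


def build_tcp(src: str, dst: str, sport: int, dport: int, mss: int, flags: int = TH_SYN) -> bytes:
    """Constructed IPv6 + TCP segment carrying an MSS option, NOP-padded to a 4-byte multiple."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + bytes([TCPOPT_NOP] * 4)
    doff = (TCP_MIN_HDR_LEN + len(options)) // 4           # data offset in 32-bit words
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 65535, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    ipv6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + s + d   # version 6, payload len, TCP, hop limit
    return ipv6 + bytes(tcp)


def _mss_option_offset(tcp: bytes):
    """Offset of the 16-bit MSS value inside the TCP header, or None; stops on malformed options."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_MIN_HDR_LEN
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff or tcp[i + 1] < 2:   # truncated option or bogus length: never read past the header
            break
        if kind == TCPOPT_MSS and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]
    return None


def read_mss(packet: bytes):
    tcp = packet[IPV6_HDR_LEN:]
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Effect of '--tcp-flags SYN,RST SYN -j TCPMSS --set-mss max_mss' on a single packet.

    Only SYN segments without RST are touched, and only when their MSS exceeds max_mss.
    """
    tcp = bytearray(packet[IPV6_HDR_LEN:])
    if not (tcp[13] & TH_SYN) or (tcp[13] & TH_RST):
        return packet
    off = _mss_option_offset(bytes(tcp))
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"                      # zero the checksum field, then recompute it
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[8:24], packet[24:40], bytes(tcp)))
    return packet[:IPV6_HDR_LEN] + bytes(tcp)


def demo():
    """SYN from a 1500-byte-MTU host, clamped to the 1360 used in the rules above."""
    syn = build_tcp("2001:db8::1", "2001:db8::2", 40000, 443, mss_for_mtu(1500))
    clamped = clamp_mss(syn, 1360)
    return read_mss(syn), read_mss(clamped), checksum_ok(syn), checksum_ok(clamped)


if __name__ == "__main__":
    print(demo())   # (1440, 1360, True, True)
```

Running the file prints the MSS before and after clamping together with both checksum results; `clamp_mss` returns the input untouched for non-SYN segments, for SYN+RST, and for SYNs whose MSS is already at or below the limit, which is exactly the set of packets the `--tcp-flags SYN,RST SYN` match lets the target see and act on.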


_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
