Hi All
What helped me with MTU issues in general is setting TCPMSS on all traffic... This can be done under Linux as follows:
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Just my two cents
Matthias
On 21/10/2019 11:21, Müller Urs (IT-OM-SDP-SDN) wrote:
Hello everybody
We are still having issues with the MTU detection. At the moment, we are translating on our Internet router, and internal load balancers are unaware of or unable to talk back to the web server if the MTU is smaller than usual. This usually happens with tunnel brokers or some (self-built) firewalls/routers.
We hope to bring IPv6 deeper into our network by Q2/2020 and fix that nasty issue with that.
Could Nico try to look into his MTU and perhaps share its hardware specs?
I am connecting with EdgeRouter Pro and through INIT7/Fiber7.
:~$ curl -6 -l -v https://sbb.ch
- Rebuilt URL to: https://sbb.ch/
- Trying 2a00:4bc0:ffff:ffff::c296:f58e...
- TCP_NODELAY set
- Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
- SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
- ALPN, server accepted to use http/1.1
- Server certificate:
- subject: jurisdictionC=CH; jurisdictionST=Bern; serialNumber=CHE-102.909.703; businessCategory=Private Organization; C=CH; ST=Bern; L=Bern; O=Schweizerische Bundesbahnen SBB; OU=IT; CN=www.sbb.ch
- start date: Jul 25 14:52:45 2019 GMT
- expire date: Jul 25 14:52:45 2021 GMT
- subjectAltName: host "sbb.ch" matched cert's "sbb.ch"
- issuer: C=CH; O=SwissSign AG; CN=SwissSign EV Gold CA 2014 - G22
- SSL certificate verify ok.
Regards, Urs
Urs Müller
Schweizerische Bundesbahnen SBB
Senior Architekt IT Operations Management - Service Design
Lindenhofstrasse 1 - Worblaufen, 3000 Bern 65
urs.bf.mueller@sbb.ch / www.sbb.ch
-----Original Message-----
From: swinog-bounces@lists.swinog.ch swinog-bounces@lists.swinog.ch On behalf of Silvan M. Gebhardt
Sent: Monday, 21 October 2019 09:59
To: Benoit Panizzon benoit.panizzon@imp.ch
Cc: swinog swinog@lists.swinog.ch
Subject: Re: [swinog] SBB partially reachable via IPv6
SBB is a test case for proper MTU. Check your MTU ;)
----- Original Mail -----
From: "Benoit Panizzon" benoit.panizzon@imp.ch
To: "swinog" swinog@lists.swinog.ch
Sent: Monday, 21 October 2019 07:40:15
Subject: Re: [swinog] SBB partially reachable via IPv6
Works for me:
$ telnet sbb.ch https
Trying 2a00:4bc0:ffff:ffff::c296:f58e...
Connected to sbb.ch.

$ openssl s_client -connect sbb.ch:https
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
verify return:1
depth=0 jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch
verify return:1
Certificate chain
 0 s:jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
Kind regards
-Benoît Panizzon-