Controlling packet fragmentation across routers?

I’ve run into an interesting problem that only seems to show up with secure web access (SSL) when using the MT Hotspot. Traffic coming from the Hotspot router destined to the secure webserver has had issues. I’m noticing an ICMP Type 3 Code 4 (Fragmentation Needed and Don’t Fragment was Set) sent from the gateway of our hotspot router to the client requesting the secure page.

Is there some way to handle this so that the packets don’t need to be fragmented? Is this as simple as changing the MTU settings? Or is this strictly a problem with our Internet gateway (in this case, a DSL router - but I’ve got the same issue with a Cisco on a T1). I’m assuming that the client requesting a secure page would force the no fragment bit, but not really sure how to handle preventing this condition.

Any help or information would be greatly appreciated.

Set a mangle rule that changes the MSS on TCP packets. You can try using ‘Clamp-to-pmtu’ or you can force a value.

This has been discussed in a number of previous threads on the forum.

Regards

Andrew

Thanks for the reply. I guess the confusion on my end (and the reason for posting this) is whether the client or the router is responsible for generating the packets of this certain size. So, if the router reduces the MSS, but the client still sends a packet that needs fragmenting, the problem still exists…right? The ICMP response from the upstream router is to the client, not the hotspot router. Again, this is with a client accessing a secure server through a walled garden. I’ll search around and try some of the examples.

No. The router is fixing the MSS for the connection between the client and the remote server. You can achieve the same effect by altering the MTU on every client but it’s generally less work to do it on the router.

Regards

Andrew
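An added example, not from this thread: a Python model of what the router's MSS-clamp mangle rule (the change-mss action with new-mss=clamp-to-pmtu in RouterOS) does to the client's SYN, so that the client itself never builds a segment larger than the path can carry. The client and server addresses, ports and the 1492-byte PPPoE path MTU are constructed sample values, not taken from the poster's network.

```python
import struct

SRC, DST = bytes([10, 5, 50, 23]), bytes([203, 0, 113, 10])  # constructed client / HTTPS server

def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """RFC 1071 checksum over the IPv4 pseudo-header + TCP segment (0 when verifying a valid one)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(sport: int, dport: int, mss: int) -> bytes:
    """Constructed 24-byte TCP SYN carrying only an MSS option (kind 2, length 4)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC, DST, seg)) + seg[18:]

def mss_offset(tcp: bytes) -> int:
    """Offset of the 2-byte MSS value in the TCP options, or -1 if there is none."""
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end:
        kind = tcp[i]
        if kind in (0, 1):                   # EOL or NOP: single-byte options
            i += 1
            continue
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]
    return -1

def read_mss(tcp: bytes):
    off = mss_offset(tcp)
    return None if off < 0 else struct.unpack_from("!H", tcp, off)[0]

def clamp_mss(tcp: bytes, pmtu: int, src: bytes = SRC, dst: bytes = DST) -> bytes:
    """Model of the router's change-mss rule: on a SYN, cap MSS at pmtu - 40 (IPv4 20 + TCP 20)."""
    off = mss_offset(tcp)
    if not tcp[13] & 0x02 or off < 0:        # only SYN segments carry the MSS option
        return tcp
    limit = pmtu - 40
    if struct.unpack_from("!H", tcp, off)[0] <= limit:
        return tcp                           # client's MSS already fits the path
    buf = bytearray(tcp)
    struct.pack_into("!H", buf, off, limit)
    buf[16:18] = b"\x00\x00"                 # zero the checksum field before recomputing
    struct.pack_into("!H", buf, 16, tcp_checksum(src, dst, bytes(buf)))
    return bytes(buf)
```

Because the rewritten SYN is what the server sees, the server's data segments are sized to the clamped MSS and the ICMP "fragmentation needed" exchange never has to happen.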