One of my users is reporting issues accessing an HTTPS website. All ICMP appears to be dropped by a firewall in front of the intended secure site. My suspicion is that because ICMP is being dropped, Path MTU Discovery (RFC 1191) is failing, thus resulting in a “blackhole” and TCP communications timing out to the specific site. All my users are connecting via PPPoE and are using the default MTU size of 1488 (some may be 1480).
I’ve tried configuring a temporary PPPoE server (with a different service name) with a multitude of MTU sizes (1480, 1488, 1492) and nothing. I’ve tried adjusting the MSS as well as disabling it, and still nothing. I can access the site just fine from a server that’s connected to the same switch as all my PPPoE servers (1500-byte MTU). It’s just when the MTU is a “non-standard” size that the problem occurs.
Is this out of my control? Do their firewalls have to allow the necessary ICMP packets for PMTUD in order to access the site? Or is there something I can do that I haven’t tried, to get these packets through without getting “blackholed”?
Thanks,
Bill
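The mechanism behind the question, as an added example that is not part of the original post: a small Python simulation of RFC 1191 Path MTU Discovery, the blackhole that results when the firewall in front of the server drops the ICMP “fragmentation needed” message, and MSS clamping on the PPPoE server as the workaround that needs no cooperation from the remote site. The hop MTUs, the client’s advertised MSS of 1460 (a host on a 1500-byte LAN behind the PPPoE router), the 4000-byte payload and the retransmit limit are all constructed for illustration; the mention of iptables’ `TCPMSS --clamp-mss-to-pmtu` refers to the real target, but the code only models what it does and does not invoke it.

```python
from dataclasses import dataclass

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


@dataclass
class Packet:
    size: int        # total IPv4 length in bytes
    df: bool = True  # Don't Fragment, which TCP sets while doing PMTUD (RFC 1191)


class Path:
    """Hops from the web server out to the PPPoE client. The server-side firewall
    is what filters the ICMP coming back from whichever hop could not forward a
    packet, so it is modelled as a flag rather than as a hop."""

    def __init__(self, link_mtus, firewall_drops_icmp):
        self.link_mtus = list(link_mtus)
        self.firewall_drops_icmp = firewall_drops_icmp

    def forward(self, pkt):
        """Return ("delivered", None); ("dropped", next_hop_mtu) when the ICMP
        "fragmentation needed" (type 3, code 4) reaches the sender; or
        ("dropped", None) when the firewall eats that ICMP: the blackhole."""
        for mtu in self.link_mtus:
            if pkt.size > mtu and pkt.df:
                return ("dropped", None if self.firewall_drops_icmp else mtu)
        return ("delivered", None)


class TcpSender:
    """Server-side TCP reduced to what matters here: segments are sized from the
    MSS the client advertised in its SYN, capped by the sender's path MTU
    estimate, and a DF packet that gets no ACK is simply retransmitted."""

    def __init__(self, peer_mss, local_mtu=1500, max_retransmits=3):
        self.peer_mss = peer_mss
        self.pmtu = local_mtu  # initial estimate is the first-hop MTU (RFC 1191)
        self.max_retransmits = max_retransmits  # constructed limit for the demo

    def packet_size(self):
        return min(self.peer_mss + IP_HDR + TCP_HDR, self.pmtu)

    def send(self, path, payload_len):
        """Push payload_len bytes of data down `path`; return the event trace."""
        trace = []
        remaining = payload_len
        while remaining > 0:
            data = min(remaining, self.packet_size() - IP_HDR - TCP_HDR)
            pkt = Packet(size=data + IP_HDR + TCP_HDR)
            for _attempt in range(self.max_retransmits + 1):
                status, next_hop_mtu = path.forward(pkt)
                if status == "delivered":
                    remaining -= data
                    trace.append(f"delivered {pkt.size}")
                    break
                if next_hop_mtu is not None:
                    # RFC 1191: adopt the MTU carried in the ICMP and resend smaller
                    self.pmtu = min(self.pmtu, next_hop_mtu)
                    trace.append(f"icmp frag-needed, next-hop mtu {next_hop_mtu}")
                    break
                trace.append(f"timeout {pkt.size}")  # no ACK, no ICMP: retransmit as-is
            else:
                trace.append("blackhole: gave up")
                return trace
        return trace


def clamp_mss(client_syn_mss, ppp_mtu):
    """What the PPPoE server can do on its own: rewrite the MSS option in the
    client's SYN (iptables' TCPMSS --clamp-mss-to-pmtu does this) so the server
    never builds a segment the PPPoE link cannot carry, and no ICMP is needed."""
    return min(client_syn_mss, ppp_mtu - IP_HDR - TCP_HDR)


def run(ppp_mtu, firewall_drops_icmp, clamp_at_pppoe_server,
        client_syn_mss=1460, payload_len=4000):
    """Constructed scenario (not measured from any real site): two 1500-byte hops
    and then the PPPoE link. The client is assumed to sit on a 1500-byte LAN
    behind the PPPoE router, so it advertises MSS 1460 unless the server clamps it."""
    path = Path([1500, 1500, ppp_mtu], firewall_drops_icmp)
    mss = clamp_mss(client_syn_mss, ppp_mtu) if clamp_at_pppoe_server else client_syn_mss
    return TcpSender(peer_mss=mss).send(path, payload_len)


def blackholed(trace):
    return trace[-1].startswith("blackhole")


if __name__ == "__main__":
    for label, args in [("ICMP dropped, no clamp", (1488, True, False)),
                        ("ICMP dropped, MSS clamped", (1488, True, True)),
                        ("ICMP allowed, no clamp", (1488, False, False))]:
        print(f"{label}: {run(*args)}")
```

With ICMP blocked and no clamp, the server keeps retransmitting a 1500-byte DF segment that the 1488-byte PPPoE link can never carry, which is the timeout the post describes; clamping the client’s SYN MSS to 1448 makes every server segment fit the link, so the remote firewall’s ICMP policy no longer matters. Real stacks also have a blackhole fallback (RFC 4821 probing, `net.ipv4.tcp_mtu_probing` on Linux) that this simulation omits; and whether a clamp is actually taking effect can be confirmed on the PPPoE server with a packet capture of the client’s outgoing SYN, checking the MSS option it carries after the rewrite.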