Software update over <1500 byte MTU path

I was trying to update some devices (SXT, RB750) with a local 1500 byte MTU but with a path to the update
server with a smaller MTU (the next hop towards the internet is a VPN router that connects to another router
that provides internet access). The router facing the internet sends the proper ICMP “destination unreachable,
fragmentation needed” messages to the upgrade.mikrotik.com server.
Yet the update does not succeed. Sometimes I see only the “new version available”, sometimes it shows the
changelog, but it never succeeds in downloading the upgrade packages.
I have seen this before. When twiddling things like “clamp TCP MSS” or the MTU of the outgoing link it can
be made to work, but it looks like there is a bad firewall inside or before those upgrade servers that drops
the ICMP that tells it to lower its segment size.

Does anyone recognize this?
The server is mostly ignoring our “ICMP fragmentation needed - max MTU 1426” and keeps sending 1500 byte segments,
sometimes a few 1426 and then returning to 1500.

Why use DF when you don’t want to obey ICMP?? Then just leave DF off and it will work without problem!
(albeit a bit less efficient because of the fragmentation)
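
The behaviour described in this post can be confirmed from a capture taken on the router that emits the ICMP. The following is an added example, not part of the original post: it parses an ICMP "fragmentation needed" message (type 3, code 4, next-hop MTU field per RFC 1191) and counts how many later DF-marked packets of the quoted flow still exceed that MTU. The addresses, ports, event format and function names are assumptions constructed for the illustration.

```python
import socket
import struct

def parse_frag_needed(icmp):
    """Return (next_hop_mtu, flow) from an ICMP type 3 code 4 message, else None."""
    if len(icmp) < 8 + 20 + 4:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]  # quoted IP header + first bytes of the dropped packet
    ihl = (inner[0] & 0x0F) * 4
    if (typ, code) != (3, 4) or inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return mtu, (src, sport, dst, dport)

def audit(events):
    """events, in capture order: ("icmp", raw_bytes) or ("pkt", flow, ip_total_len, df_set).
    Returns {flow: {"mtu", "oversized", "fits"}} counting packets seen after the ICMP."""
    report = {}
    for ev in events:
        if ev[0] == "icmp":
            parsed = parse_frag_needed(ev[1])
            if parsed:
                mtu, flow = parsed
                report[flow] = {"mtu": mtu, "oversized": 0, "fits": 0}
        elif ev[1] in report:
            _, flow, length, df = ev
            key = "oversized" if df and length > report[flow]["mtu"] else "fits"
            report[flow][key] += 1
    return report

# Constructed sample (documentation addresses, assumed ports), shaped like the
# pattern in the post: 1500-byte segments, a few at 1426, then 1500 again.
FLOW = ("198.51.100.10", 80, "192.0.2.20", 50000)  # server -> device

def build_frag_needed(mtu, flow, length=1500):
    """Build a test ICMP message; checksums are left at zero and are not validated."""
    src, sport, dst, dport = flow
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 1, 0x4000, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of the TCP header
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner

SAMPLE = [("pkt", FLOW, 1500, True), ("icmp", build_frag_needed(1426, FLOW)),
          ("pkt", FLOW, 1500, True), ("pkt", FLOW, 1500, True),
          ("pkt", FLOW, 1426, True), ("pkt", FLOW, 1426, True),
          ("pkt", FLOW, 1500, True)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero `oversized` count after the ICMP was sent means the sender, or a filter in front of it, is not acting on path MTU discovery for that flow.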