TLS handshake failing consistently for specific sites

Hopefully someone can give me some ideas to resolve this. I have a pretty standard NATted hEX using 7.11.2. Clients behind the router are getting TLS handshake timeout errors consistently for some web sites. Some examples are https://www.dualshockers.com and https://mail.yahoo.com. Most sites work fine. Pings work fine for all sites.

I have tried disabling the adblocker, switching DNS, disabling FastTrack/FastPath, clearing browser cache, different browsers, different clients. I am not seeing any firewall drops. The timeout is consistent for those sites no matter what I do. If I remove the router and attach a client directly to the ISP then the problem goes away, so I am somewhat confident it is the MikroTik router that is causing this.

Torching the interfaces, I can see outgoing TLS handshake packets and incoming ACKs that look correct and are directed towards the correct client.

Any thoughts on what might be causing this or ideas on testing for cause? Thanks!

I figured this out. Wireshark was showing a lot of TCP packet retransmissions and out-of-order packets.

The bridge MTU was left blank and the "actual MTU" was showing 1378. There was a disabled EoIP tunnel on the bridge that also had an actual MTU of 1378, which was forcing the bridge to limit its MTU. I set the bridge MTU to 1500 and the issue is resolved. I still need to figure out why EoIP has such a small MTU and what an appropriate setting is there.

In case someone else is getting sporadic TLS issues: check the bridge MTU!
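One way to confirm an MTU limit like this from a client, as an added example that is not part of the forum post: a POSIX shell binary search for the largest ICMP payload that crosses the path with the DF bit set. It assumes Linux iputils ping (`-M do` sets DF, `-s` is the payload size) and plain IPv4 (MTU = payload + 28); the target address is a placeholder and the offline stand-in that models a 1378-byte path MTU is a constructed value taken from the post.

```shell
#!/bin/sh
# Added example, not from the post. Finds the largest ICMP payload that
# passes unfragmented; a result well below 1472 points at an MTU limit
# such as the 1378-byte bridge MTU described above.

# Real probe: exit 0 when one echo request with DF set and the given
# payload size is answered. Assumes Linux iputils ping.
probe_df() {
    size="$1"
    target="$2"
    ping -M do -c 1 -W 2 -s "$size" "$target" >/dev/null 2>&1
}

# Binary search for the largest payload in [lo, hi] that PROBE accepts.
# PROBE is a shell function taking (size, target). Prints the payload
# size, or "none" if even lo fails.
find_max_payload() {
    probe="$1"; target="$2"; lo="$3"; hi="$4"
    "$probe" "$lo" "$target" || { echo none; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$target"; then
            lo=$mid          # mid fits: search upward
        else
            hi=$((mid - 1))  # mid too big: search downward
        fi
    done
    echo "$lo"
}

# IPv4 path MTU implied by an ICMP payload: 20 (IP) + 8 (ICMP) + payload.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Offline stand-in for probe_df modelling a 1378-byte path MTU
# (constructed to match the post; 1378 - 28 = 1350 payload bytes).
fake_probe_1378() {
    [ "$1" -le 1350 ]
}

# Live usage (192.0.2.1 is a placeholder target):
#   payload=$(find_max_payload probe_df 192.0.2.1 500 1472)
#   payload_to_mtu "$payload"
```

A default-size ping (56 bytes of payload) never hits such a limit, which is why pings worked while a TLS ServerHello and certificate chain, which typically exceed 1378 bytes, stalled.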