Hello!
We have a structure of about 50 sites connected to our HQ. Every branch office has 2 tunnels: one EoIP running over the ISP's MPLS and an L2TP tunnel for redundancy in case of problems with MPLS.
We also have an OSPF environment running in this layout with no problems. All sites have a RB 2011.
The thing is that some days ago we began to have some problems loading HTTPS websites. This is caused by our firewall, since we started to check the packets via flow-based and not proxy anymore.
We've done some tests and discovered that we could get around the problem by adjusting our MTU. After some research, I've seen that MikroTik allows me to change the MTU automatically via the flag "Clamp TCP MSS" on the interface itself or via a Mangle rule through the clamp-to-pmtu action.
I would like your help to understand the concept of both of them, and whether I need to use both together or just one of them. If I understood it correctly, the TCP Clamp MSS flags the SYN packet and puts the MTU of the interface with the value I want. Period.
The clamp-to-pmtu relies on MTU discovery, which is ICMP based and not as reliable nowadays as it was in the past.
Any light would be appreciated.
Thanks in advance.