NetWorker
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Jan 31, 2010 6:55 pm

DSL TLS MTU problem

Fri May 10, 2019 5:22 pm

Hey everyone!

We've recently been having increasing issues with some webpages not being displayed correctly or not loading at all. Long story short, I've tracked it down to being pages that have upgraded to newer versions of TLS. Haven't checked if 1.3 only or also 1.2. And only when going over our DSL line. When they go through the fiber line all is well, hence the problem has been intermittent but getting more serious with an increasing number of sites being updated.

So I switched the modem from bridge to router mode and everything worked just fine. Switched back to using the Mikrotik PPPoE Client and again same pages hang at the TLS handshake stage.

Some research into the matter suggested newer TLS versions dislike fragmented handshake packets and that adjusting MTU is the solution.

When I first set the DSL line up a couple of years ago I remember doing some tests which led me to set the MTU to 1492 (theoretical max for DSL) back then. Yesterday I tried some pings with the DNF flag set and progressively lowered the MTU. I went as far down as 1300 and the best I achieved was 1452 bytes on a 1480 MTU. However this has NOT solved the TLS issue.

Things I've also tried were MRU larger and smaller than MTU by a dozen or so bytes and MRRU other than default in the 1500 to 1700 range. I've not been able to change MSS and I couldn't find the MSS mangle rules that were talked about somewhere (can't find it again).

Any pointers greatly appreciated!
 
NetWorker
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun Jan 31, 2010 6:55 pm

Re: DSL TLS MTU problem  [SOLVED]

Fri May 10, 2019 6:25 pm

Found it! MSS can be changed in the profile. Turns out the option "Change TCP MSS" was set to no. When set to yes TLS started working again. Also, even with MTU at 1492 it works a lot better than before. I'm guessing that's because browsers were doing a lot of path discoveries which oddly enough worked for everything but newer version TLS handshakes.
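As an added example (not the poster's configuration), the two ways RouterOS can do the MSS clamping discussed in this thread: the profile switch found in the second post, and the explicit mangle rules the first post was looking for. The interface name pppoe-out1 and the use of the default PPP profile are assumptions; the mechanism being fixed is that large TLS handshake records (ServerHello plus certificate chain) are sent as full-size segments that cannot traverse the 1492-byte PPPoE path without fragmentation, and when PMTU discovery fails the handshake stalls.

```routeros
# Added example, not the poster's config. Interface name pppoe-out1 is assumed.

# 1) The profile option the poster found. RouterOS rewrites the MSS of TCP SYNs
#    passing through the PPPoE interface so segments fit the negotiated MTU
#    (1492 - 20 IP - 20 TCP = 1452 for plain IPv4/TCP).
/ppp profile set default change-tcp-mss=yes

# 2) Equivalent explicit mangle rules. Useful when you want hit counters, or when
#    the PPP profile option is not applied to the path in question. clamp-to-pmtu
#    derives the MSS from the MTU of the interface the SYN leaves on, so no fixed
#    value has to be maintained if the MTU changes later.
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn out-interface=pppoe-out1 \
    comment="clamp MSS on outbound SYNs over the DSL link"
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn in-interface=pppoe-out1 \
    comment="clamp MSS on inbound SYNs over the DSL link"

# 3) Check: the packet counters on both rules should climb as clients open new
#    connections through the DSL line. A fixed value (new-mss=1452 for MTU 1492)
#    can replace clamp-to-pmtu if a specific MSS is required.
/ip firewall mangle print stats
```

Only new connections are affected, since the MSS is negotiated in the SYN; existing sessions keep their old value until they reconnect.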
