NetWorker
Frequent Visitor
Topic Author
Posts: 98
Joined: Sun Jan 31, 2010 6:55 pm

DSL TLS MTU problem

Fri May 10, 2019 5:22 pm

Hey everyone!

We've recently been having increasing issues with some webpages not being displayed correctly or not loading at all. Long story short, I've tracked it down to being pages that have upgraded to newer versions of TLS. Haven't checked if 1.3 only or also 1.2. And only when going over our DSL line. When they go through the fiber line all is well, hence the problem has been intermittent but getting more serious with an increasing number of sites being updated.

So I switched the modem from bridge to router mode and everything worked just fine. Switched back to using the Mikrotik PPPoE Client and again same pages hang at the TLS handshake stage.

Some research into the matter suggested newer TLS versions dislike fragmented handshake packets and that adjusting MTU is the solution.

When I first set the DSL line up a couple of years ago I remember doing some tests which led me to set the MTU to 1492 (theoretical max for DSL) back then. Yesterday I tried some pings with the DNF flag set and progressively lowered the MTU. I went as far down as 1300 and the best I achieved was 1452 bytes on a 1480 MTU. However this has NOT solved the TLS issue.

Things I've also tried were MRU larger and smaller than MTU by a dozen or so bytes and MRRU other than default in the 1500 to 1700 range. I've not been able to change MSS and I couldn't find the MSS mangle rules that were talked about somewhere (can't find it again).

Any pointers greatly appreciated!
 
NetWorker
Frequent Visitor
Topic Author
Posts: 98
Joined: Sun Jan 31, 2010 6:55 pm

Re: DSL TLS MTU problem  [SOLVED]

Fri May 10, 2019 6:25 pm

Found it! MSS can be changed in the profile. Turns out the option "Change TCP MSS" was set to no. When set to yes TLS started working again. Also, even with MTU at 1492 it works a lot better than before. I'm guessing that's because browsers were doing a lot of path discoveries which oddly enough worked for everything but newer version TLS handshakes.
 
kugla007
just joined
Posts: 8
Joined: Thu Mar 29, 2018 12:43 pm

Re: DSL TLS MTU problem

Tue Jul 28, 2020 10:24 am

Hi,

I have an identical issue but I have "Yes" in Adjust TCP MSS on the profile and that doesn't seem to resolve the issue.

I tried adjusting the MSS using a mangle rule but that doesn't help either.
/ip firewall mangle
add action=change-mss chain=forward log=yes log-prefix=MSS new-mss=1420 out-interface="PPPoE-out" passthrough=yes protocol=tcp src-address=192.168.10.0/24 tcp-flags=syn
Any advice on what I can try next?
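The two posts above describe the same mechanism from different sides: NetWorker's fix ("Change TCP MSS" in the PPP profile) and kugla007's manual change-mss mangle rule both rewrite the MSS option in TCP SYNs so that the other end never sends a segment larger than the 1492-byte PPPoE link can carry. The following Python model is an added example, not RouterOS code and not posted by either author; it assumes IPv4 with no options (20-byte IP and TCP headers), an 8-byte PPPoE/PPP overhead, a constructed 4000-byte TLS handshake flight (roughly a ServerHello plus certificate chain), and a constructed set of SYN options. It shows why small responses pass but a large handshake flight with DF set is black-holed on an unclamped link, and what the MSS rewrite does to the option bytes.

```python
"""
Model of the PPPoE MTU / TCP MSS interaction discussed in the thread.
Added example (not RouterOS code): (1) a 1492-byte PPPoE link silently drops
full-size 1500-byte TCP segments when DF is set and the ICMP "fragmentation
needed" message never reaches the sender (a PMTUD black hole); (2) an MSS
clamp rewrites the MSS option in a SYN so peers send smaller segments.
"""
import struct
from typing import List, Optional, Tuple

IP_HDR = 20                                  # assumption: IPv4, no options
TCP_HDR = 20                                 # assumption: no TCP options on data segments
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8                           # 6 bytes PPPoE + 2 bytes PPP protocol id
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD    # 1492, the MTU in the thread


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IPv4 packet of the given MTU."""
    return mtu - IP_HDR - TCP_HDR


def segment(flight_bytes: int, mss: int) -> List[int]:
    """Split one TCP flight (e.g. ServerHello + Certificate) into payload sizes."""
    segs, remaining = [], flight_bytes
    while remaining > 0:
        n = min(mss, remaining)
        segs.append(n)
        remaining -= n
    return segs


def deliver(segments: List[int], link_mtu: int, df: bool = True,
            icmp_reaches_sender: bool = False) -> Tuple[int, int]:
    """Count (delivered, dropped) segments crossing a link of link_mtu.

    With DF set and ICMP filtered, oversized segments vanish without feedback.
    Without DF the router fragments; with working ICMP the sender shrinks
    its segments, so both of those cases deliver everything.
    """
    delivered = dropped = 0
    for payload in segments:
        if payload + IP_HDR + TCP_HDR <= link_mtu:
            delivered += 1
        elif df and not icmp_reaches_sender:
            dropped += 1
        else:
            delivered += 1
    return delivered, dropped


def clamp_mss_option(tcp_options: bytes, new_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option (kind 2, length 4) in a SYN's option bytes when it
    exceeds new_mss. Returns (rewritten_options, original_mss_or_None).

    This mirrors what a change-mss rule does conceptually; it is not the
    RouterOS implementation. Malformed option lists are left untouched.
    """
    out = bytearray(tcp_options)
    orig: Optional[int] = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if i + 1 >= len(out):
            break
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            break                            # malformed: stop, change nothing further
        if kind == 2 and length == 4:
            orig = struct.unpack_from("!H", out, i + 2)[0]
            if orig > new_mss:
                struct.pack_into("!H", out, i + 2, new_mss)
        i += length
    return bytes(out), orig


# Constructed SYN options as a typical host advertises them on plain Ethernet:
# MSS 1460, SACK permitted, timestamps, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a" "0001e24000000000" "01" "030307")


def demo() -> dict:
    """Compare an unclamped and a clamped TLS handshake flight over PPPoE."""
    mss_default = mss_for_mtu(ETHERNET_MTU)  # 1460: what the host advertises
    mss_pppoe = mss_for_mtu(PPPOE_MTU)       # 1452: what the clamp should enforce
    flight = 4000                            # constructed: ServerHello + cert chain
    opts, orig = clamp_mss_option(SYN_OPTIONS, mss_pppoe)
    return {
        "unclamped": deliver(segment(flight, mss_default), PPPOE_MTU),
        "clamped": deliver(segment(flight, mss_pppoe), PPPOE_MTU),
        "syn_mss_before": orig,
        "syn_mss_after": struct.unpack_from("!H", opts, 2)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unclamped flight loses its two full-size segments and the TLS handshake stalls, while a response that fits in one small segment is unaffected, which matches the symptom of "most pages fine, big TLS handshakes hang". Clamping the SYN's MSS to 1452 makes every segment exactly fit the 1492-byte link. This is also why a change-mss rule only needs to match SYN packets (as kugla007's rule does): the MSS option exists only there.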
