Still struggling with MSS/MTU IKEv2

Posted: Wed Oct 09, 2019 2:36 am
by msatter
After spending many hours, if not days, on this I am seeing the ICMP type 3, code 4 packet, but it is not shown in connection tracking nor is it going to the local network where the client is.

I am running a and downloading is fine, but uploading does not start. I am not blocking the ICMP traffic, but it looks like it goes back into the IKEv2 tunnel instead of going to the client.

The log shows this:

Posted: Thu Oct 10, 2019 11:37 am
by msatter
I can see the ICMP packets in RAW, Mangle and Filter but not in NAT. I tried removing the connection mark in Mangle, which is needed for directing traffic into the IKEv2 connection, but that did not make those packets visible in NAT, nor did it solve the problem.

I still need a Mangle line to set a hard fixed MTU of 1382 (not using IPv6 anymore) because clamp to pmtu does not work.
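For the ICMP type 3, code 4 packets and the MTU of 1382 discussed in the two posts above, here is an added example (not code from the thread or from MikroTik) that decodes a "Fragmentation Needed" message as Wireshark would show it: the next-hop MTU the router is announcing, the original flow from the embedded header, and the MSS that fits that MTU. The sample packet and its RFC 5737 addresses are constructed; the MSS formula assumes IPv4 with no IP or TCP options.

```python
import socket
import struct


def build_frag_needed(reporter, dst, mtu, inner_src, inner_dst, sport, dport):
    """Constructed sample: outer IPv4 + ICMP type 3 code 4 (RFC 1191) carrying
    the first 28 bytes (IPv4 header + 8 bytes of TCP) of the too-large datagram."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1400, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    inner_tcp = struct.pack("!HHI", sport, dport, 1)          # ports + sequence number
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner_ip + inner_tcp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           socket.inet_aton(reporter), socket.inet_aton(dst))
    return outer_ip + icmp


def parse_frag_needed(pkt):
    """Decode an IPv4 ICMP 'Fragmentation Needed' message; None if pkt is not one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # outer protocol must be ICMP
        return None
    icmp = pkt[ihl:]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return None
    inner = icmp[8:]                      # header of the datagram that was dropped
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    # The embedded src is the original sender: this is the host the ICMP must
    # reach (here the LAN client), and the tuple is what conntrack matches on.
    return {
        "reporter": socket.inet_ntoa(pkt[12:16]),
        "next_hop_mtu": mtu,
        "flow": (inner[9], socket.inet_ntoa(inner[12:16]), sport,
                 socket.inet_ntoa(inner[16:20]), dport),
    }


def mss_for_mtu(mtu):
    """Largest TCP MSS that fits an IPv4 MTU with no options (assumption: 20+20 bytes)."""
    return mtu - 20 - 20


if __name__ == "__main__":
    sample = build_frag_needed("198.51.100.1", "192.0.2.10", 1382,
                               "192.0.2.10", "203.0.113.5", 51000, 443)
    info = parse_frag_needed(sample)
    print(info, "suggested MSS:", mss_for_mtu(info["next_hop_mtu"]))
```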

Posted: Fri Oct 11, 2019 4:56 pm
by msatter
Hmmmm it is becoming even stranger.

I tried a different setting, matching only packets that have the TCP flag SYN and not ACK, and the upload started with a delay and was at 40% of the expected speed. This was with clamp to pmtu as the action, which did not work before.

To test I reversed the !ack TCP flag and it still worked, so I disabled the whole Change MSS line and it still worked; however, the speed was still low.

So I hooked up Wireshark to see what is happening. On download it finds the correct MTU of 1382, but on upload it lowered the MTU to 536, which explains the low upload speed.

Now I changed back to a hard MTU of 1382, but upload is still stuck on an MTU of 536.

Going now to restart the IKEv2 connection to see if that MTU of 536 is being released. This did not work, so I am going to restart the router after generating a supout.rif. A router restart did also not help, and because of that low MTU of 536 I could also not post in this forum anymore; it was throwing me a connection error.

I resolved it by restoring a backup from two days ago and then tested the upload speed, which was as expected. Then I restored the backup where I had the low MTU problem and changed the MSS line to what I used before. I tested it again and the upload speed was again as expected.

Update: supout.rif file sent to Mikrotik by e-mail.

Posted: Tue Nov 12, 2019 2:20 pm
by msatter
Thanks to support from Mikrotik I could narrow it down to one line/trigger.