Broken PMTUD / ICMP blackhole?
Hi,
I have a Debian Sid system with generally working networking. Recently,
I experienced some strange connectivity problems with a particular
network connection (tethering via wifi to a cell phone running
LineageOS, using Mint Mobile, a T-Mobile MVNO), notably TLS handshakes
hanging and failing to complete. Following some clues I found on the
internet [1], I suspected, and believe I've found evidence of, a
PMTUD / ICMP blackhole problem. Testing with 'ping -M do 1.1.1.1 -s
nnnn', I find that for nnnn <= 1412, I get normal ping replies, but for
nnnn > 1412, I get no replies, until I get closer to 1500 (generally
with nnnn > 1472), at which point I get something like:
PING 1.1.1.1 (1.1.1.1) 1492(1520) bytes of data.
ping: local error: message too long, mtu=1500
With nnnn = 1472, I get, at least sometimes:
From 192.168.43.245 icmp_seq=2 Frag needed and DF set (mtu = 1472)
followed by (for various values of nnnn):
ping: local error: message too long, mtu=1472
until I drop below 1444, at which point I once again get no reply,
until nnnn <= 1412, at which point I once again get normal ping replies.
For comparison purposes, on a normal, properly behaving network
connection, I get normal ping replies for nnnn <= 1472, and "message
too long" for nnnn > 1472.
Am I understanding this correctly, that there's some kind of PMTUD /
ICMP blackhole problem here? If so, what can I do about it? My
understanding is that I can either set the MTU lower on the client, or
do MSS clamping. Any suggestions? Is this something Mint / T-Mobile, or
someone upstream, is just messing up?
[1] E.g., https://www.reddit.com/r/WireGuard/comments/cy13jt/tls_handshake_errors_behind_wireguard_vpn/
Celejar
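
The manual 'ping -M do ... -s nnnn' sweep described in the message above can be automated. The script below is an added example, not part of the original post: it binary-searches for the largest payload that still gets an echo reply with DF set, then derives the usable path MTU and the matching IPv4 TCP MSS. The TARGET default, the 1200..1472 search bounds and the function names are assumptions, and it treats silence, "Frag needed" and "message too long" alike as failure.

```shell
#!/bin/sh
# Added example (not from the original post). Requires iputils ping on Linux.
# TARGET and the search bounds below are assumptions; adjust for your link.

TARGET="${TARGET:-1.1.1.1}"

# probe SIZE -> exit 0 only if an echo reply comes back with DF set.
# No reply, "Frag needed" and "message too long" all return non-zero.
# Redefine this function to test the search logic offline.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$TARGET" >/dev/null 2>&1
}

# max_payload LO HI -> prints the largest size in [LO,HI] that probe accepts.
# Assumes LO itself works and that every size above the limit fails.
max_payload() {
    lo=$1; hi=$2
    probe "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# IPv4: the payload is wrapped in a 20-byte IP header and 8-byte ICMP header.
path_mtu() { echo $(( $1 + 28 )); }

# IPv4 TCP MSS: MTU minus 20-byte IP and 20-byte TCP headers (no options).
tcp_mss() { echo $(( $1 - 40 )); }

# Invoke as "sh script.sh run" to probe the live network.
if [ "${1:-}" = "run" ]; then
    p=$(max_payload 1200 1472) || { echo "even 1200 bytes gets no reply" >&2; exit 1; }
    m=$(path_mtu "$p")
    echo "largest DF payload: $p  usable path MTU: $m  TCP MSS: $(tcp_mss "$m")"
fi
```

With the figures reported above (replies up to 1412 bytes), this yields a usable path MTU of 1440 and an MSS of 1400, which are the values to use for a lowered interface MTU or an MSS clamp.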