DQ
Well-Known Member
- Joined
- Feb 28, 2016
- Messages
- 2,773
- Likes
- 2,685
I am not sure if this is helpful. But in my work I deal with a lot of tunneling. So things like MSS and MTU can often be an issue and I can have hops where we have tunnels under tunnels.
I see in your tcpdump that on the SYN going out to Redfox your MSS is 1460. That is standard for an Ethernet 1500 MTU. Now I see in that dump and the talk here that HTTP (port 80) is being used. So I assume there are no certificates being exchanged, but if there are, those tend to be the canary in the coal mine because that certificate exchange will use full-sized packets. So if there is a tunnel somewhere that drops the MTU and nothing figures that out (Windows SHOULD through MTU discovery, but in Win7 that detection might be weak and I am not sure when it was added to Windows), much of your packets would pass but your cert exchange would get dropped, as those are typically set with the do-not-fragment flag, so the upstream device that gets the oversized packet just drops it. And that fools you into believing everything is OK because you can ping all day long no problem and pass other traffic, but the cert exchange gets dropped and HTTPS or whatever is using TLS fails.
Just a thought.
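The MSS/MTU reasoning in the post above can be turned into a quick check that a defender can run against a tcpdump SYN line. The following is an added example, not code from the post or from any of the tools mentioned: it reads the `mss` option out of a constructed tcpdump-style line, derives the MTU the sender believes it has (MSS plus 20-byte IPv4 and 20-byte TCP headers, no options), and then asks whether a full-sized, DF-marked segment survives a path whose MTU has been reduced by one or more tunnel encapsulations. The sample line, the assumed 24-byte GRE-over-IPv4 overhead, and the 84-byte ping size are constructed assumptions for illustration; real encapsulation overheads vary with options and with IPv6.

```python
import re
from dataclasses import dataclass

IPV4_HDR = 20  # bytes, IPv4 header without options
TCP_HDR = 20   # bytes, TCP header without options

# Constructed tcpdump-style SYN line (sample input, not captured from the thread).
SAMPLE_SYN = (
    "IP 192.0.2.10.51234 > 198.51.100.20.80: Flags [S], seq 1000, "
    "win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0"
)

# Assumed encapsulation overheads in bytes (illustrative; verify for your tunnels).
GRE_OVER_IPV4 = 24   # 20-byte outer IPv4 header + 4-byte GRE header
PING_BYTES = 84      # typical IPv4 echo request: 20 IP + 8 ICMP + 56 payload

MSS_RE = re.compile(r"\bmss (\d+)")


def parse_mss(tcpdump_line: str):
    """Return the MSS option advertised in a tcpdump SYN line, or None if absent."""
    match = MSS_RE.search(tcpdump_line)
    return int(match.group(1)) if match else None


def implied_mtu(mss: int) -> int:
    """MTU the sender assumes: MSS plus minimal IPv4 and TCP headers."""
    return mss + IPV4_HDR + TCP_HDR


@dataclass
class PathVerdict:
    full_segment_bytes: int   # size of a full-MSS TCP packet on the wire
    path_mtu: int             # inner MTU left after tunnel overhead
    dropped_with_df: bool     # True if that packet is too big and DF prevents fragmenting
    clamp_mss_to: int         # MSS value that would fit the reduced path


def check_path(mss: int, link_mtu: int = 1500, tunnel_overheads=()) -> PathVerdict:
    """Decide whether full-MSS segments fit through nested tunnels on a link_mtu path.

    tunnel_overheads lists the per-tunnel encapsulation cost in bytes; nested
    tunnels (tunnels under tunnels) simply add up.
    """
    path_mtu = link_mtu - sum(tunnel_overheads)
    full_segment = mss + IPV4_HDR + TCP_HDR
    return PathVerdict(
        full_segment_bytes=full_segment,
        path_mtu=path_mtu,
        dropped_with_df=full_segment > path_mtu,
        clamp_mss_to=path_mtu - IPV4_HDR - TCP_HDR,
    )


def packet_passes(packet_bytes: int, path_mtu: int, df_set: bool) -> bool:
    """Small packets (pings, short HTTP requests) pass; oversized DF packets are dropped.

    Without DF the router fragments instead of dropping, which is why plain ping
    and light traffic keep working while a full-sized TLS handshake record does not.
    """
    if packet_bytes <= path_mtu:
        return True
    return not df_set


if __name__ == "__main__":
    mss = parse_mss(SAMPLE_SYN)
    print(f"MSS {mss} -> sender assumes MTU {implied_mtu(mss)}")
    verdict = check_path(mss, 1500, (GRE_OVER_IPV4,))
    print(verdict)
    print("ping passes:", packet_passes(PING_BYTES, verdict.path_mtu, df_set=True))
    print("full DF segment passes:",
          packet_passes(verdict.full_segment_bytes, verdict.path_mtu, df_set=True))
```

The `clamp_mss_to` value is what an MSS-clamping rule on the tunnel endpoint would advertise so that both sides stop sending segments that cannot fit; the `packet_passes` check reproduces the symptom described above, where ping succeeds while the large DF-marked packet is silently dropped.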