We have an IPsec VPN tunnel set up between a NetScreen NS5GT in our office and a NetScreen 204 in our datacenter.
The VPN works fine except for when we try to access SSL-enabled applications running on servers in the datacenter, when the connections time out. The office subnet is routed via the tunnel, so no NAT is involved.
I think this is MTU-related somewhere because I can open TCP sockets to the SSL application (telnetting to that port) and see SSL error messages in the application's log when I do this, but accessing it properly via a browser results in nothing in the log at all.
After doing some testing, I have found that the max ICMP packet I can send over the tunnel is 1418 bytes, so somewhere something is limiting the MTU to 1446 bytes (1418 ICMP + 28 bytes overhead).
If I route to the same IP either via the public network without the tunnel, or via our other ADSL connection, I can send ICMP packets of 1472 bytes, which is what I would expect when the MTUs are all 1500.
I've tried setting flow tcp-mss to various values to reduce the packet size, but this has not made any difference.
Any suggestions are most welcome!
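As an added example (not part of the original post), the following shell script automates the DF-bit ping probing described above: it binary-searches the largest ICMP payload that passes, then converts it into the path MTU (payload + 28 bytes of IP/ICMP headers) and the TCP MSS that fits inside it (MTU - 40). It assumes Linux iputils `ping` (`-M do` sets the DF bit) and uses a placeholder target address.

```shell
#!/bin/sh
# Added example: find the path MTU through a tunnel with DF-flagged pings.
# Assumes Linux iputils ping; 192.0.2.10 is a placeholder far-side host.

TARGET="${1:-192.0.2.10}"   # placeholder: a host on the far side of the tunnel

# probe_size SIZE: succeed (exit 0) if a DF-flagged ping with SIZE payload
# bytes makes it through; -M do forbids fragmentation, -W 2 waits 2 s.
probe_size() {
    ping -c 1 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# mtu_from_payload SIZE: ICMP payload + 8 (ICMP header) + 20 (IPv4 header)
mtu_from_payload() {
    echo $(( $1 + 28 ))
}

# mss_from_mtu MTU: TCP MSS = MTU - 20 (IPv4 header) - 20 (TCP header);
# this is the value flow tcp-mss would need to stay under for the tunnel path.
mss_from_mtu() {
    echo $(( $1 - 40 ))
}

# find_max_payload LOW HIGH PROBE: binary search for the largest payload in
# [LOW, HIGH] for which the PROBE function succeeds; prints 0 if none does.
find_max_payload() {
    low=$1; high=$2; probe=$3; best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; low=$(( mid + 1 ))
        else
            high=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Only probe the network when a target host is given on the command line.
if [ "$#" -gt 0 ]; then
    max=$(find_max_payload 0 1500 probe_size)
    mtu=$(mtu_from_payload "$max")
    echo "largest DF ping payload to $TARGET: $max bytes"
    echo "path MTU: $mtu, usable TCP MSS: $(mss_from_mtu "$mtu")"
fi
```

Run it once against a host reached through the tunnel and once against the same host via the public path; the difference between the two MTU values is the tunnel's per-packet overhead.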