Troubleshooting · 4 min read

Small requests work, big ones hang: the IPsec MTU trap

The tunnel is up, routing is correct, and yet users complain that some HTTPS sites load part-way and freeze — while ping, DNS and small requests all work. This exact pattern, small works and big hangs, is the signature of an MTU problem, not a firewall or DNS one.

Why only big packets fail

IPsec wraps each packet in extra headers, so the usable MTU inside the tunnel is smaller than the physical interface. A full-size TCP segment (1500 bytes) with the Don’t-Fragment bit set no longer fits. Normally Path MTU Discovery would tell the sender to shrink — but PMTUD relies on ICMP that firewalls frequently drop. With PMTUD blocked, the oversized packets are silently discarded. Small packets slip through, so the tunnel looks healthy until someone transfers real data.

The fix: clamp the MSS

Instead of relying on PMTUD, cap the TCP Maximum Segment Size so segments fit the tunnel from the first handshake. The router rewrites the MSS in the TCP SYN as it passes.

interface Tunnel0
 ip tcp adjust-mss 1350        ! Cisco: clamp MSS on the tunnel

! FortiGate (per policy):
 set tcp-mss-sender 1350
 set tcp-mss-receiver 1350

A safe starting point is effective MTU minus 40 (20 bytes IP + 20 bytes TCP). The exact number depends on your encapsulation and cipher, so calculate it rather than guess.

MTU & MSS calculator
Enter your tunnel type, get the exact MSS to clamp.
Open →
Practise this on today’s Daily Ops Drill — a free network task every day.
Open the app →
Free tools for this
More from the blog
MTU, MSS, and why your VPN tunnels drop large packetsRead →169.254.x.x address on your interface: what APIPA really meansRead →