Small requests work, big ones hang: the IPsec MTU trap
The tunnel is up, routing is correct, and yet users complain that some HTTPS sites load part-way and freeze — while ping, DNS and small requests all work. This exact pattern, small works and big hangs, is the signature of an MTU problem, not a firewall or DNS one.
Why only big packets fail
IPsec wraps each packet in extra headers, so the usable MTU inside the tunnel is smaller than the physical interface. A full-size TCP segment (1500 bytes) with the Don’t-Fragment bit set no longer fits. Normally Path MTU Discovery would tell the sender to shrink — but PMTUD relies on ICMP that firewalls frequently drop. With PMTUD blocked, the oversized packets are silently discarded. Small packets slip through, so the tunnel looks healthy until someone transfers real data.
The fix: clamp the MSS
Instead of relying on PMTUD, cap the TCP Maximum Segment Size so segments fit the tunnel from the first handshake. The router rewrites the MSS in the TCP SYN as it passes.
interface Tunnel0 ip tcp adjust-mss 1350 ! Cisco: clamp MSS on the tunnel ! FortiGate (per policy): set tcp-mss-sender 1350 set tcp-mss-receiver 1350
A safe starting point is effective MTU minus 40 (20 bytes IP + 20 bytes TCP). The exact number depends on your encapsulation and cipher, so calculate it rather than guess.