Troubleshooting · 4 min read

MTU, MSS, and why your VPN tunnels drop large packets

VPN tunnels have a hidden cost: encryption and encapsulation add overhead to every packet, shrinking the effective payload space. When a host sends a 1500-byte packet destined for a remote network over IPSec or SSL VPN, the tunnel endpoint wraps it in additional headers, creating a frame larger than the physical link's MTU. The result is silent packet loss, retransmission delays, and frustrated users reporting that 'the VPN is slow.' Understanding MTU, MSS, and how they interact across encrypted tunnels is essential for reliable network design.

What MTU and MSS actually do

Maximum Transmission Unit (MTU) is the largest IP packet a link can carry without fragmentation. On Ethernet, that is typically 1500 bytes. Maximum Segment Size (MSS) is the largest TCP payload the sender will place in a single segment, calculated as MTU minus IP header (20 bytes) minus TCP header (20 bytes), yielding 1460 bytes on standard Ethernet.

The relationship is simple: MSS constrains TCP data to fit inside an MTU-sized IP packet. Hosts negotiate MSS during the TCP three-way handshake using the MSS option. If both endpoints agree on MSS, TCP avoids sending packets that require IP-layer fragmentation.

Why VPN tunnels break this model

A VPN tunnel is an encapsulation layer. An IPSec tunnel adds at minimum 50-70 bytes of headers (ESP, ICV, outer IP). An SSL VPN adds record framing and encryption overhead. A GRE tunnel over IPSec can add 100+ bytes. When a 1500-byte packet enters the tunnel, the encapsulated result exceeds 1500 bytes and cannot be transmitted on a standard Ethernet link without fragmentation.

If the tunnel endpoint cannot fragment (or chooses not to), the packet is dropped. If fragmentation occurs inside the tunnel, reassembly overhead and retransmission on loss degrade throughput. The core problem: the host originating the traffic has no idea the tunnel exists and sends packets sized for a 1500-byte Ethernet link, not a 1430-byte effective tunnel payload.

Path MTU Discovery and the black hole problem

Path MTU Discovery (PMTUD) is the standard solution. A host sends packets with the Don't Fragment (DF) bit set. If a router cannot forward the packet without fragmenting, it sends an ICMP Fragmentation Needed message back to the source, reporting the link's MTU. The source then reduces its send size and retries.

VPN tunnels often break PMTUD. Firewalls may block ICMP messages for security reasons, or tunnel endpoints may not properly generate or relay them. Result: the host never learns the effective MTU is lower, keeps sending 1500-byte packets, and they silently drop inside the tunnel. This is the PMTUD black hole. Symptoms include sporadic connection failures, especially with large file transfers or video, while small requests work fine.

Practical solutions: MSS clamping and manual tuning

The most reliable fix is MSS clamping. The tunnel endpoint or a firewall intercepts TCP SYN packets and rewrites the MSS option to a safe value, typically 1380-1400 bytes for IPSec. This forces the source to send smaller segments that fit inside the tunnel after encapsulation, avoiding fragmentation and packet loss entirely.

# Cisco IOS IPSec MSS clamping example
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip tcp adjust-mss 1379

# Palo Alto Networks
set security flow tcp-mss-adjust 1379

If clamping is not available, manually reduce the MTU on the tunnel interface or on hosts behind it. Test with ping and traceroute to confirm PMTUD is working. Use tools to calculate safe MSS values based on your tunnel overhead.

MTU/MSS Calculator
Calculate safe MSS values for your tunnel overhead and link MTU.
Open →
Practise this on today’s Daily Ops Drill — a free network task every day.
Open the app →
Free tools for this
More from the blog
169.254.x.x address on your interface: what APIPA really meansRead →OSPF cost reference bandwidth: why 100 Mbps links get cost 1Read →