On 27 Sep 2002, John Hawley wrote:
> Did something change in the kernel between 2.4.17 and 18 concerning
> ICMP fragmentation?  I've been noticing (and getting complaints from
> local users) that some web sites are inaccessible.  Sounds like the
> problem of some ISPs / routers not allowing ICMP fragmentation
> packets.  I checked some of my firewalls and the problem appears to
> show up on kernels 2.4.18 and higher.
>
> Anyway, the work around according to kernel documentation is to add
> this line to the iptables rule set:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --clamp-mss-to-pmtu
>
> This does appear to work for clients behind the firewall going to the
> Net.  However, this does not fix the problem for the fw box itself.
>
> Anyone else run into this and find a fix?

got tcp ecn enabled?

cat /proc/sys/net/ipv4/tcp_ecn

if it's 1, set it to 0.

read the kernel docs for reasons why..

-- 
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                | Fax   : (952)943-8500
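To make the two mechanisms in this thread concrete, here is an added example (not code from either poster): it parses a raw TCP segment, flags an ECN-setup SYN (SYN with ECE and CWR set, the kind some middleboxes drop when tcp_ecn=1), and mimics what the TCPMSS --clamp-mss-to-pmtu target does to the MSS option of a SYN. It assumes IPv4 without IP options (so MSS = PMTU - 40) and, for brevity, skips the TCP checksum update the real target performs; the sample segments are constructed.

```python
import struct

# TCP flag bits, low byte of the offset/flags word (RFC 793, ECE/CWR from RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
HDR_OVERHEAD = 40  # assumption: IPv4 header (20) + TCP header (20), no IP options

def parse_tcp_header(seg):
    """Return (flags, data_offset_in_bytes, options_bytes) of a raw TCP segment."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", seg[12:14])[0]
    doff = (offset_flags >> 12) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad data offset")
    return offset_flags & 0xFF, doff, seg[20:doff]

def is_ecn_setup_syn(seg):
    """True for an ECN-setup SYN: SYN + ECE + CWR set, ACK clear (RFC 3168 s6.1.1)."""
    flags, _, _ = parse_tcp_header(seg)
    return (flags & (SYN | ECE | CWR)) == (SYN | ECE | CWR) and not (flags & ACK)

def find_mss(options):
    """Walk the TCP option list; return (mss_value, offset_of_value) or (None, None)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # malformed length, stop walking
        length = options[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(options):
            return struct.unpack("!H", options[i + 2:i + 4])[0], i + 2
        i += length
    return None, None

def clamp_mss_to_pmtu(seg, pmtu):
    """Mimic 'iptables ... --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'.
    Only SYN (not RST) segments are touched, and only if MSS exceeds pmtu - 40."""
    flags, doff, options = parse_tcp_header(seg)
    if not (flags & SYN) or (flags & RST):
        return seg
    mss, off = find_mss(options)
    target = pmtu - HDR_OVERHEAD
    if mss is None or mss <= target:
        return seg
    out = bytearray(seg)
    struct.pack_into("!H", out, 20 + off, target)   # checksum update omitted here
    return bytes(out)

def build_syn(mss, ecn=False):
    """Constructed sample: 24-byte SYN (ports 12345->80) carrying only an MSS option."""
    flags = SYN | ((ECE | CWR) if ecn else 0)
    hdr = struct.pack("!HHIIHHHH", 12345, 80, 1000, 0, (6 << 12) | flags, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)
```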