MTU problems accessing secure.ssa.gov

[fenton]

I have been having what are apparently MTU problems accessing secure.ssa.gov. Specifically, when I go to https://secure.ssa.gov/RIL/ (which is used when logging in), the TCP connection opens, I send an SSL client hello, and then nothing (except keepalives). I just got off the phone with a bunch of people from Social Security and they confirmed that they are sending out a 1514-byte server hello in response, which I'm not receiving because of MTU, but their firewall engineer said they also aren't seeing an ICMP Packet Too Big message at the external interface to the firewall.

My tunnel is set up with a 1280-byte MTU, just to be conservative. Is there any way to be sure that the HE end of my tunnel is sending PTB messages as it should?

[fenton]

After working with SSA and Hurricane Electric support, we discovered that SSA had blocked the IPv6 network of the router from which the Packet Too Big messages were being sent. The block resulted from a DDoS incident last summer, and has been resolved.

Thanks to both SSA and HE for their help resolving this.