MTU? Problem with various CDNs

Started by bbigg, May 22, 2023, 08:13:13 AM

I've recently started experiencing an issue with connections to several major destinations - seems to be anything served by Akamai or Fastly and also Twitter.

I hope the attached trace, captured from the SIT interface of my Mikrotik router showing a Twitter connection, serves as an example.

TCP setup seems to agree on MSS at 1220 (rewritten on egress).

- but the server TLS hello comes in at 1880!
The Mikrotik's SIT interface duly sends an ICMPv6 type 2 (albeit reporting a downstream MTU of 1500, which is incorrect) - but it's completely ignored.

I can iperf3 at acceptable speeds to a host at my work and PMTU seems to work OK and ssh from an EC2 instance seems to happen OK.

I also notice that pinging over the MTU will generate ICMP type 2 from the tunnel server address (Lisbon)... so how on earth are these packets getting through!?

More importantly: can anyone think of any kind of solution? For the first time in years I've had to simply turn off IPv6 in my house.

Thanks in advance (and thanks for Tunnelbroker, which has worked flawlessly for years)


I'm having the same issues with Fastly, GitHub, and other sites; connections will often hang (only using my IPv6 tunnel). I'm on the Ashburn, VA tunnel endpoint. I've disabled the tunnel for now as it's negatively impacting the network here at home. Any updates from HE?

Thanks in advance - this has been my only problem that's persisted for more than a few weeks at a time.


Same issue in the UK, looks like an MTU issue somewhere on HE's side. I've enabled TCP-MSS clamping down to 1370 and that is working around it for the time being, can't seem to go much higher than that.


We don't drop PTBs or anything on the tunnels.

The tunnel servers are 1500 to their upstream device, and our backbone is 9000 across the board, going down to 1500 at most borders, since jumbo frames rarely exist on IXPs, and many peers choose to stay at 1500.



I do get what you're saying - I think the problem - based on what I've seen - is upstream with the CDNs.

My hope/expectation was that you might have a little bit more weight than me as an individual in raising this as an issue to be addressed. From what I've read it looks like it's pretty intractable and tunnels/mismatched MTUs are going to be even more of a pain in IPv6 than v4.

Of course, if someone has some magic sauce/workaround to prove me wrong I'm most definitely not proud - I just want to solve the problem.


Fully agree with the above, just trying to get it solved. I'm not pointing any fingers, my tunnel has worked perfectly for many years and I'm grateful to HE for providing it.