[AusNOG] MTU debugging? (Or possibly just a fault with Amazon SES?)

Jeremy Visser jeremy at sunriseroad.net
Wed Jun 3 10:51:29 EST 2015


On 03/06/15 08:44, Damien Gardner Jnr wrote:
> This one is doing my head in somewhat.  I have a customer who needs 
> to receive emails from a body who use Amazon SES in the US to send 
> emails.  I can see the connections coming into the customer 
> mailserver, however they then time out with no data after connecting.

Sounds like one or both ends are filtering the ICMP Packet Too Big messages.

If this error is specific to Amazon SES, then they could well be the ones doing this and it will be beyond your control.

If it comes to it, a hack is to lower the TCP MSS by mangling the TCP SYN packets on both ends of the tunnel.  This has the added bonus of saving an RTT by not needing to wait for the ICMP message.

Linux example:

  # iptables -t mangle -A FORWARD \
     -o tun0 \
     -p tcp \
     --tcp-flags SYN,RST SYN \
     -j TCPMSS --set-mss=1412

Cisco example:

  interface Tunnel0
   ip tcp adjust-mss
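
An added diagnostic sketch, not part of the original post: it confirms a path MTU problem by sending don't-fragment pings of decreasing size, then derives the MSS to clamp to (a 1452-byte path MTU gives the 1412 used above). It assumes Linux iputils `ping`, IPv4 and no TCP options; `HOST` is a placeholder address and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet that crosses a path with the
# DF bit set, then derive the TCP MSS to clamp to.
# HOST is a placeholder (TEST-NET-1); set it to the remote end under test.
HOST="${HOST:-192.0.2.1}"

# Send one don't-fragment echo whose total IP packet size is $1.
# ICMP payload = size - 20 (IPv4 header) - 8 (ICMP header).
# iputils ping: -M do sets DF, -s is payload bytes, -W is the timeout in s.
# When Packet Too Big messages are filtered, an oversized probe simply times
# out, which still counts as a failure here.
probe() {
    ping -c 1 -W 2 -M do -s "$(( $1 - 28 ))" "$HOST" >/dev/null 2>&1
}

# Binary search between a floor ($1, default 576) and a ceiling ($2, default
# 1500) for the largest packet size that passes. Prints the path MTU.
# Returns 1 if even the floor fails: echo is filtered or the host is down,
# so this method cannot tell anything about the path.
find_pmtu() {
    pmtu_lo="${1:-576}"
    pmtu_hi="${2:-1500}"
    probe "$pmtu_lo" || return 1
    while [ "$pmtu_lo" -lt "$pmtu_hi" ]; do
        # Round up so the search always makes progress.
        pmtu_mid=$(( (pmtu_lo + pmtu_hi + 1) / 2 ))
        if probe "$pmtu_mid"; then
            pmtu_lo="$pmtu_mid"
        else
            pmtu_hi=$(( pmtu_mid - 1 ))
        fi
    done
    echo "$pmtu_lo"
}

# MSS = path MTU - 20 (IPv4 header) - 20 (TCP header without options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage after sourcing this file:
#   mtu=$(find_pmtu) && echo "path MTU $mtu, clamp MSS to $(mss_for_mtu "$mtu")"
```

If `find_pmtu` reports less than the local interface MTU while TCP sessions over the same path stall after connecting, the Packet Too Big messages are not getting back to the sender.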

