Question ISP MTU Issues?


Oct 22, 2009
I work from home as a network engineer and live in a somewhat rural area. We have line of sight based internet that uses LTE to connect from a Telrad CPE9000 mounted on my home back to a tower on a hill a few miles away. Its 25mb service and works for most things except for a few items in my company's lab environment and some customer equipment. A lot of my work is in Cisco APICs on customer's ACI fabrics, and when connected to my home wifi, I cannot access the APIC GUI. I will get the page stating the connection is not secure but when I click to proceed, it just sits and never loads the login page.

If I tether my computer to my phone and use its (verizon) LTE, I can access everything just fine and I can ping with a 10byte large MTU size. On my ISP I can ping equipment with a max of 1362 and when Tethered to my phone, I can ping with a max of 1372. I've opened several tickets with my ISP and have spoken to senior engineers & they have assured me that the path is allowing jumbo frames, and my home router is set to its max (1500 bytes). I have run a wireshark and see a lot of TCP retransmits and duplicate Acks. I have all security and firewalls turned off on both my laptop, home router, and the telrad device (I have mgmt access to it).

Another interesting thing is that if I tether to my phone, and login to the APIC, but then switch back to my wifi, I can typically browse around the APIC GUI just fine. Another thing I noticed is when using Cisco Anyconnect VPN client for certain customers, I can access their ACI equipment fine, but when using global protect vpn client, I can't. Unfortunately, 99% of my customers use Global Protect.

I'm at a loss as to what I should check next or have my ISP check so I wanted to see if anyone here had suggestions or ideas.
In general the software should tolerate any MTU. Part of the opening of a TCP session is to discover the maximum MTU in the path. Other than some overhead you seldom see issues unless you have the do not fragment flag set and try to set too big a MTU.

Most times it is some form of VPN In the path that is causing this that is no informing the end stations of the mtu restrictions. Could be a firewall filtering these messages.

Generally the solution is to just set the MTU on your end manually to some value lower than what the actual number is. That way you device will negotiate this lower value with the far end.

Maybe try to find out what is setting the do not fragment flag and why it is doing that. Its not like the old days where the cpu is burdened by reassembly.
Reactions: SamirD