I had a really thorny problem recently where packets of a certain size were disappearing in action when being sent from Site A to Site B.
After much troubleshooting, it looked to be a problem with the TCP MSS between the two sites. What was very tricky though was that the MTU seemed to be getting identified correctly when going from Site B to Site A, but not in the other direction.
The symptom was that many AD-related services were simply not communicating over the VPN, but the VPN was definitely up. Sending ping packets of different sizes, with Do Not Fragment enabled, showed the following:
From Site A to Site B:
Payload size 1378 bytes: no problem
Payload size 1379 – 1394 bytes: 100% packet loss
Payload size 1395 bytes and up: ICMP reply saying packets needed to be fragmented, but Do Not Fragment was set
From Site B to Site A:
Payload size 1378 bytes: no problem
Payload size 1379 bytes and up: ICMP reply saying packets needed to be fragmented, but Do Not Fragment was set
After talking to the ISP, it seems that their router was misconfigured: it had an MTU set but no MRU set (this is all from the point of view of Site B).
I was able to work around the issue by changing the MTU on the NIC on the Windows Server at Site A. To do so, open a Command Prompt as Administrator.
Type: netsh interface ipv4 show subinterface
This will show you the active network interfaces. Then, to configure the MTU, type in:
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1406 store=persistent
Where "Local Area Connection" is the full name of the NIC as shown by show subinterface (use straight double quotes; curly quotes pasted from a web page are not accepted by netsh).
From what I've seen, people are saying you need to reboot for it to take effect; however, in my testing on Windows Server 2012 R2, it took effect immediately.
And, just for my reference, with the maximum size of an unfragmented ping being 1378 bytes, you then add 28 bytes of header overhead (IP plus ICMP) to this, giving an MTU of 1406.
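As an added example (not code from the original post), the script below reproduces the DF-ping sweep from the two result tables above, flags the black-hole window (sizes that are silently lost rather than answered with an ICMP "fragmentation needed" reply), and derives the same 1406-byte MTU from the largest working payload plus the 28-byte IP/ICMP overhead. It also builds the netsh command line with straight quotes. The simulated path functions are constructed from the numbers in the post; the Windows ping.exe probe, the TCP MSS figure (MTU minus 20-byte IP and 20-byte TCP headers, assuming no options), and the interface name are assumptions for illustration.

```python
"""Added example: locate a PMTUD black hole with a DF-ping sweep and derive MTU/MSS."""
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

IP_HEADER = 20                           # IPv4 header, no options
ICMP_HEADER = 8                          # ICMP echo header
TCP_HEADER = 20                          # TCP header, no options
PING_OVERHEAD = IP_HEADER + ICMP_HEADER  # the 28 bytes the post adds to the payload

# Outcomes of one DF-marked echo request of a given payload size
OK, LOST, FRAG_NEEDED = "ok", "lost", "frag-needed"


def simulated_path_a_to_b(payload: int) -> str:
    """Constructed stand-in for Site A -> Site B as described in the post:
    1378 ok, 1379-1394 silently dropped (the black hole), 1395+ ICMP frag-needed."""
    if payload <= 1378:
        return OK
    if payload <= 1394:
        return LOST
    return FRAG_NEEDED


def simulated_path_b_to_a(payload: int) -> str:
    """Constructed stand-in for the healthy Site B -> Site A direction."""
    return OK if payload <= 1378 else FRAG_NEEDED


def windows_df_ping(host: str) -> Callable[[int], str]:
    """Assumed real probe using Windows ping.exe: -f sets DF, -l sets payload size,
    -n 1 sends a single echo. Matches the English-locale output strings."""
    def probe(payload: int) -> str:
        out = subprocess.run(["ping", "-f", "-l", str(payload), "-n", "1", host],
                             capture_output=True, text=True).stdout
        if "needs to be fragmented" in out:
            return FRAG_NEEDED
        if "TTL=" in out:          # a reply line looks like "Reply from ...: bytes=... TTL=64"
            return OK
        return LOST                # "Request timed out." or no reply at all
    return probe


@dataclass
class SweepResult:
    max_ok_payload: int                       # largest payload answered normally
    black_hole: Optional[Tuple[int, int]]     # (first, last) size silently lost, or None
    path_mtu: int                             # max_ok_payload + 28
    tcp_mss: int                              # path_mtu - IP - TCP headers


def sweep(probe: Callable[[int], str], lo: int = 1200, hi: int = 1500) -> SweepResult:
    """Linear sweep so the boundaries of a LOST window are visible; a binary search
    on ok/not-ok would find max_ok but hide whether failures were LOST or FRAG_NEEDED."""
    results = {size: probe(size) for size in range(lo, hi + 1)}
    ok_sizes = [s for s, r in results.items() if r == OK]
    lost = [s for s, r in results.items() if r == LOST]
    if not ok_sizes:
        raise ValueError(f"no payload between {lo} and {hi} got through; lower 'lo'")
    max_ok = max(ok_sizes)
    black_hole = (min(lost), max(lost)) if lost else None
    mtu = max_ok + PING_OVERHEAD
    return SweepResult(max_ok, black_hole, mtu, mtu - IP_HEADER - TCP_HEADER)


def netsh_set_mtu_command(interface_name: str, mtu: int) -> str:
    """Build the persistent netsh command from the post; straight quotes only."""
    return (f'netsh interface ipv4 set subinterface "{interface_name}" '
            f'mtu={mtu} store=persistent')


if __name__ == "__main__":
    for label, path in (("A -> B", simulated_path_a_to_b), ("B -> A", simulated_path_b_to_a)):
        r = sweep(path)
        print(f"{label}: max ok payload {r.max_ok_payload}, black hole {r.black_hole}, "
              f"MTU {r.path_mtu}, TCP MSS {r.tcp_mss}")
    print(netsh_set_mtu_command("Local Area Connection", sweep(simulated_path_a_to_b).path_mtu))
```

A black-hole window sitting between the last working size and the first size that draws an ICMP reply is the signature of the problem in the post: TCP never sees a "fragmentation needed" message for those sizes, so it keeps retransmitting and stalls instead of shrinking its MSS, which is why lowering the interface MTU below the window is the effective workaround. To run the sweep against a real host, replace the simulated path with `windows_df_ping("host-at-site-b")`.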