> I'd suspect the VPN first. They normally encapsulate packets, reducing the
> maximum size for the original data which must then be fragmented if it was
> already at the maximum packet size. If the sender sets the DF (don't
> fragment) bit, which is often done unnecessarily, it will fail and have to
> try to determine the largest packet size that will go through. And this
> will fail if intermediate firewalls block the required ICMP packets as they
> usually do in situations where VPNs are needed. You could try setting the
> MTU lower on the client to work around the problem.

Many thanks. It appears that was the problem.

I was inclined to blame the horrible Cisco AnyConnect VPN myself, but i) ICMP echo-requests get through fine, and ii) ssh/www/samba work apparently correctly over it. (It would still be horrible even if it turns out to be some firewall's fault :-) )

For others, the command to try under Linux is something like

    sudo ifconfig eth0 mtu 300

You should probably use a higher value than 300 once it works (1200?).

Once again, many thanks for your help.
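
Added example, not part of the original messages: since echo requests pass through the VPN while the ICMP errors needed for path MTU discovery may not, the largest packet that crosses unfragmented can be found by binary search with DF-set pings, treating a timeout as "too big". It assumes Linux iputils ping and IPv4; the function names, the 576/1500 bounds and the pluggable probe argument are choices made for this sketch.

```shell
#!/bin/sh
# Added example: find the largest IPv4 packet size that reaches a host with
# the DF (don't fragment) bit set. Function names are hypothetical.

# probe_df SIZE HOST
# Send one echo request whose total IP packet size is SIZE, DF set.
# iputils ping: -M do sets DF, -s is the ICMP payload size, -W 1 gives up
# after one second (needed when "fragmentation needed" errors are filtered).
probe_df() {
    pmtu_payload=$(( $1 - 28 ))   # 20-byte IPv4 header + 8-byte ICMP header
    ping -M do -c 1 -W 1 -s "$pmtu_payload" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH] [PROBE]
# Prints the largest size in [LOW, HIGH] for which PROBE succeeds.
# Returns 1 if even LOW fails (host down, or echo itself is filtered).
# PROBE defaults to probe_df; any command taking "SIZE HOST" can be used.
find_path_mtu() {
    pmtu_host=$1
    pmtu_lo=${2:-576}
    pmtu_hi=${3:-1500}
    pmtu_probe=${4:-probe_df}

    "$pmtu_probe" "$pmtu_lo" "$pmtu_host" || return 1

    # Invariant: pmtu_lo is known to pass, everything above pmtu_hi fails.
    while [ "$pmtu_lo" -lt "$pmtu_hi" ]; do
        pmtu_mid=$(( (pmtu_lo + pmtu_hi + 1) / 2 ))
        if "$pmtu_probe" "$pmtu_mid" "$pmtu_host"; then
            pmtu_lo=$pmtu_mid
        else
            pmtu_hi=$(( pmtu_mid - 1 ))
        fi
    done
    echo "$pmtu_lo"
}

# Usage (placeholder host name): find_path_mtu server.example
```

Run it on the client with the VPN connected; the printed value is the ceiling for the `mtu` setting in the command above.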