I am currently troubleshooting an issue where some users on Windows 7 and XP systems cannot access an SSL website on our network. The same site works fine on our servers (Server 2003, completely up to date, and an Ubuntu Server box) and on all of our OSX machines. Our gateway is a machine running ISA 2003, which provides firewall and NAT services to the network.
So far I have narrowed it down to an MTU issue: when I force a Windows 7 box to an MTU of 1100 (for example) the site works fine, but when I change the MTU back up to 1500, the site refuses to load. When doing a "ping test" with "Don't Fragment" set and a specific size specified, the MTU can be determined, but it has also changed several times over the past few hours...
At the networking level, when the site refuses to load the remote server sends a TCP reset directly after (or very close to the end of) the SSL handshake.
Is there a way to force an MTU for a specific IP address? Alternatively, is there any explanation for this behaviour (perhaps a method for verifying automatic path MTU discovery is working)?
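The question asks how to check whether automatic path MTU discovery is working. The script below is an added example, not part of the original question or its replies: it sends Don't-Fragment pings of decreasing size to find the largest packet that passes, and separately reports whether a full-size DF probe comes back with an ICMP "Fragmentation Needed" (PMTUD working) or with nothing at all (a black hole, which is the case where PMTUD cannot work and only a manually lowered MTU helps). It assumes a Linux iputils `ping` (`-M do` sets DF, `-s` is the ICMP payload size); on macOS the DF option is `-D` and on Windows it is `ping -f -l <size>`. The sample ping output and the simulated path are constructed for offline runs.

```python
#!/usr/bin/env python3
"""Probe the path MTU to one host with Don't-Fragment pings and report
whether Path MTU Discovery (PMTUD) is actually working on that path.

Added example, not from the original question or its replies. Assumes a
Linux iputils `ping` (`-M do` sets DF, `-s` is the ICMP payload size);
on macOS the DF flag is `-D`, on Windows `ping -f -l <size>`. The sample
ping output and the simulated path used offline are constructed.
"""
import re
import subprocess
import sys
from typing import Callable, Optional, Tuple

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

Probe = Callable[[int], Tuple[str, Optional[int]]]

# Phrases meaning "dropped because DF was set" (Linux, macOS and Windows wording)
FRAG_NEEDED = re.compile(r"frag needed|message too long|needs to be fragmented", re.I)
# The MTU a router advertises inside its ICMP Fragmentation Needed message
MTU_VALUE = re.compile(r"mtu\s*=?\s*(\d+)", re.I)
# A normal echo reply (iputils "64 bytes from ..." / Windows "Reply from ...: bytes=32")
REPLY_OK = re.compile(r"\d+ bytes from |Reply from \S+ bytes=\d+", re.I)


def classify_ping_output(output: str) -> Tuple[str, Optional[int]]:
    """Turn one DF ping's output into (status, advertised_mtu).

    'frag_needed': an ICMP Fragmentation Needed came back, so PMTUD can work
    'ok'         : echo reply received, this size passes unfragmented
    'blackhole'  : silence, the packet was dropped and nobody said so
    """
    if FRAG_NEEDED.search(output):
        m = MTU_VALUE.search(output)
        return "frag_needed", (int(m.group(1)) if m else None)
    if REPLY_OK.search(output):
        return "ok", None
    return "blackhole", None


def ping_probe(host: str, size: int, timeout_s: int = 2) -> Tuple[str, Optional[int]]:
    """Send one DF ping carrying an IP packet of `size` bytes (Linux iputils syntax)."""
    payload = size - IP_ICMP_OVERHEAD
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ping_output(res.stdout + res.stderr)


def find_path_mtu(probe: Probe, lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] that arrives unfragmented.

    Works even when PMTUD is black-holed, because it only needs replies to
    the sizes that fit. When a router does advertise an MTU, jump to it.
    """
    best = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        status, mtu = probe(mid)
        if status == "ok":
            best, lo = mid, mid + 1
        elif status == "frag_needed" and mtu is not None and lo <= mtu < mid:
            hi = mtu  # the router named the bottleneck; confirm it rather than guess
        else:
            hi = mid - 1
    return best


def explain(status: str, mtu: Optional[int]) -> str:
    """One-line verdict on whether PMTUD works, from a full-size (1500) DF probe."""
    if status == "ok":
        return "full-size packets pass: no MTU problem on this path"
    if status == "frag_needed":
        return f"ICMP Fragmentation Needed received (mtu={mtu}): PMTUD is working"
    return ("no reply and no ICMP: a hop drops big DF packets silently, "
            "so PMTUD cannot work (black hole)")


def simulate_path(bottleneck_mtu: int, icmp_filtered: bool = False) -> Probe:
    """Constructed fake path for offline runs: sizes above the bottleneck are
    dropped; with icmp_filtered the router's Fragmentation Needed never arrives."""
    def probe(size: int) -> Tuple[str, Optional[int]]:
        if size <= bottleneck_mtu:
            return "ok", None
        return ("blackhole", None) if icmp_filtered else ("frag_needed", bottleneck_mtu)
    return probe


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        probe: Probe = lambda size: ping_probe(host, size)
    else:  # no host given: demonstrate on a constructed 1400-byte black-holed path
        probe = simulate_path(1400, icmp_filtered=True)
    print(explain(*probe(1500)))
    print("largest IP packet that passes:", find_path_mtu(probe))
```

Run it as `python3 pmtu_probe.py <site-ip>` from a Linux box on the affected network. A "black hole" verdict together with a found MTU well below 1500 matches the symptom in the question: small packets (and the ping tests) get through, and the first full-size TCP segment, typically the server's certificate during the SSL handshake, is the first packet that never arrives, so the connection stalls or is reset just after the handshake. On Linux a per-destination MTU can be pinned with `ip route add <site-ip>/32 via <gateway> mtu lock <value>`; whether the ISA 2003 gateway or the Windows clients offer a per-address equivalent is not something this example establishes.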
Is this site remote? Does it use a site-to-site VPN tunnel? With many VPN tunnels you have to change the MTU because of the overhead of the tunnel packets. I have seen similar issues when sites have a GRE or IPsec tunnel. In fact, in one case we didn't even know it was there, but apparently the office used 2 different floors in a building, separated by a dozen others, and the building wouldn't let them run their own network; they had to use the building's "public" one, so someone in networking set up a tunnel between the two routers.