2003 RRAS L2TP VPN - MTU Problem?
Hi

We have a 2003 server using RRAS to provide an L2TP VPN. This acts as a "black hole router" on some paths: if we use "ping -f -l NNN" from any host on the server LAN to a VPN client (i.e. via the RRAS server), then for NNN<=1352 we get a normal ping response, and for NNN>=1373 we get "Packet needs to be fragmented but DF set.", but for 1353<=NNN<=1372 we get no response. Wireshark on the VPN server LAN interface shows the ping requests but no responses.

Using the same procedure on the VPN server itself (again pinging the VPN client), we get normal responses up to 1372 and then "Packet needs to be fragmented but DF set." for 1373.

In the opposite direction, pinging from the VPN client to either the VPN server or a LAN host beyond it, we get normal responses up to 1352, then "Packet needs to be fragmented but DF set."

So I suspect the problem is an asymmetry in MTU one way against the other, but I'm not sure what to do about it. Funny thing is that this only seems to have been a problem in the last few days, but we can't identify any particular change that has caused it. Some monthly Windows Updates the other day of course, but none looked related.

Any help greatly appreciated.

David
July 20th, 2009 12:38pm
MTU will get negotiated at the 3-way handshake, or while the socket gets established. I am not sure if you were facing any issue or just trying to understand why it's behaving in such a way.

If you have Wireshark, check whether the PING request reached the VPN client, or whether the server never forwarded the PING request to the VPN client.
July 21st, 2009 9:09pm
Thanks for your help.

This is causing an issue for VPN clients connecting to an NLB web app: some HTTP requests fail, which we presume is due to packet loss for certain packet sizes.

I ran Wireshark on the VPN client and pinged the VPN client from the LAN. I could see requests arriving at the VPN client for ping sizes up to 1372, and responses up to size 1352, but no responses for request sizes 1353-1372. Can we configure the VPN to MTU 1380 (corresponding to ping size 1352), to force the smaller MTU in both directions?
July 22nd, 2009 1:28pm
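The size sweep the thread describes, as an added example that is not from any of the posts: a Python script that sends don't-fragment echo requests of increasing payload size, classifies each size as answered, silent, or rejected with the DF error, and reports the silent window together with the MTU implied by the largest answered payload (payload plus 28 bytes of IPv4 and ICMP header, which is how a 1352-byte ping maps to an MTU of 1380). probe_with_ping wraps the real ping command (Windows -f -l, or Linux -M do -s; both assumed), while simulated_probe is a constructed stand-in that reproduces the LAN-host to VPN-client observations reported above so the script runs offline.

```python
import re
import subprocess
import sys

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
REPLY, SILENT, NEEDS_FRAG = "reply", "silent", "needs_frag"

def probe_with_ping(host, payload, timeout_s=2):
    """Send one don't-fragment echo request with `payload` data bytes and classify
    the outcome from ping's text output (Windows -f -l, or Linux -M do -s)."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    if re.search(r"needs to be fragmented|frag needed|message too long", out, re.I):
        return NEEDS_FRAG  # DF rejection, from the local stack or a router on the path
    if re.search(r"bytes=\d+ time|bytes from", out, re.I):
        return REPLY
    return SILENT  # no reply and no ICMP error: a PMTUD black-hole candidate

def simulated_probe(payload):
    """Constructed stand-in reproducing the LAN-host -> VPN-client results in the thread."""
    if payload <= 1352:
        return REPLY
    if payload <= 1372:
        return SILENT
    return NEEDS_FRAG

def sweep(probe, lo=1300, hi=1400):
    """Probe every size in [lo, hi]; a black hole breaks the monotonic pass/fail
    assumption a binary search would need, so the sweep is linear."""
    return {size: probe(size) for size in range(lo, hi + 1)}

def analyse(results):
    """Largest answered payload, the silent window, and the MTU that payload implies."""
    answered = [s for s, r in results.items() if r == REPLY]
    silent = [s for s, r in results.items() if r == SILENT]
    largest = max(answered) if answered else None
    return {
        "largest_answered_payload": largest,
        "black_hole_payloads": (min(silent), max(silent)) if silent else None,
        "mtu_for_largest_answered": None if largest is None else largest + IPV4_ICMP_OVERHEAD,
    }

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None  # no argument: run the simulation
    probe = (lambda n: probe_with_ping(target, n)) if target else simulated_probe
    print(analyse(sweep(probe)))
```

Run it with a host argument to sweep a real path; a non-empty black_hole_payloads window with a DF error only above it is the signature of the asymmetric path the thread describes.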
Different VPN solutions will allow different MTU sizes. As a VPN solution will add an encrypted header which will hide data or IP (tunnel mode), it will be difficult to say what max MTU is supported in a specific scenario. But I have seen most VPNs allow a packet size of 1260 (Ethernet MTU (1500) - IP header (20 bytes) - TCP header (20 bytes) - VPN header (??) = supported MTU).

In your case, it seems the VPN solution only supports MTU = 1352. When we ping above 1372, does the client respond back stating DF bit set, or does some router in-between respond back on behalf of the client?
July 29th, 2009 10:40pm