On 2016-04-26, lilit-aibolit <[email protected]> wrote:
> On 04/25/2016 06:13 PM, Marc Peters wrote:
>> On 04/25/16 at 16:00, lilit-aibolit wrote:
>>> Hi list.
>>> I've a typical site-to-site IPsec tunnel.
>>> On rare occasions users got an infinite loop in their browser
>>> while opening web sites at the opposite endpoint; however,
>>> at the same time ping works well from one network to the other.
>>> An SSH connection to a remote host looks like you're almost
>>> logged in, but it freezes and you can only interrupt the connection.
>> I had similar issues some years ago with branch offices, and a simple
>>
>> """
>> match in all scrub (random-id no-df)
>> """
>>
>> in the /etc/pf.conf on each host solved this for me (the no-df part was
>> the important bit).
>>
>> HTH,
>> Marc
>>
> Thanks for your answer.
> I already have this line in pf.conf on all machines:
>
> >>match in all scrub (no-df)<<
>
If your problem is with TCP packets, you can add "max-mss 1300" or similar. If it's with other protocols and the no-df approach doesn't help, you may need to reduce MTU on all machines.
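The symptom in this thread (ping works, interactive TCP sessions stall after the handshake) is the classic path-MTU black hole: small packets fit through the tunnel, full-size segments with DF set are dropped and the ICMP "fragmentation needed" never arrives. Before picking a number for max-mss, it helps to measure the path MTU instead of guessing 1300. The script below is an added example, not from any poster in this thread or from the OpenBSD project: it binary-searches the largest DF-set ICMP payload that reaches the far side of the tunnel and derives an MTU and a max-mss value from it. It assumes OpenBSD's ping syntax (`-D` sets DF, `-s` is the payload size, `-w` the wait time); the Linux equivalent is noted in a comment. The function names (`df_ping`, `find_max_payload`, `suggest_max_mss`) and the probe bounds are the example's own choices.

```shell
#!/bin/sh
# Path-MTU probe for a site-to-site IPsec tunnel (added example, not from the thread).
# Binary-searches the largest ICMP payload that passes with DF set, then derives
# the IPv4 MTU and a max-mss value suitable for pf.conf's scrub option.

# Probe hook: returns 0 when a DF-set ping with payload $2 bytes reaches host $1.
# OpenBSD ping syntax (assumed). On Linux use: ping -M do -s "$2" -c 1 -W 1 "$1"
df_ping() {
    ping -D -c 1 -w 1 -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI
# Prints the largest payload in [LO, HI] for which df_ping succeeds, or "none".
# Assumes the path is monotonic: if size N passes, every size below N passes too.
find_max_payload() {
    host=$1; lo=$2; hi=$3; best=none
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if df_ping "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))   # fits: look for something larger
        else
            hi=$(( mid - 1 ))              # dropped: look for something smaller
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD -> IPv4 MTU = payload + 8 (ICMP header) + 20 (IPv4 header)
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_max_mss MTU -> TCP MSS that fits = MTU - 20 (IPv4 header) - 20 (TCP header)
mtu_to_max_mss() { echo $(( $1 - 40 )); }

# suggest_max_mss HOST
# Probes from 0 up to 1472 (the payload that fills a 1500-byte Ethernet frame)
# and prints a pf.conf scrub line with a max-mss that fits the measured path.
suggest_max_mss() {
    p=$(find_max_payload "$1" 0 1472)
    [ "$p" = none ] && { echo "no DF-set ping passed at all"; return 1; }
    mtu=$(payload_to_mtu "$p")
    echo "path MTU $mtu -> match in all scrub (no-df max-mss $(mtu_to_max_mss "$mtu"))"
}

# Usage: suggest_max_mss <host-on-the-far-side-of-the-tunnel>
```

Run it from one endpoint against a host behind the other endpoint. If it reports a path MTU below 1500, the resulting max-mss clamps TCP so segments never exceed what the tunnel carries, which addresses the TCP case the reply above mentions; non-TCP traffic still needs the no-df treatment or a lower interface MTU, as the reply also notes.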

