Recently certain TCP connections through my router have been stalling after the connection has been setup. i.e. the connection is established but neither side sends any data or so it appears.

This is most noticeable when I visit certain websites. Web traffic to servers on port 80 is routed through my squid cache and suffers no similar stalling. However https connections are not routed through my squid, and they are the best example of this problem.

If I try to direct my browser to webmail.cornell.edu (this will redirect to a secure website for login), I get so far as having the website's title displayed (CUWebLogin), and at that point the connection inexplicably stalls.

Netstat shows the connection as established:

I'm fairly certain that packets associated with these connections are not being dropped as they are placed in a specific htb class that has the highest priority with other interactive traffic, and looking at the stats for the class indicates it hasn't dropped any packets.

This issue occurs regardless of whether my upstream is saturated. I'd appreciate any suggestions you all have.


DSL connection with Verizon
3M/768K

Might be an MTU issue. If one device on the TCP path has a smaller mtu but ICMP Fragmentation messages are blocked by a firewall then TCP will establish but then fail due to being unable to throttle back to the smaller mtu. Check MTU's on all devices from your host to the internet routers outbound interface making sure all mtu's are 1500 and that you are not using tunnels anywhere.

Adding that to my firewall/traffic shaping script seems to have fixed everything, which would imply it was an MTU issue as you suggested. However I am still at a loss as to why it just suddenly stopped working.

Thanks for the tip.

No probs, MTU issues are getting more and more common now with the uptake of IPSec and GRE tunnels.

Be aware though that the MSS fix only works for TCP. If you have an app that sets Do-Not-Fragment on UDP or any other IP protocol it will suffer the same fate.