09-16-2022 07:19 AM
Thank you for reply @Doyenadmin
The MTU issue is there regardless you apply permit access list or not. When the permit access list is not applied, it is masking the issue. What I think is happening is as follows:
The initial TCP 3 way handshake initiated by your PC is completed. These packets are small and do not carry any data, then your PC send SSL client Hello and Firewall replies with Server hello. The packet size is large as it contains all SSL related information. The size of this packet is exceeding MTU between Firewall and your PC while the DF bit is set. The node that is dropping this packet is sending back to Firewall ICMP Type 3 Code 4 to lower MTU using its own interface IP address as a source and this is part where the issue with permitted IP addresses comes in. The Firewall accepts only source IP addresses that you allow and intermediate node that is asking for lowering MTU is not in the permitted IP address list. In nutshell, if you knew the IP address of this node and put it in the permit list, then you would not have to lower MTU. With the list in place, this is breaking PMTU Discovery. This kind of issue is typically something with ISP that is out of your control.
Kind Regards
Pavel
