I hate DSL, for today.

So, this client I've been working with is another victim of a hosted Exchange solution.

We moved them to a new office and the goddamn phone vendor that they hired put in a DSL.  Well, that's fine because it was a quick move and we had to do it quick.  And now they are putting in fucking CBeyond.  Whatever, I'm gonna punch that guy in the neck.

Well, we dropped in a loaner 5XT we had sitting around, and they could do everything except connect via RPC over HTTP to their Exchange provider.  Even better, when we did traceroutes the peering from Qwest to XO looked to be fucked.  The traces would die as they hit XO's network, so we never thought to look at the firewall at first.  And let's all keep in mind that tracerts and pings are ICMP, not TCP.  Read on.

Well, I had the guy move outside the firewall and attempt to connect, and it definitely worked fine.  So I threw in a 5GT that I had with the exact same config and it did not work either.  The pcaps I was grabbing showed shitty TCP CHECKSUM ERRORs and I thought for sure that some flow settings on the firewall were screwy.  I have seen that before, where we have had to turn off TCP sequence checking (set flow no-tcp-seq-check) or TCP SYN checking (unset flow tcp-syn-check) to fix issues in the past.  But that was modified accordingly with no positive results.

So, for the fuck of it I was like, "well, I'll set the maximum segment size for the Internet-bound traffic and see what happens."  The tcp-mss for encrypted traffic was set to 1350, a default for the ScreenOS version we were running.  The all-tcp-mss was at the default of 1500, so I kicked it down to 1400 (set flow all-tcp-mss 1400) and I'll be dipped in shit.  It worked.  So I moved it back to 1500 and ran a ping with 1500-byte packets (but forgot to set the don't-fragment flag) and it worked.  So while I'm writing this tonight I decided to move it back to 1500 and run the ping with the don't-fragment flag (ping -l 1500 4.2.2.2 -f).  This failed.  I found the sweet spot at 1464 bytes.  So I moved the MSS to 1464 and didn't get a login, then to 1460 and still did not.  My final tested MSS is set to 1450 right now.
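A script to find that sweet spot and turn it into an MSS, added here as an example (not from the original post): it binary-searches the largest DF-flagged ping payload that gets through, adds the 28 bytes of IP and ICMP header to get the path MTU, then subtracts the 40 bytes of IP and TCP header for the MSS. Fed the 1464-byte payload found above, that arithmetic gives a 1492-byte path MTU and a 1452-byte MSS, which is why 1460 still failed and 1450 worked. The ping flags assume Windows (`-l`, `-f`) or Linux iputils (`-M do`, `-s`); the probe is pluggable so the search itself can be tested without a network.

```python
import platform
import subprocess
from typing import Callable

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request header
TCP_HEADER = 20   # bytes, TCP header without options
MAX_PAYLOAD = 1472  # largest echo payload that fits a 1500-byte Ethernet MTU


def ping_df(size: int, host: str) -> bool:
    """Send one echo request with `size` payload bytes and DF set.

    Returns True if the reply came back, False if it was dropped
    (a "Packet needs to be fragmented" style failure). Assumes the
    Windows or Linux iputils ping syntax.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-l", str(size), "-f", host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def largest_df_payload(probe: Callable[[int], bool],
                       low: int = 0, high: int = MAX_PAYLOAD) -> int:
    """Binary-search the largest payload for which probe(size) succeeds.

    Assumes pass/fail is monotonic in size (true for a fixed path MTU).
    Returns `low` unchanged if no probed size passes.
    """
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # this size got through, look higher
        else:
            high = mid - 1     # dropped, look lower
    return low


def path_mtu(payload: int) -> int:
    """Path MTU implied by the largest DF payload that passed."""
    return payload + ICMP_HEADER + IP_HEADER


def recommended_mss(payload: int) -> int:
    """TCP MSS that fits that path MTU: MTU minus IP and TCP headers."""
    return path_mtu(payload) - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    best = largest_df_payload(lambda n: ping_df(n, "4.2.2.2"))
    print(f"largest DF payload {best} -> path MTU {path_mtu(best)}, "
          f"set flow all-tcp-mss {recommended_mss(best)}")
```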

I guess the reason I'm ranting about this is that I'm used to setting the encrypted tcp-mss size down because of the encryption overhead and the like, but I haven't run into this on plain Internet-bound traffic before.

So if you read this, try this first and see what happens.

Word?  mkay.
