Fix MTU Mismatch Causing PMTU Black Hole on a Windows 11 VPN
🔍 WiseChecker

Quick fix: When the VPN MTU is smaller than the LAN MTU and the network drops ICMP, Path MTU Discovery fails: small packets work, large packets disappear. Set Windows' MTU on the VPN adapter to a known-safe value (1300 or lower) via netsh interface ipv4 set subinterface "VPN Connection" mtu=1300 store=persistent.

You connect to the VPN. Web browsing works for small pages but large downloads hang halfway. ping works; ssh works to a server but file transfers stall. Some sites work fully, others time out. This is the classic Path MTU black hole: large IP packets get dropped silently because they exceed an intermediate link’s MTU but ICMP “packet too big” messages are blocked.

Symptom: VPN connection works for small packets but large transfers hang.
Affects: Windows 11 with VPN where Path MTU Discovery is broken.
Fix time: 15 minutes.

What PMTU black hole means

IP supports fragmentation: if a packet exceeds the next link's MTU, the router either fragments it or, when fragmentation is not allowed, returns ICMP "Fragmentation Needed." Modern stacks avoid fragmentation by setting the "Don't Fragment" bit and relying on that ICMP message to negotiate a smaller MTU. Many firewalls drop ICMP, which breaks that signaling. The result: packets that exceed the MTU are dropped without anyone telling the sender. The sender retransmits, the same packets exceed the MTU and are lost again, and the connection stalls.

Method 1: Set adapter MTU manually

  1. Open elevated Command Prompt.
  2. List interfaces: netsh interface ipv4 show subinterfaces.
  3. Find your VPN connection name (in quotes).
  4. Set MTU: netsh interface ipv4 set subinterface "Your VPN" mtu=1300 store=persistent.
  5. The setting persists. Test large transfers.

Method 2: Find the right MTU by testing

  1. Ping with don’t-fragment, increasing size: ping -f -l 1400 server.example.com.
  2. If it fails with “Packet needs to be fragmented but DF set,” reduce size by 10 and retry.
  3. Find the largest size that succeeds; add 28 (IP + ICMP headers) to get the actual MTU.
  4. Set the VPN MTU to that value via Method 1.
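
The search in Method 2 can be automated. The script below is an added example, not part of the original article: it sends echo requests with the Don't Fragment flag set through the .NET Ping class, binary-searches the largest payload that gets a reply, and adds 28 to get the MTU. The function names, the 548-byte floor, the timeout and the retry count are assumptions of this example.

```powershell
# Added example, not from the original article. Function names are hypothetical.
function Test-DfPayload {
    param([string]$Target, [int]$Size, [int]$TimeoutMs = 2000, [int]$Tries = 2)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DF set
    $buf  = New-Object byte[] $Size          # ICMP payload, same meaning as ping -l
    $last = 'Error'
    for ($i = 0; $i -lt $Tries; $i++) {      # retry so one lost probe is not read as an MTU limit
        try   { $last = $ping.Send($Target, $TimeoutMs, $buf, $opts).Status.ToString() }
        catch { $last = 'Error' }            # DNS failure, no route, etc.
        if ($last -eq 'Success') { break }
    }
    $ping.Dispose()
    return $last
}

function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,  # a host behind the VPN that answers ICMP echo
        [int]$Low  = 548,                       # assumed floor: 576-byte MTU minus 28
        [int]$High = 1472                       # 1500-byte Ethernet MTU minus 28
    )
    if ((Test-DfPayload $Target $Low) -ne 'Success') {
        throw "No echo reply at payload $Low; $Target may not answer ping at all."
    }
    $silent = 0; $signaled = 0
    while ($Low -lt $High) {                    # invariant: payload $Low always succeeds
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        switch (Test-DfPayload $Target $mid) {
            'Success'      { $Low = $mid }
            'PacketTooBig' { $signaled++; $High = $mid - 1 }  # "needs to be fragmented" was reported
            default        { $silent++;   $High = $mid - 1 }  # timeout or error: nothing came back
        }
    }
    [pscustomobject]@{
        LargestPayload = $Low
        PathMtu        = $Low + 28              # 20-byte IPv4 header + 8-byte ICMP header
        SilentDrops    = $silent                # probes that vanished without an ICMP error
        SignaledTooBig = $signaled              # probes rejected with an explicit error
    }
}

Find-PathMtu -Target 'server.example.com'
```

A nonzero SilentDrops count means oversized probes timed out instead of returning "packet too big", which is the black-hole behavior described above. Set the VPN adapter MTU to the reported PathMtu or lower via Method 1.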

Method 3: Disable Path MTU Discovery system-wide

  1. Open elevated PowerShell.
  2. Run: netsh interface ipv4 set global mtu=disabled (Windows uses static MTU per interface).
  3. Set each interface’s MTU explicitly.

Verification

  • Large file download (a few hundred MB) completes without stall.
  • Large pages load fully without hang.
  • netsh interface ipv4 show subinterfaces shows the new MTU value.

If none of these work

If lowering MTU doesn’t help, the issue may be TCP MSS (Maximum Segment Size) instead. For VPN traffic, set TCP MSS clamping at the VPN endpoint. Some VPN clients have an internal MTU setting that overrides Windows’ — check the VPN client’s advanced settings.

Bottom line: PMTU black holes silently drop large packets. Set a conservative MTU (1300–1400) on the VPN adapter to bypass the negotiation failure. The trade-off is slight per-packet overhead.