Maximum Segment Size (MSS) is set by the end points during the initial TCP
handshake. In special circumstances, a router can step in to alter the MSS.
Let's look at such a scenario, where two hosts communicate through
an SSL tunnel. The end points see a path MTU of 1500 bytes and set the MSS to 1500.
However, SSL adds extra overhead. Therefore, when a 1500-byte packet arrives at
a tunnel end point, it becomes a little larger. Furthermore, SSL often sets DF
(Do not Fragment). Since the packet is now larger than 1500 bytes, with DF set,
the router drops it. This results in communication failure between the hosts (while
ping and traceroute appear to be working). An extended ping with varying packet
sizes will verify this exact behavior.
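
The varying-size ping test described above can be run from a Linux host as a binary search with DF set. This is an added example, not part of the original text. It assumes iputils ping (`-M do` sets DF, `-s` sets the ICMP payload size) and plain IPv4/TCP headers without options; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: find the largest DF-set ICMP payload that crosses a path,
# then derive the usable path MTU and the TCP MSS a router would clamp to.

# probe SIZE HOST: exit 0 if one DF-set echo with SIZE payload bytes is answered.
# Assumes Linux iputils ping.
probe() {
    ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]
# Binary search for the largest payload that still gets a reply.
# Prints the size; returns 1 if even LOW fails (host down or ICMP filtered).
find_max_payload() {
    local host=$1 lo=${2:-0} hi=${3:-1472} mid
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid               # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))     # mid was dropped: the answer is smaller
        fi
    done
    echo "$lo"
}

# payload_to_mtu PAYLOAD: add the 20-byte IPv4 header and 8-byte ICMP header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU: subtract the 20-byte IPv4 and 20-byte TCP headers (no options).
mtu_to_mss() { echo $(( $1 - 40 )); }

# report HOST: one summary line for the path to HOST.
report() {
    local p mtu
    p=$(find_max_payload "$1") || { echo "no reply from $1" >&2; return 1; }
    mtu=$(payload_to_mtu "$p")
    echo "max_payload=$p path_mtu=$mtu tcp_mss=$(mtu_to_mss "$mtu")"
}
```

Small pings succeeding while the search stops well below 1472 bytes is the signature of the failure described above: reachability tests pass, but full-size packets with DF set are dropped.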