George Bourozikas wrote:


 >> 2)  short packets (ping's, SSH negotiations) traverse the link fine
 >>
 >> 3)  Longer packets get dropped.  I have confirmed this with tcpdump.  When I
 >> change the client MTU to 1400 everything works fine, but I need a more
 >> systemic solution because I will not have access to all potential clients.


If the problem is fixed by MTU size munging (thereby avoiding fragmented
packets) it seems reasonable to suspect that fragmented packets
are being dropped -- by a firewall rule?