In case it's of assistance, here's a tcpdump on a client machine, with it attempting to grab a deb via http from an ubuntu repo: Curiously, I see that there is a line where it receives the need-to-fragment message - it then stalls a bit later having received a couple of packets. 01:03:53.507791 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173 01:03:56.346189 IP penfold.dryft.net.17500 > 10.23.1.255.17500: UDP, length 165 01:03:56.346381 IP precise.35028 > penfold.dryft.net.domain: 32155+ PTR? 255.1.23.10.in-addr.arpa. (42) 01:03:56.346459 IP penfold.dryft.net.domain > precise.35028: 32155 NXDomain* 0/0/0 (42) 01:03:56.543791 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173 01:03:59.579831 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173 01:04:02.615831 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173 01:04:05.022421 IP precise.38845 > penfold.dryft.net.domain: 3937+ A? archive.ubuntu.com. (36) 01:04:05.022505 IP penfold.dryft.net.domain > precise.38845: 3937 9/0/0 A 91.189.91.13, A 91.189.92.202, A 91.189.92.201, A 91.189.92.200, A 91.189.92.177, A 91.189.92.176, A 91.189.92.156, A 91.189.91.15, A 91.189.91.14 (180) 01:04:05.022927 IP precise.52759 > penfold.dryft.net.domain: 714+ A? archive.ubuntu.com. (36) 01:04:05.022979 IP penfold.dryft.net.domain > precise.52759: 714 9/0/0 A 91.189.91.14, A 91.189.91.13, A 91.189.92.202, A 91.189.92.201, A 91.189.92.200, A 91.189.92.177, A 91.189.92.176, A 91.189.92.156, A 91.189.91.15 (180) 01:04:05.023466 IP precise.58912 > orobas.canonical.com.http: Flags [S], seq 3617406778, win 14600, options [mss 1460,sackOK,TS val 10552514 ecr 0,nop,wscale 7], length 0 01:04:05.023602 IP precise.42947 > penfold.dryft.net.domain: 15440+ PTR? 14.91.189.91.in-addr.arpa. (43) 01:04:05.215907 IP penfold.dryft.net.domain > precise.42947: 15440 1/0/0 PTR orobas.canonical.com. (77) 01:04:05.294031 IP orobas.canonical.com.http > precise.58912: Flags [S.], seq 2366925927, ack 3617406779, win 14480, options [mss 1460,sackOK,TS val 680841089 ecr 10552514,nop,wscale 8], length 0 01:04:05.294068 IP precise.58912 > orobas.canonical.com.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 10552581 ecr 680841089], length 0 01:04:05.294481 IP precise.58912 > orobas.canonical.com.http: Flags [.], seq 1:1449, ack 1, win 115, options [nop,nop,TS val 10552581 ecr 680841089], length 1448 01:04:05.294515 IP penfold.dryft.net > precise: ICMP orobas.canonical.com unreachable - need to frag (mtu 1492), length 556 01:04:05.294626 IP precise.58912 > orobas.canonical.com.http: Flags [P.], seq 1449:2014, ack 1, win 115, options [nop,nop,TS val 10552581 ecr 680841089], length 565 01:04:05.294656 IP precise.58912 > orobas.canonical.com.http: Flags [.], seq 1:1441, ack 1, win 115, options [nop,nop,TS val 10552581 ecr 680841089], length 1440 01:04:05.294661 IP precise.58912 > orobas.canonical.com.http: Flags [.], seq 1441:1449, ack 1, win 115, options [nop,nop,TS val 10552581 ecr 680841089], length 8 01:04:05.570168 IP orobas.canonical.com.http > precise.58912: Flags [.], ack 1, win 57, options [nop,nop,TS val 680841158 ecr 10552581,nop,nop,sack 1 {1449:2014}], length 0 01:04:05.592570 IP orobas.canonical.com.http > precise.58912: Flags [.], ack 1441, win 68, options [nop,nop,TS val 680841163 ecr 10552581,nop,nop,sack 1 {1449:2014}], length 0 01:04:05.616707 IP orobas.canonical.com.http > precise.58912: Flags [.], ack 2014, win 68, options [nop,nop,TS val 680841163 ecr 10552581], length 0 01:04:05.651831 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173 01:04:08.687872 IP 10.23.1.250.42126 > 255.255.255.255.7437: UDP, length 173