It seems the server is sending a TCP segment of 1413 bytes that does not reach the client. Smaller packets do reach the client, so it looks like a problem with the MTU/MSS over the VPN connection.
The MSS in the SYN and the SYN/ACK packets is 1460 on each end, which means they have not been altered by the VPN devices. But as they add a tunneling header, best practice is to adjust the MSS accordingly so that each side knows what size packets can be transported over the VPN without introducing fragmentation.
The IP packet from the server with the 1413 TCP segment has the don't fragment bit set, so I expect it needed to be fragmented by the VPN device on the server side and was therefore dropped. This should trigger an ICMP "fragmentation needed, but DF bit set" message, but often those get filtered out by the firewall and therefore the server can't recover from this.
Why it does work on the initial connection and why it does work if you change the IP address is something else to investigate, but for a quick fix I would:
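As an added example (not code from the original answer, and not part of any tool mentioned there), here is a small Python check that applies the reasoning above to a capture: it computes the MSS each side should advertise once the tunnel overhead is taken off the link MTU, flags SYN/SYN-ACK packets that still advertise an unclamped MSS, and classifies oversized data segments as fragmented, dropped-with-ICMP, or a PMTU black hole (dropped, DF set, and no "fragmentation needed" message seen). The 1500-byte link MTU, the 60-byte tunnel overhead, the addresses and the packet records are all constructed assumptions; real tunnel overhead depends on the VPN type and cipher.

```python
"""Added example: audit a capture for the MSS/MTU problem described in the answer.
The sample packets, addresses and tunnel overhead are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HDR = 20  # bytes, IPv4 header without options
TCP_HDR = 20   # bytes, TCP header without options (SYN options ignored; only full-size data matters)


@dataclass
class Segment:
    """One captured IPv4/TCP packet reduced to the fields that matter here."""
    src: str
    dst: str
    payload_len: int           # TCP payload bytes
    df: bool                   # IP "don't fragment" flag
    syn: bool = False
    mss: Optional[int] = None  # MSS option, present on SYN / SYN-ACK

    @property
    def ip_len(self) -> int:
        return IPV4_HDR + TCP_HDR + self.payload_len


@dataclass
class FragNeeded:
    """ICMP type 3 code 4 ("fragmentation needed and DF set") seen in the capture.
    It is sent back to the source of the oversized packet."""
    to: str
    next_hop_mtu: int


def recommended_mss(link_mtu: int, tunnel_overhead: int) -> int:
    """MSS each side should advertise so that a full-size segment, once the
    tunnel header is added, still fits the underlying link MTU."""
    path_mtu = link_mtu - tunnel_overhead
    return path_mtu - IPV4_HDR - TCP_HDR


def audit(segments: List[Segment], icmp: List[FragNeeded],
          link_mtu: int, tunnel_overhead: int) -> List[dict]:
    """Return one finding per unclamped MSS and per segment that exceeds the tunnel path MTU."""
    path_mtu = link_mtu - tunnel_overhead
    want_mss = recommended_mss(link_mtu, tunnel_overhead)
    findings = []
    for s in segments:
        if s.syn and s.mss is not None and s.mss > want_mss:
            findings.append({"kind": "mss_not_clamped", "src": s.src, "dst": s.dst,
                             "mss": s.mss, "recommended": want_mss})
        if s.ip_len > path_mtu:
            if not s.df:
                kind = "fragmented"          # allowed, but costs reassembly and may be filtered
            elif any(f.to == s.src for f in icmp):
                kind = "dropped_icmp_seen"   # sender can learn the path MTU and retry smaller
            else:
                kind = "pmtu_black_hole"     # dropped, and the sender never learns why
            findings.append({"kind": kind, "src": s.src, "dst": s.dst,
                             "ip_len": s.ip_len, "path_mtu": path_mtu})
    return findings


# Constructed sample capture (assumed addresses, not from the original question):
CLIENT, SERVER = "10.0.0.2", "192.0.2.10"
SAMPLE = [
    Segment(CLIENT, SERVER, 0, df=True, syn=True, mss=1460),   # SYN
    Segment(SERVER, CLIENT, 0, df=True, syn=True, mss=1460),   # SYN/ACK
    Segment(SERVER, CLIENT, 1413, df=True),                    # never reaches the client
    Segment(SERVER, CLIENT, 500, df=True),                     # does reach the client
]

if __name__ == "__main__":
    # Assumed: 1500-byte link MTU, 60 bytes of tunnel overhead -> path MTU 1440, MSS 1400
    for f in audit(SAMPLE, [], link_mtu=1500, tunnel_overhead=60):
        print(f)
```

With the assumed 60-byte overhead the 1413-byte segment (1453 bytes on the wire) exceeds the 1440-byte tunnel path MTU and, with DF set and no ICMP in the capture, shows up as a black hole, while the 500-byte segment passes; both handshake packets are reported for advertising 1460 where 1400 would fit.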