Because Zerotier uses UDP, it doesn’t do path MTU discovery. Other applications just don’t see packets because there’s no way for them to know the packets are dropping (at least our packet captures show these failures for kerberos for instance). We didn’t see these issues using OpenVPN because we could use TCP which manages the MTU. While we’re working on setting up our own TCP relay for Zerotier, it does seem like this is a potential issue that zerotier ought to handle if they’re doing UDP, or it should actually use TCP by default to take care of this.
Specifically, we know “ping -s 1364 172.20.175.126” works but not with 1365 or above. Naively it looks like spectrum has their own layer of encapsulation and isn’t doing fragmentation, there’s some discussion of similar issues in the zerotier issues.
I guess from what I’ve seen, we’re stuck with one of two not super recommended things - either a TCP proxy, or setting the network MTU lower than 1364. Is there any other guidance?