I am moving a PPPOE-based internet connection from an FTDv running 6.4.0.8-28 on ESXi to a 6.6.5-13 FTDv running on the same ESXi host. The only other difference is the old was managed by an FMC, the new is managed locally (FDM).

On the original FTD I never changed the outside interface MTU (it's at 1500). On the new FTD I tried lowering the MTU to 1452.

On the old connection, Path MTU Discovery works.

Verification: I cannot ping out to the internet with a full 1500-byte packet with the DF bit set, but I have no connectivity issues (standard web browsing) because (I assume) PMTUD works and lowers my PC's transmission units to stay under what the pppoe connection supports.

When I cut over to the new connection (FTDv 6.6) there are many websites that don't work. Looking at the ASP drops on the FTDv I see it dropping packets with errors stating fragmentation required but df-bit set.

To confirm the issue I hard-coded my PC MTU to 1450 and I have no problem browsing websites. As soon as I set it to 1500 I have problems. It sounds to me like PMTUD is broken when traffic flows through the new FTD.

I also tried a 7.0 FTDv with the same results.

On the new connection I did a packet capture on my PC. I can see packets leaving my PC @ 1514 bytes. I see ICMP Destination unreachable (Fragmentation needed) packets from the firewall.

As soon as I move the connection to the old firewall, no change to the PC, I run a capture and never see a single ICMP Dest Unreachable and the max size I ever see leave the PC is 1434 bytes.

I don't get what's happening, any thoughts?

Thanks!