Dynamic Path MTU Discovery Now Available
Cloudflare has implemented Path MTU Discovery (PMTUD) in the Cloudflare One Client, addressing a long-standing networking problem where secure packets fail silently on networks with strict packet size limitations. Instead of relying on legacy ICMP feedback mechanisms that firewalls often block, the client now proactively probes the network path to discover optimal packet sizes.
The Problem: Silent Packet Drops
The "PMTUD Black Hole" occurs when encrypted packets exceed a network's maximum transmission unit (MTU) limit, but routers or middleboxes silently drop the packets without sending error feedback. This leaves applications in a "zombie" state waiting for responses that never arrive. The issue intensifies with modern encryption protocols that add metadata overhead, leaving less room for actual data within standard 1500-byte packets—particularly problematic on LTE/5G networks and specialized infrastructure like FirstNet that enforce lower MTU limits.
Active Probing Over Passive Waiting
Rather than waiting for ICMP error messages that may never arrive, Cloudflare's solution uses active, end-to-end interrogation built on the MASQUE protocol and QUIC. The client sends encrypted test packets of varying sizes to the Cloudflare edge to identify the exact MTU capacity of the network path. Once the optimal size is determined, the client dynamically resizes its virtual interface MTU and periodically validates the path capacity.
This enables seamless transitions when users move between networks—from a 1500-byte Wi-Fi connection to a 1300-byte cellular backhaul—without application interruption. The negotiation happens transparently in the background.
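The probing loop described above, as an added simulation that is not Cloudflare's client code: it searches for the largest probe size a black-holing path still acknowledges, then re-validates after the path changes from 1500 to 1300 bytes. The binary-search strategy, the 1280 to 1500 search bounds, the three retries and the BlackHolePath model are all assumptions made for illustration.

```python
"""Simulated active path-MTU probing (constructed example, not Cloudflare's code)."""
import random

MIN_MTU = 1280   # assumed search floor (IPv6 minimum link MTU)
MAX_MTU = 1500   # assumed search ceiling (standard Ethernet MTU)

class BlackHolePath:
    """Constructed path model: oversize probes vanish with no ICMP error."""
    def __init__(self, mtu, loss=0.0, seed=0):
        self.mtu, self.loss = mtu, loss
        self.rng = random.Random(seed)
        self.probes_sent = 0

    def probe(self, size):
        """Return True if the probe was acknowledged, False on timeout."""
        self.probes_sent += 1
        if size > self.mtu:
            return False                       # silent drop: the black hole
        return self.rng.random() >= self.loss  # ordinary loss also looks like a timeout

def probe_ok(path, size, retries=3):
    """Retry so a single lost packet is not mistaken for an MTU limit."""
    return any(path.probe(size) for _ in range(retries))

def discover_pmtu(path, lo=MIN_MTU, hi=MAX_MTU):
    """Binary-search the largest acknowledged probe size in [lo, hi]."""
    if not probe_ok(path, lo):
        return None                            # even the floor fails: no usable size
    while lo < hi:
        mid = (lo + hi + 1) // 2               # round up so the loop always shrinks
        if probe_ok(path, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def revalidate(path, current):
    """Periodic check: search upward if current still passes, downward if not."""
    if probe_ok(path, current):
        return discover_pmtu(path, lo=current)
    return discover_pmtu(path, hi=current - 1)

if __name__ == "__main__":
    path = BlackHolePath(mtu=1500)             # constructed Wi-Fi path
    mtu = discover_pmtu(path)
    path.mtu = 1300                            # constructed move to cellular backhaul
    print(mtu, "->", revalidate(path, mtu), "probes:", path.probes_sent)
```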
Real-World Impact
The improvement has direct implications for mission-critical use cases: first responders using vehicle-mounted routers can maintain stable CAD system connections during tower handoffs, and hybrid workers navigating complex international networks avoid choppy video calls and stalled file transfers.
Getting Started
Path MTU Discovery is available now for all Cloudflare One Client users with the MASQUE protocol enabled, at no additional cost. Detailed deployment documentation is available in the Cloudflare developer guides.