Cloudflare One Client gains Dynamic Path MTU Discovery to prevent silent packet drops
Cloudflare · feature · sdk · performance · platform · blog.cloudflare.com

Solving the "Silent Drop" Problem

The Cloudflare One Client now implements Dynamic Path MTU Discovery (PMTUD) to address a persistent networking challenge: when packets exceed a network's maximum transmission unit (MTU), routers may silently drop them instead of sending error notifications. This "PMTUD Black Hole" causes mysterious connection hangs during file uploads, video calls, and SSH sessions, with no clear indication of the underlying issue.

How It Works

Rather than passively waiting for ICMP feedback messages that may never arrive—especially when firewalls block them—Cloudflare's implementation actively probes the network path:

  • Active probing: The client sends encrypted packets of varying sizes to detect the exact MTU limit
  • Dynamic adaptation: The virtual interface MTU automatically adjusts based on real-time network conditions
  • Seamless transitions: Users moving between networks (e.g., Wi-Fi to cellular) experience no interruption as the client re-validates capacity

The feature leverages Cloudflare's open-source QUIC library and the MASQUE protocol built into the One Client, enabling end-to-end path interrogation without relying on fragile legacy feedback mechanisms.
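The active-probing idea above, as an added example (not Cloudflare's code and not from the original post): a binary search over probe sizes against a constructed path model that drops oversized packets without any ICMP error. The class and function names, the 1500-byte ceiling, the three-attempt retry, and the use of 1281 as the search floor are assumptions made for illustration.

```python
FLOOR = 1281    # assumed search floor, taken from the page's stated lower bound
CEILING = 1500  # assumed ceiling: common Ethernet MTU

class BlackHolePath:
    """Constructed path model: oversized probes vanish, no ICMP is returned."""
    def __init__(self, hop_mtus, drop_every=0):
        self.hop_mtus = list(hop_mtus)
        self.drop_every = drop_every  # lose every Nth probe (unrelated loss)
        self.sent = 0

    def send_probe(self, size):
        """True if the probe was acknowledged, False on timeout.
        The sender cannot tell an MTU drop from ordinary loss."""
        self.sent += 1
        if size > min(self.hop_mtus):
            return False  # silent drop at the narrowest hop
        return not (self.drop_every and self.sent % self.drop_every == 0)

def probe_ok(path, size, attempts=3):
    # Retry so one unrelated loss is not mistaken for an MTU limit.
    return any(path.send_probe(size) for _ in range(attempts))

def discover_pmtu(path, floor=FLOOR, ceiling=CEILING):
    """Largest acknowledged size in [floor, ceiling], or None if even the
    floor-sized probe is never acknowledged (not an MTU problem to solve here)."""
    if not probe_ok(path, floor):
        return None
    lo, hi = floor, ceiling
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe_ok(path, mid):
            lo = mid       # acknowledged: the limit is at least mid
        else:
            hi = mid - 1   # timed out: treat mid as too large
    return lo

if __name__ == "__main__":
    path = BlackHolePath([1500, 1380, 1420], drop_every=3)
    print("initial path MTU:", discover_pmtu(path))
    path.hop_mtus = [1500, 1300]  # constructed network change, e.g. a new uplink
    print("after network change:", discover_pmtu(path))
```

Re-running the search after a network change is what lets the interface MTU follow the path instead of staying at a stale value.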

Real-World Impact

This enhancement is particularly valuable for mission-critical scenarios:

  • First responders: Vehicle-mounted routers navigating complex NAT environments and tower handoffs maintain stable connections to critical systems like Computer Aided Dispatch (CAD)
  • Hybrid workers: Remote employees in restrictive network environments (hotels, double-NAT scenarios, legacy middleboxes) experience stable video calls and file transfers without manual intervention
  • Specialized networks: Devices on LTE/5G, satellite links, and public safety networks like FirstNet can operate reliably despite sub-1500-byte MTU constraints

Availability

Path MTU Discovery is available immediately for all Cloudflare One Client users employing the MASQUE protocol. The feature supports MTUs above 1281 bytes and is fully documented in Cloudflare's deployment guides.