Cloudflare One Client now supports Dynamic Path MTU Discovery for improved network resilience
Cloudflare · feature, platform, performance · blog.cloudflare.com

Solving the "Silent Drop" Problem

Network connectivity often fails silently when encrypted packets exceed the maximum transmission unit (MTU) supported by a network path. The "PMTUD Black Hole" occurs when older routers drop oversized packets but fail to send back the standard ICMP feedback messages that would tell the sender to reduce packet size. Users experience hung connections during large file uploads, video calls, or SSH sessions, with no clear cause.

This problem is particularly acute for the Cloudflare One Client, which adds encryption and metadata overhead to packets, increasing their size. While standard Ethernet typically supports 1500-byte packets, specialized networks like LTE/5G, satellite links, and first responder networks often have stricter limits (sometimes as low as 1300 bytes or less). Without proper feedback mechanisms, applications can get stuck in "zombie" states waiting for responses that never arrive.

Active Probing Replaces Passive Waiting

Rather than relying on fragile ICMP feedback loops, Cloudflare's implementation of RFC 8899 Datagram Packetization Layer Path MTU Discovery performs active, end-to-end path interrogation. The client, built on the MASQUE protocol and Cloudflare's open-source QUIC library, proactively sends encrypted probe packets of varying sizes to the Cloudflare edge.

The discovery process works by testing MTUs from the upper bound down to the midpoint, systematically narrowing down to the exact supported packet size. When the Cloudflare edge receives a probe, it acknowledges it; when a probe is lost, the client immediately knows that size exceeds the path's capacity. The client then dynamically resizes its virtual interface MTU and periodically revalidates the path capacity to handle seamless transitions between networks.
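The narrowing search described above can be simulated offline. This is an added sketch, not Cloudflare's client code: the `BlackHolePath` class, the function names, the size constants and the retry count are assumptions chosen for the example, and the retry loop goes slightly beyond the text so that ordinary packet loss is not mistaken for an MTU limit.

```python
import random

BASE_SIZE = 1200    # assumed known-good floor (example value)
UPPER_BOUND = 1500  # assumed local interface MTU (example value)
MAX_PROBES = 3      # assumed retries before a size is declared unsupported

class BlackHolePath:
    """Constructed path: silently drops packets above path_mtu, sends no ICMP."""

    def __init__(self, path_mtu, loss_rate=0.0, seed=0):
        self.path_mtu = path_mtu
        self.loss_rate = loss_rate
        self.rng = random.Random(seed)

    def probe(self, size):
        """Return True if the far end acknowledged a probe of `size` bytes."""
        if size > self.path_mtu:
            return False  # oversized: dropped with no feedback at all
        return self.rng.random() >= self.loss_rate  # ordinary random loss

def size_supported(path, size, log):
    """A size counts as unsupported only after MAX_PROBES consecutive losses."""
    for attempt in range(1, MAX_PROBES + 1):
        acked = path.probe(size)
        log.append((size, attempt, acked))
        if acked:
            return True
    return False

def discover_pmtu(path, low=BASE_SIZE, high=UPPER_BOUND):
    """Largest acknowledged size in [low, high], or None if even `low` fails."""
    log = []
    if size_supported(path, high, log):
        return high, log  # upper bound works, nothing to narrow
    if not size_supported(path, low, log):
        return None, log  # floor fails too: no usable size in range
    # Invariant: `low` was acknowledged, `high` was lost.
    while high - low > 1:
        mid = (low + high) // 2
        if size_supported(path, mid, log):
            low = mid
        else:
            high = mid
    return low, log

if __name__ == "__main__":
    mtu, probes = discover_pmtu(BlackHolePath(path_mtu=1300))
    print("discovered", mtu, "bytes after", len(probes), "probes")
```

Because a size is only accepted after an acknowledgement, random loss can make the result too small but never too large, which is why periodic revalidation matters.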

Real-World Impact

For mission-critical users like first responders, the improvement is substantial. Vehicle-mounted routers and CAD systems that navigate complex NAT traversal and priority-routing layers can maintain sticky connections that shield applications from underlying network volatility. For hybrid workers, the feature eliminates choppy video calls and stalled file transfers by optimizing packet flow in seconds, often before users notice a change.

Getting Started

The feature is available now for free to anyone using the Cloudflare One Client with the MASQUE protocol across Windows, macOS, Linux, iOS, and Android devices. Detailed configuration documentation is available in the Cloudflare developers portal to enable PMTUD on your organization's devices.