Juju 3.6 TLS handshake timeout, preventing migration.

Everywhere that makes a TLS connection from what I can see.

I just set the go version to 1.22 in go.mod. I didn’t test any other functionality, so I wouldn’t rely on it working as expected.

The real fix here is getting people to configure their networks correctly, but that’s obviously not a realistic goal. One thing that would probably vastly reduce the likelihood of these things is if Canonical’s servers didn’t advertise that they accept jumbo frames in the TCP handshake.

My understanding is that, essentially, if ingress and egress for public APIs is done over interfaces with a 1500 MTU, this should be safe even if the end user has a botched configuration. This is because then the TCP handshake would ensure clients don’t attempt to send jumbo frames and Canonical’s API servers wouldn’t send jumbo frames back to them either, so we don’t have to rely on ICMP doing its magic unimpeded, and we don’t have to hope PMTUD works as intended.

So, I’ll let @awnns tell you the full story - but setting the MTU to 1500 on the controller machines explicitly stabilizes the situation. It took us about 2,5 weeks to get unblocked on this. Such a nightmare.
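
Added example (not part of the thread and not Juju code): a small Go model of the MSS reasoning in the posts above, showing why the TCP connection opens but a large TLS flight stalls when ICMP is filtered. The 9000/1500 MTU values, the 4000-byte and 300-byte flights, and the names `Endpoint` and `Simulate` are assumptions for illustration.

```go
package main

import "fmt"

const headers = 40 // IPv4 (20) + TCP (20) bytes, no options

// Endpoint is a hypothetical model of one TCP peer.
type Endpoint struct {
	Name string
	MTU  int // MTU of the interface its SYN leaves on
}

// Result of sending one handshake flight across the path.
type Result struct {
	MSS, PacketLen int
	Delivered      bool
	Reason         string
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// Simulate sends `flight` bytes (e.g. a TLS certificate chain) with DF set.
// Each peer advertises MTU-40 as MSS in its SYN; the smaller value wins.
func Simulate(a, b Endpoint, pathMTU, flight int, icmpBlocked bool) Result {
	mss := minInt(a.MTU, b.MTU) - headers
	r := Result{MSS: mss, PacketLen: minInt(mss, flight) + headers}
	switch {
	case r.PacketLen <= pathMTU:
		r.Delivered, r.Reason = true, "fits the path MTU"
	case !icmpBlocked:
		r.Delivered, r.Reason = true, "PMTUD: ICMP frag-needed arrives, sender shrinks"
	default:
		r.Reason = "black hole: dropped silently, handshake times out"
	}
	return r
}

func main() {
	jumbo, std := Endpoint{"jumbo", 9000}, Endpoint{"std", 1500}
	// Constructed scenarios: 1500-byte path, ICMP filtered.
	fmt.Printf("%+v\n", Simulate(jumbo, jumbo, 1500, 4000, true)) // large flight stalls
	fmt.Printf("%+v\n", Simulate(jumbo, jumbo, 1500, 300, true))  // small packets still pass
	fmt.Printf("%+v\n", Simulate(jumbo, std, 1500, 4000, true))   // MSS clamped to 1460
}
```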