When a client downloads a file from an HTTP server behind the DNAT gateway, the following sequence of events occurs:
1. The usual TCP connection establishment (SYN, SYN-ACK, ACK) proceeds normally; the gateway remaps the server's IP address correctly in both directions.
2. The client sends a single TCP segment carrying the HTTP GET, and this is also DNATed correctly to the server.
3. The server sends one large packet (often exactly the size of two MTU-sized packets) without segmenting it. The packet reaches the gateway but is not forwarded across it.
4. The gateway sends an ICMP Type 3 Code 4 (Destination Unreachable: Fragmentation Needed) message back to the server.
5. After a considerable delay the server retransmits the data from event 3, this time split into two segments.
6. The gateway forwards these to the client.
7. The client ACKs them and the transfer continues, albeit excruciatingly slowly, since subsequent segments go through roughly the same cycle: rejected by the gateway, a retransmission timeout on the server, resent in smaller segments, then forwarded.
This only happens when the gateway and the server are on the same host. That is consistent with TCP segmentation offload (TSO): the server's TCP stack emits a segment larger than the MTU and leaves the split to the NIC, but when the next hop is a virtual interface on the same host no physical NIC ever touches the packet, so the gateway's forwarding path receives the oversized datagram intact. Because the segment carries the DF bit, the gateway cannot fragment it and instead rejects it with the ICMP message of event 4.
This issue was resolved by:
1. disabling TSO on the server
2. moving the server to a different host from the gateway
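To make event 4 concrete, here is an added example (not code from the original report) that constructs an oversized, DF-marked TCP segment of the kind TSO hands to the network, builds the gateway's ICMP Type 3 Code 4 reply as RFC 792/1191 define it, and then decodes that reply: the Next-Hop MTU field and the quoted inner IP/TCP header that tell the sender which flow was rejected and how small it must segment. All addresses, ports, payload sizes and the 1500-byte link MTU are assumptions chosen for the illustration.

```python
"""Build and decode an ICMP Destination Unreachable / Fragmentation Needed
(Type 3, Code 4) message of the kind a gateway returns for an oversized DF
datagram. Added example for the DNAT/TSO write-up; all packet contents here
are constructed, not captured."""
import socket
import struct
from dataclasses import dataclass
from math import ceil
from typing import Optional

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IP_FLAG_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset word


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers.
    Over a header whose checksum field is already filled in, it returns 0 if valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, flags: int = IP_FLAG_DF) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_frag_needed(gateway: str, sender: str, offending: bytes, next_hop_mtu: int) -> bytes:
    """ICMP Type 3 Code 4 from the gateway back to the sender of the oversized datagram.
    RFC 1191 puts the Next-Hop MTU in the second 16-bit word after the checksum; the body
    quotes the original IP header plus the first 8 bytes of its payload (RFC 792)."""
    quoted = offending[:28]  # 20-byte IP header + TCP source port, dest port, sequence number
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(gateway, sender, IPPROTO_ICMP, icmp, flags=0)


@dataclass
class FragNeeded:
    gateway: str            # router that refused to forward the datagram
    next_hop_mtu: int       # MTU of the link it would have had to cross
    inner_src: str          # original datagram's source (the server in the write-up)
    inner_dst: str          # original datagram's destination (the client)
    inner_total_len: int    # how large the rejected datagram was
    df_set: bool            # DF is what stops the gateway from fragmenting instead
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_frag_needed(pkt: bytes) -> FragNeeded:
    """Decode an IPv4+ICMP datagram, verifying both checksums and the type/code."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_ICMP:
        raise ValueError("not an IPv4 ICMP datagram")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    icmp = pkt[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, _, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError(f"ICMP type {typ} code {code} is not Fragmentation Needed")
    quoted = icmp[8:]
    q_ver_ihl, _, q_len, _, q_flags, _, q_proto, _, q_src, q_dst = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    q_ihl = (q_ver_ihl & 0x0F) * 4
    src_port = dst_port = None
    if q_proto == IPPROTO_TCP and len(quoted) >= q_ihl + 4:
        src_port, dst_port = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return FragNeeded(socket.inet_ntoa(src), next_hop_mtu, socket.inet_ntoa(q_src),
                      socket.inet_ntoa(q_dst), q_len, bool(q_flags & IP_FLAG_DF), src_port, dst_port)


def segments_needed(inner_total_len: int, next_hop_mtu: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """How many MTU-sized TCP segments the rejected datagram must be resent as."""
    payload = inner_total_len - ip_hdr - tcp_hdr
    mss = next_hop_mtu - ip_hdr - tcp_hdr
    return ceil(payload / mss)


# Constructed sample (assumed addresses): two full 1460-byte segments of an HTTP response
# coalesced by TSO into a single 2960-byte DF datagram from the server to the client.
SERVER, CLIENT, GATEWAY = "192.0.2.10", "198.51.100.5", "203.0.113.1"
LINK_MTU = 1500
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 80, 51234, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) \
    + b"HTTP/1.1 200 OK\r\n".ljust(2920, b"x")
OVERSIZED = build_ipv4(SERVER, CLIENT, IPPROTO_TCP, TCP_SEGMENT)
ICMP_REPLY = build_frag_needed(GATEWAY, SERVER, OVERSIZED, LINK_MTU)

if __name__ == "__main__":
    info = parse_frag_needed(ICMP_REPLY)
    print(info)
    print("segments needed after PMTU update:", segments_needed(info.inner_total_len, info.next_hop_mtu))
```

The quoted inner header is what lets the server match the ICMP to the right socket and shrink its path MTU; a server that ignores or never receives it falls back to the retransmission timeout seen in event 5, which is where the delay comes from. To confirm the first fix on a Linux server, `ethtool -k <iface>` reports the current `tcp-segmentation-offload` setting and `ethtool -K <iface> tso off` disables it.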