Ramblings of an aging IT geek
networking

the bug that was always mtu

A homelab connectivity problem where small packets worked and large ones silently vanished turned out to be an MTU mismatch.

A bundle of network cables behind a patch panel

SSH worked. ping worked. Web pages loaded their first packet and then hung forever, half-rendered, spinner turning. Some sites were fine, some were broken, and the pattern made no sense until it made all the sense in the world.

This is the classic MTU shape: small things pass, big things vanish. The handshake is tiny, so it completes. The first proper data packet is large, carries the Don't Fragment bit that path MTU discovery depends on, and exceeds the MTU of some link along the way. The router at that link can't fragment it, so it drops the packet and sends back an ICMP "fragmentation needed" message (type 3 code 4; for IPv6, Packet Too Big) carrying the smaller MTU, and a firewall that's blocking ICMP wholesale eats that message. The sender never learns what size to shrink to, retransmits the same oversized packet, and nothing tells you why. The connection just sits there politely waiting for packets that will never arrive.

The cause was a tunnel I'd stood up the week before. Encapsulation eats into your usable MTU, and I'd left the interface at 1500 like everything else, so frames that fit on the LAN were too big the moment they hit the tunnel. You can find the ceiling by hand:

ping -M do -s 1472 192.0.2.1   # 1472 + 28 = 1500, works
ping -M do -s 1473 192.0.2.1   # fails: "message too long"

Walk the size down until replies come back, add the 28 bytes of headers back (20 for IPv4, 8 for the ICMP echo; with IPv6 it's 48), and that's your path MTU. Note the two different failure modes: a "message too long" error comes from your own kernel and means the local interface MTU is the limit, while plain silence means something further along the path is dropping the probe and its ICMP report never reaches you, which is the black hole itself. I set the tunnel interface to 1420, clamped MSS on the firewall for good measure, and the half-loaded pages snapped into life.
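Scripting the probe, as an added example that is not from the original post: the bisection below does what the two ping lines above do by hand, treats a timed-out probe the same as a "message too long" error (so it still converges through an ICMP black hole), uses a router's advertised MTU to cap the search when one does answer, and derives the MSS to clamp to. The ping flags used (-4/-6, -c, -W, -M do, -s) are Linux iputils; pulling the hop MTU out of ping's error text with an "mtu=NNNN" regex is an assumption about its output format. The simulated path is constructed so the script runs offline.

```python
import re
import subprocess
from typing import Callable, Optional, Tuple

# What ping adds on top of its -s payload: IP header plus the 8-byte ICMP echo header.
ICMP_OVERHEAD = {4: 20 + 8, 6: 40 + 8}
# What a TCP segment needs for IP + TCP headers (no options); MSS = MTU minus this.
TCP_OVERHEAD = {4: 20 + 20, 6: 40 + 20}

# Outcomes of one DF-set probe.
REPLY, FRAG_NEEDED, TIMEOUT = "reply", "frag-needed", "timeout"
Probe = Callable[[int], Tuple[str, Optional[int]]]  # payload -> (outcome, mtu hint)


def find_path_mtu(probe: Probe, family: int = 4, lo: int = 0,
                  hi: Optional[int] = None) -> Tuple[int, int]:
    """Bisect the largest ping payload that still gets a reply, then add the headers back.

    Returns (path_mtu, probes_sent). A router's "Frag needed" and dead silence both
    count as "too big", so the search converges even through an ICMP black hole; when
    a router does answer, its advertised MTU only caps the range (a later hop may be
    smaller still, so the hint is an upper bound, not the answer).
    """
    if hi is None:
        hi = 1500 - ICMP_OVERHEAD[family]   # a full 1500-byte frame on the local LAN
    probes = 1
    if probe(lo)[0] != REPLY:
        raise RuntimeError(f"even a {lo}-byte payload gets no reply; not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        outcome, hint = probe(mid)
        probes += 1
        if outcome == REPLY:
            lo = mid
        elif outcome == FRAG_NEEDED and hint:
            hi = min(mid - 1, hint - ICMP_OVERHEAD[family])
        else:                                # TIMEOUT, or frag-needed without a usable hint
            hi = mid - 1
    return lo + ICMP_OVERHEAD[family], probes


def mss_for_mtu(mtu: int, family: int = 4) -> int:
    """The MSS to clamp to so a full-size TCP segment fits the path MTU."""
    return mtu - TCP_OVERHEAD[family]


def simulated_path(path_mtu: int, family: int = 4, icmp_blocked: bool = True) -> Probe:
    """Constructed stand-in for a network whose narrowest hop has MTU path_mtu."""
    def probe(payload: int):
        if payload + ICMP_OVERHEAD[family] <= path_mtu:
            return REPLY, None
        if icmp_blocked:
            return TIMEOUT, None            # the black hole: the drop is never reported
        return FRAG_NEEDED, path_mtu        # healthy path: type 3 code 4 with the hop's MTU
    return probe


def ping_probe(host: str, family: int = 4, timeout_s: int = 1) -> Probe:
    """Real probe via Linux iputils ping (-M do sets DF). Assumes the error text carries
    'mtu=NNNN' or 'mtu = NNNN', as iputils prints for both the local "message too long"
    and a router's "Frag needed" report."""
    def probe(payload: int):
        cmd = ["ping", f"-{family}", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
        run = subprocess.run(cmd, capture_output=True, text=True)
        if run.returncode == 0:
            return REPLY, None
        m = re.search(r"mtu\s*=\s*(\d+)", run.stdout + run.stderr)
        return (FRAG_NEEDED, int(m.group(1))) if m else (TIMEOUT, None)
    return probe


if __name__ == "__main__":
    for blocked in (True, False):
        mtu, n = find_path_mtu(simulated_path(1420, icmp_blocked=blocked))
        print(f"icmp_blocked={blocked}: path MTU {mtu} after {n} probes, "
              f"clamp MSS to {mss_for_mtu(mtu)}")
    # Against a real host: find_path_mtu(ping_probe("192.0.2.1"))
```

Both simulated runs land on 1420; the difference is only that the healthy path gets there in fewer probes because the router's hint narrows the range. With the number in hand, the two fixes from the post are, on Linux, an `ip link set dev <tunnel> mtu 1420` for the interface and a clamp on the firewall such as `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` (or `--set-mss` with the value `mss_for_mtu` gives, 1380 for a 1420 IPv4 path); the clamp protects hosts behind the firewall that you can't reconfigure.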

MTU is the silent killer because it never throws a clean error. It just makes some things slow, some things broken, and all of it intermittent. Whenever "small works, large hangs," stop guessing, check the MTU first, and check that your firewall lets ICMP fragmentation-needed messages through so path MTU discovery can do its job. It's almost always the MTU.