Ramblings of an aging IT geek

small pings work, big ones don't

A short note on the classic MTU symptom where small packets sail through and large ones vanish, and the one-line ping that proves it before you waste an afternoon.

The symptom looked impossible. SSH worked. ping worked. But a git clone hung at the same point every time, and a particular page would not load past its first few kilobytes. Things that send small packets were fine. Things that send big ones were not. That pattern, half-working in a way that tracks packet size, is MTU until proven otherwise.

The proof is one command. Send a big packet with the don't-fragment bit set and see if it survives:

ping -M do -s 1472 192.0.2.1

1472 bytes of payload plus 28 bytes of headers is exactly 1500, the standard Ethernet MTU. If that comes back fine but bumping -s by one fails, you have found your ceiling. In my case even 1472 failed, because a tunnel in the path was eating 50-odd bytes of overhead and the effective MTU was nearer 1400. Nothing logged an error. The packets were simply dropped, silently, because the path could not carry them and Path MTU Discovery was being swallowed by a firewall somewhere that blocked the ICMP that would have told me so.
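
Finding that ceiling by hand means bumping -s up and down until it stops working. The script below is an added example, not part of the original post: it binary-searches the largest don't-fragment payload that gets a reply and adds the 28 bytes of headers back to give the path MTU. It assumes Linux iputils ping and IPv4, and the function names (probe, find_max_payload, path_mtu) are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): binary-search the largest ICMP
# payload that crosses a path with don't-fragment set.
# Assumes Linux iputils ping and IPv4, as in the one-liner above.

# probe SIZE HOST: succeed if a DF echo with SIZE payload bytes gets a reply.
# Two packets per size, so one ordinary loss is not read as an MTU limit.
probe() {
    ping -M do -c 2 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LO] [HI] [PROBE_CMD]
# Prints the largest payload in LO..HI that PROBE_CMD accepts. Returns 1 if
# even LO fails (host down or echo filtered), since no size can be measured.
find_max_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472} probe_cmd=${4:-probe}
    "$probe_cmd" "$lo" "$host" || return 1
    # Invariant: lo is known to pass; sizes above hi failed or are out of range.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe_cmd" "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD: add back the 28 bytes of IPv4 + ICMP headers.
path_mtu() {
    echo $(( $1 + 28 ))
}

# Only probe the network when a host is given as the first argument.
if [ -n "${1:-}" ]; then
    if payload=$(find_max_payload "$1"); then
        echo "largest DF payload: $payload, path MTU: $(path_mtu "$payload")"
    else
        echo "no reply even to the smallest probe" >&2
        exit 1
    fi
fi
```

Run it with the far-end host as the only argument; the path MTU it prints is the number to compare against the interface MTU.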

The fix was to drop the interface MTU to match the path. Unglamorous. But it is worth keeping the symptom filed away, because MTU mismatches never announce themselves. They just make a subset of your traffic quietly disappear and let you blame everything else first.