diff --git a/cstp.c b/cstp.c
index c1311981..8cca637a 100644
--- a/cstp.c
+++ b/cstp.c
@@ -886,18 +886,21 @@ int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	   and add POLLOUT. As it is, though, it'll just chew CPU time in that
 	   fairly unlikely situation, until the write backlog clears. */
 	while (1) {
-		int len = MAX(16384, vpninfo->deflate_pkt_size ? : vpninfo->ip_info.mtu);
-		int payload_len;
+		/* Some servers send us packets that are larger than
+		   negotiated MTU. We reserve some extra space to
+		   handle that */
+		int receive_mtu = MAX(16384, vpninfo->deflate_pkt_size ? : vpninfo->ip_info.mtu);
+		int len, payload_len;
 
 		if (!vpninfo->cstp_pkt) {
-			vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + len);
+			vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + receive_mtu);
 			if (!vpninfo->cstp_pkt) {
 				vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));
 				break;
 			}
 		}
 
-		len = ssl_nonblock_read(vpninfo, vpninfo->cstp_pkt->cstp.hdr, len + 8);
+		len = ssl_nonblock_read(vpninfo, vpninfo->cstp_pkt->cstp.hdr, receive_mtu + 8);
 		if (!len)
 			break;
 		if (len < 0)
diff --git a/esp.c b/esp.c
index 30de764d..e9760c43 100644
--- a/esp.c
+++ b/esp.c
@@ -106,10 +106,14 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in];
 	struct esp *old_esp = &vpninfo->esp_in[vpninfo->current_esp_in ^ 1];
 	struct pkt *this;
-	int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256);
 	int work_done = 0;
 	int ret;
 
+	/* Some servers send us packets that are larger than negotiated
+	   MTU, or lack the ability to negotiate MTU (see gpst.c). We
+	   reserve some extra space to handle that */
+	int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256);
+
 	if (vpninfo->dtls_state == DTLS_SLEEPING) {
 		if (ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + vpninfo->dtls_attempt_period)
 		    || vpninfo->dtls_need_reconnect) {
diff --git a/gpst.c b/gpst.c
index 1cd98644..97207f9f 100644
--- a/gpst.c
+++ b/gpst.c
@@ -1014,7 +1014,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
 		goto do_reconnect;
 
 	while (1) {
-		int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256);
+		/* Some servers send us packets that are larger than
+		   negotiated MTU. We reserve some extra space to
+		   handle that */
+		int receive_mtu = MAX(16384, vpninfo->ip_info.mtu);
 		int len, payload_len;
 
 		if (!vpninfo->cstp_pkt) {