<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Differences btn sysopt connection tcp-mss / tcp-map exceed-mss allow in ASA in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737706#M1001099</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a bit confused. We are looking into troubleshooting some issues with MSS, and I came across 2 parameters which I am not sure both serve the same purpose....&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) sysopt connection tcpmss 1380&lt;/P&gt;&lt;P&gt;According to Cisco's description, this sets the maximum MSS to a value of 1380. Does this imply that in a connection from one interface leg of the firewall to another, the MSS value btn two hosts will never "negotiate" above 1380? [In a sense, the firewall intercepts messages and changes the TCP MSS value to 1380 during the TCP handshake?] Or is this feature only complementary to IPsec and VPN issues?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) tcp-exceed warning. The TCP exceed warning occurs if btn a handshake the receiver or the sender transmits data with a value higher or lower than the value mutually agreed during the TCP handshake. Does this "mutually" agreed value, though, have anything to do with the value of the sysopt? Or does it "stand" by itself?&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 10:54:58 GMT</pubDate>
    <dc:creator>pavlosd</dc:creator>
    <dc:date>2019-03-11T10:54:58Z</dc:date>
    <item>
      <title>Differences btn sysopt connection tcp-mss / tcp-map exceed-mss allow in ASA</title>
      <link>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737706#M1001099</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a bit confused. We are looking into troubleshooting some issues with MSS, and I came across 2 parameters which I am not sure both serve the same purpose....&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1) sysopt connection tcpmss 1380&lt;/P&gt;&lt;P&gt;According to Cisco's description, this sets the maximum MSS to a value of 1380. Does this imply that in a connection from one interface leg of the firewall to another, the MSS value btn two hosts will never "negotiate" above 1380? [In a sense, the firewall intercepts messages and changes the TCP MSS value to 1380 during the TCP handshake?] Or is this feature only complementary to IPsec and VPN issues?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) tcp-exceed warning. The TCP exceed warning occurs if btn a handshake the receiver or the sender transmits data with a value higher or lower than the value mutually agreed during the TCP handshake. Does this "mutually" agreed value, though, have anything to do with the value of the sysopt? Or does it "stand" by itself?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 10:54:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737706#M1001099</guid>
      <dc:creator>pavlosd</dc:creator>
      <dc:date>2019-03-11T10:54:58Z</dc:date>
    </item>
    <item>
      <title>Re: Differences btn sysopt connection tcp-mss / tcp-map exceed-m</title>
      <link>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737707#M1001101</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think the sysopt connection tcpmss value is only for IPsec and VPN. The tcp-exceed warning has nothing to do with the sysopt connection tcpmss value.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 14 Aug 2007 17:08:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737707#M1001101</guid>
      <dc:creator>wong34539</dc:creator>
      <dc:date>2007-08-14T17:08:23Z</dc:date>
    </item>
    <item>
      <title>Re: Differences btn sysopt connection tcp-mss / tcp-map exceed-m</title>
      <link>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737708#M1001104</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The sysopt connection tcpmss value is related to all TCP connections through the PIX/ASA, even if they are tunneled through VPN or if they go from local to local LAN PIX/ASA interfaces.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The tcp-exceed is there to verify that the MSS value agreed btn two peers is not violated. So the maximum tcp-exceed value the PIX/ASA will allow is the value of "sysopt connection tcpmss value" + 20 (TCP HDR) + 20 (IP HDR).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If someone is not using any VPN tunneling then it is safe to change the value of tcpmss to 1460 (+20 +20 = 1500).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 01 Sep 2007 13:49:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/differences-btn-sysopt-connection-tcp-mss-tcp-map-exceed-mss/m-p/737708#M1001104</guid>
      <dc:creator>pavlosd</dc:creator>
      <dc:date>2007-09-01T13:49:45Z</dc:date>
    </item>
  </channel>
</rss>

