https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488748#M1055420 <HTML><HEAD></HEAD><BODY><P>sysopt connection tcpmss <VALUE></VALUE></P><P></P><P>The default <VALUE> is 1380.</VALUE></P><P></P><P>Good luck - Scott</P></BODY></HTML> Thu, 02 Mar 2006 14:49:53 GMT scottvivian 2006-03-02T14:49:53Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488744#M1055407 <P>I have been looking to see if PIX 6.3 has the same capabilites as listed in the following link.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml" target="_blank">http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml</A></P><P></P><P>Basically we deploy IPSec tunnels to various clients, on the routers we have found it is very effective to implment the following on our routers to account for the additional headers added by a tunnel...</P><P></P><P>interface Tunnel0</P><P> ip tcp adjust-mss 1370</P><P></P><P>This uses TCP to adjust the host MTU so I don't have worry about packets being fragmented to pass through the tunnel.</P><P></P><P>I was wondering if anyone know if there is an equilivant command on a PIX running 6.3 to do the same or if the perform this type of correction by defualt. I am only able to find this on the routers, nothing either way on the PIX.</P><P></P><P>Thanks!</P> Fri, 21 Feb 2020 08:40:18 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488744#M1055407 pruhnke79 2020-02-21T08:40:18Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488745#M1055408 <HTML><HEAD></HEAD><BODY><P>To my knowledge , FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html</A></P></BODY></HTML> Tue, 31 Jan 2006 17:37:05 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488745#M1055408 mchin345 2006-01-31T17:37:05Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488746#M1055413 <HTML><HEAD></HEAD><BODY><P>There is a sysopt command on the PIX that does this, its set to 1460 by default I think. Do `sh sysopt' all the options are listed there.</P><P></P><P>Andy</P></BODY></HTML> Mon, 13 Feb 2006 20:37:22 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488746#M1055413 aacole 2006-02-13T20:37:22Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488747#M1055416 <HTML><HEAD></HEAD><BODY><P>you probably already found this, but to add my $0.02 to the table. the command is "sysopt connection tcpmss 1370", and the default MSS value for the PIX is 1380. i've only seen this useful in PPPoX VPN issues, unless there is an intermediate link MTU that could also be causing your problem. you might also looking into using "transport" mode in place of "tunnel" mode (default) in your ipsec configs.</P><P></P><P>/karpenko/</P></BODY></HTML> Sun, 19 Feb 2006 07:17:35 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488747#M1055416 jkarpenk 2006-02-19T07:17:35Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488748#M1055420 <HTML><HEAD></HEAD><BODY><P>sysopt connection tcpmss <VALUE></VALUE></P><P></P><P>The default <VALUE> is 1380.</VALUE></P><P></P><P>Good luck - Scott</P></BODY></HTML> Thu, 02 Mar 2006 14:49:53 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488748#M1055420 scottvivian 2006-03-02T14:49:53Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488749#M1055423 <HTML><HEAD></HEAD><BODY><P>Hey thanks for helping us out.</P><P>Signed,</P><P></P><P>Goatboy</P></BODY></HTML> Sat, 11 Mar 2006 14:57:11 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488749#M1055423 glenthms 2006-03-11T14:57:11Z https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488750#M1055425 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can use sysopt connection tcpmss <BYTES> command.</BYTES></P><P></P><P>Please rate if you find this useful</P><P></P><P>-Rakesh </P><P></P><P></P></BODY></HTML> Fri, 17 Mar 2006 20:14:31 GMT https://community.cisco.com/t5/network-security/pix-6-3-ipsec-tunnels-and-mss/m-p/488750#M1055425 hegderakesh 2006-03-17T20:14:31Z