https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538355#M636155 <HTML><HEAD></HEAD><BODY><P>Hi Mitang,</P><P></P><P>You can change the access-list as :</P><P></P><PRE><SPAN style="font-family: arial, helvetica, sans-serif; ">pixfirewall(config)#access-list http-list2 permit tcp host <REMOTE location="" ip=""> <PORT> host <SERVER ip=""> <PORT>.</PORT></SERVER></PORT></REMOTE></SPAN></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif; "><BR /></SPAN></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif;">The following will help you understand the configuration : </SPAN> <STRONG>MSS exceeded :</STRONG></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif; ">To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode. </SPAN><STRONG> </STRONG></PRE><DIV> </DIV><DIV><STRONG>set connection advanced-options :</STRONG></DIV><DIV><DIV><SPAN>To specify advanced TCP connection options within a policy-map for a traffic class, </SPAN></DIV><DIV><SPAN>use the set connection advanced-options command in class mode. </SPAN></DIV><DIV><SPAN>To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.</SPAN></DIV><DIV><SPAN>set connection advanced-options tcp-mapname no set connection advanced-options tcp-mapname</SPAN></DIV></DIV><PRE></PRE><P></P><P>Do tell me if you need any further help.</P><P></P><P>Regards,</P><P>Rahul</P></BODY></HTML> Tue, 28 Sep 2010 12:59:15 GMT rmavila 2010-09-28T12:59:15Z https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538352#M636064 <P>&nbsp;&nbsp; Hello,</P><P></P><P>i have asa 5540 and we are copy file from remote location to local server, we got Log on asa thats below</P><P></P><P>Dropping TCP packet from outside: dest_ip to DMZ:Ip , reasone : MSS exceeded, MSS 1380, DATA 1480</P><P></P><P>What is the reason of exceed ?</P><P></P><P>We are able to login sucessfully.</P><P></P><P>Thanks and Regards</P><P></P><P>Mitang R Prajapati.</P> Mon, 11 Mar 2019 18:45:35 GMT https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538352#M636064 mitang.prajapati 2019-03-11T18:45:35Z https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538353#M636084 <HTML><HEAD></HEAD><BODY><P>Hi Mitang,</P><P></P><P>You can please try the below :</P><P></P><P><SPAN style="white-space: pre;">Configure access-list to match the traffic and apply it in a policy map as follows :</SPAN></P><P><PRE><SPAN style="font-family: arial, helvetica, sans-serif;"> pixfirewall(config)#access-list http-list2 permit tcp any any (or you can change the ACL to whatever traffic you want to allow the MSS for) </SPAN><PRE><SPAN style="font-family: arial, helvetica, sans-serif;">pixfirewall(config)#class-map http-map1 pixfirewall(config-cmap)#match access-list http-list2 pixfirewall(config-cmap)#exit pixfirewall(config)#tcp-map mss-map pixfirewall(config-tcp-map)#exceed-mss allow pixfirewall(config-tcp-map)#exit pixfirewall(config)#policy-map http-map1 pixfirewall(config-pmap)#class http-map1 pixfirewall(config-pmap-c)#set connection advanced-options mss-map pixfirewall(config-pmap-c)#exit pixfirewall(config-pmap)#exit pixfirewall(config)#service-policy http-map1 interface outside</SPAN></PRE> </PRE></P><P></P><P>Do tell me how it goes.</P><P></P><P>Regards</P><P>Rahul</P></BODY></HTML> Mon, 27 Sep 2010 11:22:09 GMT https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538353#M636084 rmavila 2010-09-27T11:22:09Z https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538354#M636127 <HTML><HEAD></HEAD><BODY><P>Hello rahul,</P><P></P><P>thanks for support,</P><P></P><P>We are not allowed on ASA 5540 firewall to permit any any .</P><P></P><P>could you tell me what purpose of this configuration ?</P><P></P><P>Regards</P><P>Mitang </P></BODY></HTML> Tue, 28 Sep 2010 03:21:18 GMT https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538354#M636127 mitang.prajapati 2010-09-28T03:21:18Z https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538355#M636155 <HTML><HEAD></HEAD><BODY><P>Hi Mitang,</P><P></P><P>You can change the access-list as :</P><P></P><PRE><SPAN style="font-family: arial, helvetica, sans-serif; ">pixfirewall(config)#access-list http-list2 permit tcp host <REMOTE location="" ip=""> <PORT> host <SERVER ip=""> <PORT>.</PORT></SERVER></PORT></REMOTE></SPAN></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif; "><BR /></SPAN></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif;">The following will help you understand the configuration : </SPAN> <STRONG>MSS exceeded :</STRONG></PRE><PRE><SPAN style="font-family: arial, helvetica, sans-serif; ">To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode. </SPAN><STRONG> </STRONG></PRE><DIV> </DIV><DIV><STRONG>set connection advanced-options :</STRONG></DIV><DIV><DIV><SPAN>To specify advanced TCP connection options within a policy-map for a traffic class, </SPAN></DIV><DIV><SPAN>use the set connection advanced-options command in class mode. </SPAN></DIV><DIV><SPAN>To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.</SPAN></DIV><DIV><SPAN>set connection advanced-options tcp-mapname no set connection advanced-options tcp-mapname</SPAN></DIV></DIV><PRE></PRE><P></P><P>Do tell me if you need any further help.</P><P></P><P>Regards,</P><P>Rahul</P></BODY></HTML> Tue, 28 Sep 2010 12:59:15 GMT https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538355#M636155 rmavila 2010-09-28T12:59:15Z https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538356#M636186 <HTML><HEAD></HEAD><BODY><P>Just&nbsp; another option, you can leverage the <STRONG class="cCN_CmdName"><EM>sysopt connection tcpmss</EM></STRONG><STRONG class="cCN_CmdName"> </STRONG><SPAN class="cCN_CmdName">command to increase the maximum segment size on a global level if desired.&nbsp; Cisco sets the MSS for ASA down to 1380 largely because of it's role as a flexible appliance (ex. for VPN reasons).&nbsp; When I do deployments for non-VPN purposes, I always bump my MSS size up to allow for full 1500 MTU.</SPAN></P><P></P><P>Thanks,</P><P>Christopher</P></BODY></HTML> Wed, 29 Sep 2010 22:53:35 GMT https://community.cisco.com/t5/network-security/mss-exceeded/m-p/1538356#M636186 Christopher.Hayre 2010-09-29T22:53:35Z