topic Re: ASA + MSS issue in Network Security

ASA + MSS issue

michelcaissie — Mon, 11 Mar 2019 12:49:13 GMT

Hi all,

I have some MSS issue with a ASA running 7.2

Here is the scenario

The client is a web browser (IE 6 or 7 )

The server is Appache ( don't know the version)

protocol is HTTPS - 443

When the client and the server are on the same vlan i get the following

MSS values;

During Syn - MSS proposed is 1460

During Ack - Syn MSS proposed is 1460

During Push - SSL data is 1460 bytes as expected

Now if move the browser outside a ASA running 7.2 i get the following MSS values

During Syn - MSS proposed is 1460

During Ack - Syn MSS proposed is 1380

During Push - SSL data is 536 bytes (the default values)

For some reason the client and server refuse to apply the proposed values

and the packets stays at the default values of 536 bytes.

I don't log any errors ( mss-exceeded or stuff like that)

I tried the following command but it didn't change anything

-sysopt connection tcpmss minimum 1380-

Anyone knows what to do to get better packet size ?

thanks

Re: ASA + MSS issue

Farrukh Haroon — Wed, 28 May 2008 09:40:23 GMT

Please have a look at this link, it should help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Please rate this post if you find it helpful

Regards

Farrukh

Re: ASA + MSS issue

michelcaissie — Wed, 28 May 2008 13:03:49 GMT

thanks for the link , but i was aware of it and the problem is not related to mss-exceeded.

The document says;

"A discovery has been made that there are a few HTTP servers on the Internet that do not honor the MSS that the client advertises".

It seems to be our case, but the server, instead of keeping a MSS of 1460 while the client is expecting 1380, it takes a MSS of 536. So we have the inverse of a mss-exceeded.

And 536 is the default MSS value before it gets changed after the MSS negociation. So for some reason the MSS proposals are dropped at the firewall , or the server refuse any proposal other than 1460.

Re: ASA + MSS issue

michelcaissie — Wed, 28 May 2008 17:04:34 GMT

Problem resolved;

Finally the problem was on the server . A misconfigured registry was disabling the Path MTU Discovery , forcing the packet size to 536

for all non-local destination IP addresses.

ref:

Windows 2000/XP

Note: The modification of the Windows NT TCP/IP parameters involves editing the registry. This should only be attempted by experienced system administrators because mistakes can render the system unbootable. After these registry changes are done, reboot to apply the changes.

Disable PMTUD:

PMTU discovery is enabled by default, but can be controlled with the addition of this value to the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

\EnablePMTUDiscovery

PMTU Discovery: 0 or 1 (Default = 1)

Data Type: DWORD

A "1" enables discovery while a "0" disables it. When PMTU discovery is disabled, a MTU of 576 bytes is used for all non-local destination IP addresses. The TCP MSS= 536.

When you set this parameter to 1 (True), it causes TCP to attempt to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. With the discovery of the Path MTU and the limitation of TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion.

Re: ASA + MSS issue

Farrukh Haroon — Thu, 29 May 2008 06:20:06 GMT

I'm glad to know that your problem is resolved now. It was Uncle Bill again.

Regards

Farrukh