https://community.cisco.com/t5/network-security/vpn-traffic-problem/m-p/924677#M959589 <P>Hello,</P><P></P><P>i've got a strange Problem. I can establish a Tunnel between an PIX 515e (8.0.3) and an ASA Device 5510 7.0.6 Ping works, HTTP for example throws MSS Exceed on the ASA. PIX and ASA configured to allow mss-exceed via service Policy. The Data Size is always about 1443 Bytes. The sysopt tcpmss value is set t o1380 which should be enough for payload and IPSEC Header. The error Message says MSS Exceed MSS 1260 Data bytes 1443 ... ??? What the Hell can i do the reduce the payload. Changing the MTU size doesn't help.</P><P>I discover that the Problem arrives if i do an upgrade to ASA/PIXOS later than 7.0.6 because i have a second l2l tunnel to an Checkpoint device and if i upgrade the asa, this tunnel doesn't wokr for large Packets..</P><P></P><P>Any help is need...</P><P></P><P>greetings markus</P> Mon, 11 Mar 2019 11:37:43 GMT helfrich 2019-03-11T11:37:43Z https://community.cisco.com/t5/network-security/vpn-traffic-problem/m-p/924677#M959589 <P>Hello,</P><P></P><P>i've got a strange Problem. I can establish a Tunnel between an PIX 515e (8.0.3) and an ASA Device 5510 7.0.6 Ping works, HTTP for example throws MSS Exceed on the ASA. PIX and ASA configured to allow mss-exceed via service Policy. The Data Size is always about 1443 Bytes. The sysopt tcpmss value is set t o1380 which should be enough for payload and IPSEC Header. The error Message says MSS Exceed MSS 1260 Data bytes 1443 ... ??? What the Hell can i do the reduce the payload. Changing the MTU size doesn't help.</P><P>I discover that the Problem arrives if i do an upgrade to ASA/PIXOS later than 7.0.6 because i have a second l2l tunnel to an Checkpoint device and if i upgrade the asa, this tunnel doesn't wokr for large Packets..</P><P></P><P>Any help is need...</P><P></P><P>greetings markus</P> Mon, 11 Mar 2019 11:37:43 GMT https://community.cisco.com/t5/network-security/vpn-traffic-problem/m-p/924677#M959589 helfrich 2019-03-11T11:37:43Z https://community.cisco.com/t5/network-security/vpn-traffic-problem/m-p/924678#M959590 <HTML><HEAD></HEAD><BODY><P>Check the config for allowing mss-exceed. Following is an example config:</P><P></P><P>access-list http-list permit ip any any</P><P>!</P><P>class-map http match </P><P> access-list http-list </P><P> exit</P><P>!</P><P>tcp-map tmap</P><P> exceed-mss allow</P><P> exit</P><P>!</P><P>policy-map global_policy</P><P> class http</P><P> set connection advanced-options tmap </P><P>!</P><P>service-policy global_policy global</P><P></P><P>Also check for the traffic that is being denied and check if you have configured this for the right traffic.</P></BODY></HTML> Mon, 10 Dec 2007 15:08:40 GMT https://community.cisco.com/t5/network-security/vpn-traffic-problem/m-p/924678#M959590 didyap 2007-12-10T15:08:40Z