ASA 5540 V7.1(2) MSS Exceeded and Pinhole Timeout

central_bank
Level 1

Hi,

On the ASA firewall mentioned above, I was getting the "MSS Exceeded, MSS 1380,data 1381" error whenever data was sent from 10.5.1.36 (behind the HTTP_SERVERS interface) to 10.20.1.36 on interface HTTP_SERVERS.

The following configuration was applied on the ASA to avoid this error:

access-list TEST permit tcp host 10.5.1.36 host 10.20.1.36

class-map HTTP_CLASS
 match access-list TEST

tcp-map HTTP_TCP_MAP
 exceed-mss allow

policy-map HTTP_POLICY_MAP
 class HTTP_CLASS
  set connection advanced-options HTTP_TCP_MAP

service-policy HTTP_POLICY_MAP interface HTTP_SERVERS

After applying this configuration, the MSS exceeded error has disappeared, but a new PINHOLE TIMEOUT error is being generated, as shown below:

302014: Teardown TCP connection 37774122 for HTTP_SERVERS:10.5.1.36/57189 to CBS:10.20.1.36/0 duration 0:02:01 bytes 0 Pinhole timeout

1 Reply

Maykol Rojas
Cisco Employee

Hello,

Is this valid traffic? I can see that the destination port in the log is 0; would you consider this valid traffic?

Thanks!

Mike
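
The teardown record from the post, parsed field by field so that the destination port 0 raised in the reply can be checked across a whole log rather than one line. This is an added example, not part of the original thread and not Cisco tooling; the regular expression covers only the 302014 layout shown in the post, and every sample line except the first is constructed.

```python
import re
from datetime import timedelta

# Constructed input: record 1 is the line quoted in the post; the rest are made up.
SAMPLE_LOG = """\
302014: Teardown TCP connection 37774122 for HTTP_SERVERS:10.5.1.36/57189 to CBS:10.20.1.36/0 duration 0:02:01 bytes 0 Pinhole timeout
302014: Teardown TCP connection 37774200 for HTTP_SERVERS:10.5.1.36/57190 to CBS:10.20.1.36/80 duration 0:00:07 bytes 5120 TCP FINs
this line is not a teardown record
"""

TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn_id>\d+)"
    r" for (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r" duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)"
    r" bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)

def parse_teardown(line):
    """Return the fields of one 302014 record as a dict, or None if no match."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    rec["duration"] = timedelta(hours=int(rec.pop("h")), minutes=int(rec.pop("m")), seconds=int(rec.pop("s")))
    rec["reason"] = (rec["reason"] or "").strip()
    return rec

def observations(rec):
    """List what stands out: port 0 (raised in the reply), no data, pinhole reason."""
    notes = []
    if rec["dst_port"] == 0:
        notes.append("destination port 0")
    if rec["bytes"] == 0:
        notes.append("0 bytes transferred")
    if rec["reason"].lower() == "pinhole timeout":
        notes.append("teardown reason: Pinhole timeout")
    return notes

def review(log_text):
    """Map connection id -> observations for every record that has any."""
    recs = filter(None, map(parse_teardown, log_text.splitlines()))
    return {r["conn_id"]: observations(r) for r in recs if observations(r)}

if __name__ == "__main__":
    for conn_id, notes in review(SAMPLE_LOG).items():
        print(conn_id, "->", "; ".join(notes))
```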
