cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1117
Views
0
Helpful
1
Replies
Beginner

ASA 5540 V7.1(2) MSS Exceeded and Pinhole Timeout

Hi,

On ASA firewall mentioned above I was getting "MSS Exceeded, MSS 1380,data 1381" error whenever data was sent from 10.5.1.36 (Behind HTTP_SERVERS interface) to 10.20.1.36 on interface HTTP_SERVERS

Following configuration is done n ASA to avoid this error

access-list TEST permit tcp   ho 10.5.1.36 ho 10.20.1.36

class-map HTTP_CLASS
match access-list TEST

tcp-map HTTP_TCP_MAP
exceed-mss allow


policy-map HTTP_POLICY_MAP
class HTTP_CLASS
set connection advanced-options HTTP_TCP_MAP


service-policy HTTP_POLICY_MAP interface HTTP_SERVERS

After applying this configuration, the MSS exceeded error is diappeared but the new PINHOLE TIMEOUT error is getting generated as shown below

302014: Teardown TCP connection 37774122 for HTTP_SERVERS:10.5.1.36/57189 to CBS:10.20.1.36/0 duration 0:02:01 bytes 0 Pinhole timeout

1 REPLY 1
Highlighted
Cisco Employee

Re: ASA 5540 V7.1(2) MSS Exceeded and Pinhole Timeout

Hello,

Is this valid traffic? I can see that the destination port on the log is 0, would you consider this a valid traffic?

Thanks!

Mike

Mike