MSS drops

andyjgoss
Level 1

We're experiencing strange behaviour whereby certain VPN users are being dropped when connecting from their home broadband, which only affects people with D-Link home routers. We are using Checkpoint VPN-1 for the VPN concentration, which must first pass through a PIX-525 running v7.0(6), and the PIX is dropping the connection with the error message 'MSS exceeded, MSS 1024, data 1360'.

It looks like the default MSS for the device is 1024 so I've increased it to 1370 and the PIX allowed the connections through. Now I'm getting 'MSS exceeded, MSS 1370, data 1460' and the PIX is dropping connections again.

Given the fact that the maximum segment size for TCP proxy connection is already fixed at 1380, will it create a problem if I keep increasing the minimum value?

By the way, users with Netgear / Belkin etc. home routers connect fine. Only affects users with D-Link home routers.

Any ideas what the optimum maximum and minimum segment size should be set to?

1 Reply

joe19366
Level 1

A best practice is to use the Cisco VPN Client's setmtu.exe utility to set the client computer's MTU to 1300.

This will prevent these types of issues.

This is the standard policy for our clients to avoid support issues such as this.

-Joe
