09-27-2010 12:46 AM - edited 03-11-2019 11:45 AM
Hello,
I have an ASA 5540, and we are copying a file from a remote location to a local server. We got the log on the ASA shown below:
Dropping TCP packet from outside: dest_ip to DMZ:Ip , reasone : MSS exceeded, MSS 1380, DATA 1480
What is the reason for the exceed?
We are able to log in successfully.
Thanks and Regards
Mitang R Prajapati.
09-27-2010 04:22 AM
Hi Mitang,
Please try the below:
Configure an access-list to match the traffic and apply it in a policy map as follows:
pixfirewall(config)#access-list http-list2 permit tcp any any (or you can change the ACL to whatever traffic you want to allow the MSS for)
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside
Do tell me how it goes.
Regards
Rahul
09-27-2010 08:21 PM
Hello rahul,
thanks for the support.
We are not allowed to permit any any on the ASA 5540 firewall.
Could you tell me the purpose of this configuration?
Regards
Mitang
09-28-2010 05:59 AM
Hi Mitang,
You can change the access-list as follows:
pixfirewall(config)#access-list http-list2 permit tcp host host .
The following will help you understand the configuration:
MSS exceeded:
To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a
three-way handshake, use the exceed-mss command in tcp-map configuration mode.
Do tell me if you need any further help.
Regards,
Rahul
09-29-2010 03:53 PM
Just another option: you can leverage the sysopt connection tcpmss command to increase the maximum segment size on a global level if desired. Cisco sets the MSS for the ASA down to 1380 largely because of its role as a flexible appliance (e.g. for VPN reasons). When I do deployments for non-VPN purposes, I always bump my MSS size up to allow for a full 1500 MTU.
Thanks,
Christopher
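As an added example that is not part of the thread (and not Cisco's code), the following Python script ties the two answers together from a defender's side: it parses "MSS exceeded" drop messages like the one in the question, summarises them per flow so you can see which hosts are affected before loosening anything, and models the drop decision as the thread describes it (the peer's negotiated MSS, the global sysopt connection tcpmss clamp with its default of 1380, and the exceed-mss allow override in a tcp-map). The log lines are constructed; the timestamp, the %ASA-4-419001 syslog prefix and the port numbers are assumed framing, and the regex does not depend on them. The decision model is deliberately simplified.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log lines (not from the thread). The message text follows the
# line quoted in the question; timestamp, %ASA-4-419001 prefix and ports are assumed.
SAMPLE_LOG: List[str] = [
    "Sep 27 2010 00:40:12: %ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 "
    "to DMZ:10.1.1.20/51234, reason: MSS exceeded, MSS 1380, data 1480",
    "Sep 27 2010 00:40:13: %ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 "
    "to DMZ:10.1.1.20/51234, reason: MSS exceeded, MSS 1380, data 1460",
    "Sep 27 2010 00:40:15: %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to DMZ:10.1.1.20/51235 (10.1.1.20/51235)",
    "Sep 27 2010 00:40:20: %ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/22 "
    "to DMZ:10.1.1.30/40001, reason: MSS exceeded, MSS 1380, data 1500",
]

# Matches the drop message body; ports and the syslog prefix are optional so the
# pattern also fits the abbreviated form pasted in the question.
MSS_DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[\w-]+):\s*(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
    r"\s*to (?P<dst_if>[\w-]+):\s*(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"\s*,\s*reason\s*:\s*MSS exceeded,\s*MSS (?P<mss>\d+),\s*data (?P<data>\d+)",
    re.IGNORECASE,
)


@dataclass
class MssDrop:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    mss: int   # MSS the peer agreed to in the handshake
    data: int  # payload length of the dropped segment

    @property
    def excess(self) -> int:
        """How many bytes the segment overshot the negotiated MSS."""
        return self.data - self.mss


def parse_mss_drop(line: str) -> Optional[MssDrop]:
    """Return an MssDrop for an 'MSS exceeded' line, or None for any other message."""
    m = MSS_DROP_RE.search(line)
    if not m:
        return None
    return MssDrop(m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"],
                   int(m["mss"]), int(m["data"]))


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Per (src_ip, dst_ip) flow: (number of drops, largest excess seen).

    This is the triage view: it tells you which specific hosts need the narrow
    host-to-host ACL from the thread instead of a permit tcp any any."""
    flows: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for line in lines:
        drop = parse_mss_drop(line)
        if drop is None:
            continue
        key = (drop.src_ip, drop.dst_ip)
        count, worst = flows.get(key, (0, 0))
        flows[key] = (count + 1, max(worst, drop.excess))
    return flows


def effective_mss(peer_mss: int, tcpmss_limit: int = 1380) -> int:
    """MSS the ASA lets the peer advertise (simplified model, an assumption of this
    example): 'sysopt connection tcpmss N' clamps the SYN's MSS option down to N,
    the default being 1380; 0 disables the clamp."""
    if tcpmss_limit == 0:
        return peer_mss
    return min(peer_mss, tcpmss_limit)


def would_drop(data_len: int, peer_mss: int, tcpmss_limit: int = 1380,
               exceed_mss_allow: bool = False) -> bool:
    """Model the drop decision the thread discusses: a segment whose payload exceeds
    the negotiated MSS is dropped unless 'exceed-mss allow' is set in the tcp-map."""
    mss = effective_mss(peer_mss, tcpmss_limit)
    return data_len > mss and not exceed_mss_allow


if __name__ == "__main__":
    for flow, (count, worst) in summarize(SAMPLE_LOG).items():
        print(f"{flow[0]} -> {flow[1]}: {count} drop(s), worst excess {worst} bytes")
    print("default clamp, 1480-byte segment dropped:", would_drop(1480, 1460))
    print("with exceed-mss allow:", would_drop(1480, 1460, exceed_mss_allow=True))
    print("with sysopt tcpmss 0 (no clamp):", would_drop(1460, 1460, tcpmss_limit=0))
```

Running the summary first is the cheap way to answer the original question's "which traffic?" before choosing between Rahul's per-flow tcp-map exception and Christopher's global tcpmss change; the second keeps the packets flowing but also raises the MSS for every connection through the box, which matters if the same ASA terminates VPNs.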