I have an ASA 5540 and we are copying a file from a remote location to a local server. We got the log on the ASA shown below:
Dropping TCP packet from outside: dest_ip to DMZ:Ip , reason : MSS exceeded, MSS 1380, DATA 1480
What is the reason for the exceed?
We are able to log in successfully.
Thanks and Regards
Mitang R Prajapati.
Please try the below:
Configure an access-list to match the traffic and apply it in a policy map as follows:
pixfirewall(config)#access-list http-list2 permit tcp any any
(or you can change the ACL to whatever traffic you want to allow the MSS for)
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside
Do tell me how it goes.
Thanks for the support,
We are not allowed to permit any any on the ASA 5540 firewall.
Could you tell me the purpose of this configuration?
You can change the access-list as:
pixfirewall(config)#access-list http-list2 permit tcp host
The following will help you understand the configuration. MSS exceeded:
To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode.
Do tell me if you need any further help.
Just another option: you can leverage the sysopt connection tcpmss command to increase the maximum segment size on a global level if desired. Cisco sets the MSS for the ASA down to 1380 largely because of its role as a flexible appliance (e.g. for VPN reasons). When I do deployments for non-VPN purposes, I always bump my MSS up to allow for a full 1500 MTU.
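Putting the two suggestions in the thread together, here is a complete ASA configuration as an added example (not posted by anyone in the thread): the per-flow exceed-mss override scoped to a single host pair, which addresses the "no permit any any" restriction, alongside the global sysopt alternative from the last reply. The addresses 203.0.113.10 (remote outside host) and 10.0.0.20 (DMZ server), and all object names (mss-exceed-acl, mss-exceed-class, outside-policy), are placeholders chosen for the example; the file transfer protocol and port are not stated in the thread, so the ACL matches all TCP between the two hosts.

```cisco
! Added example, not from the thread. 203.0.113.10 and 10.0.0.20 are placeholder
! addresses for the remote outside host and the DMZ server.
!
! Option 1: per-flow override via the Modular Policy Framework, scoped to one host
! pair instead of "permit tcp any any". Only traffic matching this ACL bypasses the
! MSS check; everything else on the outside interface keeps the default drop.
access-list mss-exceed-acl extended permit tcp host 203.0.113.10 host 10.0.0.20
!
class-map mss-exceed-class
 match access-list mss-exceed-acl
!
tcp-map mss-map
 exceed-mss allow
!
! Only one service-policy can be attached per interface. If a policy-map is already
! applied to "outside", add the class to that policy-map instead of creating this one.
policy-map outside-policy
 class mss-exceed-class
  set connection advanced-options mss-map
!
service-policy outside-policy interface outside
!
! Option 2: global change. 1460 = 1500 byte MTU - 20 byte IP header - 20 byte TCP header,
! so endpoints on a plain Ethernet path are no longer clamped below what they negotiate.
! Leave the 1380 default in place if this ASA also terminates VPN tunnels; the last reply
! notes that the lower default exists for VPN reasons.
sysopt connection tcpmss 1460
!
! Verification
show running-config sysopt
show service-policy interface outside
show running-config access-list mss-exceed-acl
```

Option 1 changes behaviour only for connections that match the class: segments larger than the MSS negotiated in the handshake are forwarded instead of dropped, and the drop log stops appearing for that host pair. Option 2 changes what the ASA rewrites the MSS option to in every SYN it forwards, so it affects all TCP through the box; pick one approach rather than stacking both, and re-run the file copy after the change to confirm the "MSS exceeded" drops are gone.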