01-25-2006 11:08 AM - edited 02-21-2020 12:40 AM
I have been looking to see if PIX 6.3 has the same capabilities as listed in the following link.
http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Basically we deploy IPSec tunnels to various clients, on the routers we have found it is very effective to implement the following on our routers to account for the additional headers added by a tunnel...
interface Tunnel0
ip tcp adjust-mss 1370
This uses TCP to adjust the host MTU so I don't have to worry about packets being fragmented to pass through the tunnel.
I was wondering if anyone knows if there is an equivalent command on a PIX running 6.3 to do the same or if they perform this type of correction by default. I am only able to find this on the routers, nothing either way on the PIX.
Thanks!
02-18-2006 11:17 PM
you probably already found this, but to add my $0.02 to the table. the command is "sysopt connection tcpmss 1370", and the default MSS value for the PIX is 1380. i've only seen this useful in PPPoX VPN issues, unless there is an intermediate link MTU that could also be causing your problem. you might also look into using "transport" mode in place of "tunnel" mode (default) in your ipsec configs.
/karpenko/
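What `sysopt connection tcpmss` on the PIX and `ip tcp adjust-mss` on the router actually do to a passing SYN, as an added example that is not part of this thread: the MSS option is rewritten down to the configured ceiling (1370 here, against the PIX default of 1380) and the TCP checksum is recomputed. The addresses, ports and the 1460 sample MSS are constructed values; the option walk also handles NOP padding and a non-SYN segment, which carries no MSS and is left alone.

```python
import struct

def tcp_checksum(src, dst, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mss_offset(segment):
    """Walk the TCP options; return the offset of the MSS option (kind 2) or None."""
    end = (segment[12] >> 4) * 4          # data offset in 32-bit words
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding has no length byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return i
        i += length
    return None

def read_mss(segment):
    off = mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]

def clamp_mss(src, dst, segment, max_mss):
    """Lower an MSS above max_mss on a SYN (non-SYNs carry none) and fix the checksum."""
    seg = bytearray(segment)
    off = mss_offset(seg)
    if not seg[13] & 0x02 or off is None or read_mss(seg) <= max_mss:
        return bytes(seg)                  # nothing to clamp: return unchanged
    seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"               # zero the checksum field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)

def build_syn(src, dst, mss):
    """Constructed sample SYN: 20-byte header (data offset 6) plus a 4-byte MSS option."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", 2, 4, mss))
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

A valid segment verifies to a checksum of 0, which is the check used after clamping.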
01-31-2006 09:37 AM
To my knowledge , FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack.
02-13-2006 12:37 PM
There is a sysopt command on the PIX that does this, it's set to 1460 by default I think. Do `sh sysopt`; all the options are listed there.
Andy
03-11-2006 06:57 AM
Hey thanks for helping us out.
Signed,
Goatboy
03-02-2006 06:49 AM
sysopt connection tcpmss
The default
Good luck - Scott
03-17-2006 12:14 PM
Hi,
You can use sysopt connection tcpmss
Please rate if you find this useful
-Rakesh