PIX 6.3 IPSec tunnels and MSS

pruhnke79
Level 1

I have been looking to see if PIX 6.3 has the same capabilities as listed in the following link.

http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Basically we deploy IPSec tunnels to various clients. On the routers we have found it is very effective to implement the following to account for the additional headers added by a tunnel...

interface Tunnel0
 ip tcp adjust-mss 1370

This uses TCP to adjust the host MTU so I don't have to worry about packets being fragmented to pass through the tunnel.

I was wondering if anyone knows if there is an equivalent command on a PIX running 6.3 to do the same, or if they perform this type of correction by default. I am only able to find this on the routers, nothing either way on the PIX.

Thanks!

1 Accepted Solution

Accepted Solutions

jkarpenk
Cisco Employee

You probably already found this, but to add my $0.02 to the table: the command is "sysopt connection tcpmss 1370", and the default MSS value for the PIX is 1380. I've only seen this useful in PPPoX VPN issues, unless there is an intermediate link MTU that could also be causing your problem. You might also look into using "transport" mode in place of "tunnel" mode (default) in your IPsec configs.

/karpenko/

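As an added example (not from this thread, and not Cisco's code), the following Python derives a safe MSS from the worst-case ESP overhead in tunnel versus transport mode, which the answer above contrasts, and rewrites the MSS option in a constructed TCP SYN the way an on-the-wire clamp such as "sysopt connection tcpmss" does. The fixed header sizes and the AES-CBC cipher defaults are assumptions, not values taken from the thread.

```python
import struct
# Assumed fixed IPsec header sizes (not from the thread): ESP SPI+sequence = 8,
# pad-length + next-header trailer = 2, outer IPv4 header = 20 in tunnel mode.
ESP_HDR, ESP_TRAILER, IPV4_HDR, TCP_HDR = 8, 2, 20, 20

def esp_overhead(mode, block=16, iv_len=16, icv_len=12):
    """Worst-case bytes ESP adds per packet (defaults: AES-CBC, 96-bit ICV, pad <= block-1)."""
    outer_ip = IPV4_HDR if mode == "tunnel" else 0   # transport mode keeps the original IP header
    return outer_ip + ESP_HDR + iv_len + (block - 1) + ESP_TRAILER + icv_len

def safe_mss(link_mtu, mode, **cipher):
    """Largest TCP payload that still fits link_mtu once encapsulated (no fragmentation)."""
    return link_mtu - esp_overhead(mode, **cipher) - IPV4_HDR - TCP_HDR

def _mss_offset(hdr):
    """Index of the 2-byte MSS value inside a TCP header's options, or None if absent."""
    end, i = (hdr[12] >> 4) * 4, TCP_HDR      # data offset (in 32-bit words) bounds the options
    while i < end:
        kind = hdr[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP is a single byte with no length field
            i += 1
            continue
        if kind == 2 and hdr[i + 1] == 4:   # MSS option: kind 2, length 4
            return i + 2
        i += hdr[i + 1]                     # skip any other TLV option
    return None

def tcp_mss(hdr):
    off = _mss_offset(hdr)
    return struct.unpack("!H", hdr[off:off + 2])[0] if off is not None else None

def clamp_mss(hdr, limit):
    """Lower an oversized MSS option in a SYN, as the firewall does on the wire.
    The TCP checksum is not recomputed here; a real device must do that too."""
    out, off = bytearray(hdr), _mss_offset(hdr)
    if off is not None and struct.unpack("!H", hdr[off:off + 2])[0] > limit:
        out[off:off + 2] = struct.pack("!H", limit)
    return bytes(out)

# Constructed sample SYN: ports 40000->443, data offset 7 (28 bytes), flags SYN,
# options MSS=1460, NOP, window scale 7 (checksum left at zero).
SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, 0x02, 65535, 0, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7])

if __name__ == "__main__":
    print("tunnel-mode MSS for a 1500-byte MTU:", safe_mss(1500, "tunnel"))
    print("SYN MSS before/after clamp:", tcp_mss(SYN), tcp_mss(clamp_mss(SYN, 1380)))
```

Run with a 1500-byte link MTU to see why a tunnel-mode value needs to be lower than the transport-mode one for the same cipher.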

mchin345
Level 6

To my knowledge, FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

There is a sysopt command on the PIX that does this; it's set to 1460 by default, I think. Do "sh sysopt"; all the options are listed there.

Andy

Hey thanks for helping us out.

Signed,

Goatboy

scottvivian
Level 1

sysopt connection tcpmss

The default is 1380.

Good luck - Scott

hegderakesh
Level 1

Hi,

You can use sysopt connection tcpmss command.

Please rate if you find this useful

-Rakesh
