With pings of 1260 set for -f appearing to work, with no errors like "Packet needs  to be fragmented but DF set."  The mtu and mss settings should really be  close enough to that value.

set the following on the pix:

mtu inside 1260

Then your mss should be less and follow

sysopt connection tcpmss 1200

Actually, according to http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml

should be an mss of around 1220, but just try lowering until you get what works.

Also continue monitoring your logs, as they give you further idea, as you have already indicated.

If lowering the value still does not take, I suggest saving the configuration and reloading the firewall. Ensuring that you have mtu of 1260 or lower, and mss accordingly showing up after the reboot.

Hopefully it help you  get the issue resolved.

Regards,

Unfortunately, you can not do MPF on version 6.3 pix code.

But if you are interested in upgrading to later version of the pix code, then definitely you can consider doing that instead.

Regards,

Hello All,

Finally we reached to resolution by applying MPF on outside interface of ASA.

Many thanks to every one, for posting valuables inputs to reach the resolution.

Now we are able to upload page successfully.

I still have following queries; will appreciate if you can answer the same.

Q1. This behavior is observed only on ASA IOS 7.0 but not in Version 8.0.  Understand that the 7.0 release introduces several new security enhancements, one of which is a check for TCP endpoints which adhere to the advertised Maximum Segment Size (MSS). So does this mean version 8.0 IOS doesn’t have this behavior..or the MPF is already coded in version 8.

Q2. If it is coded on version 8, then it must be placed with ACL for source any & destination any. So applying any – any is harmful

Q3. In MPF we have entered the command set connection advanced-options mss-map. What does it mean?

What is difference between sysopt connection tcpmss & MPF

Regards

Yogesh S