cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Telnet session to FWSM module disconnects due to MTU size issues in 6500 or 7600 switches

2264
Views
0
Helpful
0
Comments

 

Introduction

Telnet session to FWSM module disconnects due to MTU size issues in Catalyst 6500 or 7600 series switches.

Core issue

When the SSH connection is established and a command is entered, the connection dies.

The SSH session stays up if the size of the packets are less than a specified MTU. For example, if you issue the pager 5 command, which lets you choose the number of lines to display before the More prompt appears, it stays up without issue.

Anything between MTU size 1469 and 1472 times out. Anything less than MTU size 1468 works.

Resolution

In order to ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode.

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. If you set the maximum size to be greater than 1380, packets can become fragmented, dependent upon the MTU size, which is 1500 by default.

Command Details

sysopt connection tcpmss

To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.

sysopt connection tcpmss [ minimum ] bytes

no sysopt connection tcpmss [ minimum ] [ bytes ]


Syntax Description

bytes

Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0.

For the minimum keyword, the bytes represent the smallest maximum value allowed.

minimum

Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).

 

Defaults

The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  • Yes
  • Yes
  • Yes
  • Yes

 

Command History

Release Modification 7.0(1)

This command was introduced. 
Usage Guidelines

Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the ASA overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the ASA overrides the maximum and inserts the “minimum” value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ASA alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ASA alters the packet to request 400 bytes (the minimum).

The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

If the host or server does not request a maximum segment size, the ASA assumes that the RFC 793 default value of 536 bytes is in effect.

If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the ASA when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Note Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
Examples

The following example sets the maximum size to 1200 and the minimum to 400:

ciscoasa(config)# sysopt connection tcpmss 1200
ciscoasa(config)# sysopt connection tcpmss minimum 400

More Information

ASA Modification of TCP MSS Option Causes Slight Performance Decrease

By default the ASA sets the TCP MSS option in the SYN packets to 1380. Therefore, TCP endpoints should not transmit a TCP segment larger than 1380 bytes. This value is lower than the often default value of 1460 bytes and represents a TCP performance drop of around six percent (6%). Performance might improve is you increase the maximum MSS setting on the ASA or disable the MSS adjustment. Before you modify the default command on the ASA, understand the risks involved with regard to potential fragmentation if the packet is further encapsulated in the path somewhere.
For more information, refer to the sysopt connection tcpmss section of the Cisco ASA 5500 Series Command Reference.

Reference

ASA Throughput and Connection Speed Troubleshooting and Analyzing Packet Captures
Cisco ASA Series Command Reference, S Commands

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards