Telnet session to FWSM module disconnects due to MTU size issues in Catalyst 6500 or 7600 series switches.
When the SSH connection is established and a command is entered, the connection dies.
The SSH session stays up if the size of the packets is less than a specified MTU. For example, if you issue the pager 5 command, which lets you choose the number of lines to display before the More prompt appears, the session stays up without issue.
Anything between MTU size 1469 and 1472 times out. Anything less than MTU size 1468 works.
In order to ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode.
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. If you set the maximum size to be greater than 1380, packets can become fragmented, dependent upon the MTU size, which is 1500 by default.
sysopt connection tcpmss
To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.
sysopt connection tcpmss [ minimum ] bytes
no sysopt connection tcpmss [ minimum ] [ bytes ]
bytes      Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0. For the minimum keyword, the bytes represent the smallest maximum value allowed.
minimum    Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).
The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).
Command Modes
The following table shows the modes in which you can enter the command:
Release    Modification
7.0(1)     This command was introduced.
Usage Guidelines
Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the ASA overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the ASA overrides the maximum and inserts the “minimum” value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ASA alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ASA alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the ASA assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the ASA when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Note: Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
Examples
The following example sets the maximum size to 1200 and the minimum to 400:
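Following the syntax shown above, those two settings are written as sysopt connection tcpmss 1200 and sysopt connection tcpmss minimum 400. The Python model below is an added example, not Cisco code or part of the original page: it reproduces the override rules and the 1500-byte calculation from the Usage Guidelines so you can check a planned value against an MTU before changing the device. The function names are hypothetical, and it assumes that a SYN without an MSS option is left unmodified and treated as 536 bytes.

```python
# Added example: a model of the behaviour described on this page, not Cisco code.
RFC793_DEFAULT_MSS = 536   # assumed in effect when the SYN carries no MSS option
TCP_HDR = 20
IP_HDR = 20
# Encapsulation overhead taken from the page's calculation (bytes).
IPSEC_OVERHEAD = {"AH": 24, "ESP_CIPHER": 24, "ESP_AUTH": 12, "OUTER_IP": 20}


def clamp_mss(requested, maximum=1380, minimum=0):
    """Return the MSS in effect after the firewall has processed a SYN.

    requested: MSS option value in the SYN, or None if the option is absent.
    maximum:   value of 'sysopt connection tcpmss <bytes>' (0 disables it).
    minimum:   value of 'sysopt connection tcpmss minimum <bytes>' (0 disables it).
    """
    if requested is None:
        return RFC793_DEFAULT_MSS          # assumption: option is not inserted
    if maximum and requested > maximum:
        return maximum                     # endpoint asked for too much
    if minimum and requested < minimum:
        return minimum                     # "smallest maximum allowed"
    return requested


def packet_size(mss, encapsulated=True):
    """Bytes on the wire for one full segment, per the page's calculation."""
    size = mss + TCP_HDR + IP_HDR
    if encapsulated:
        size += sum(IPSEC_OVERHEAD.values())
    return size


def will_fragment(mss, mtu=1500, encapsulated=True):
    """True if a full segment at this MSS no longer fits in the MTU."""
    return packet_size(mss, encapsulated) > mtu


def report(samples, maximum, minimum):
    """(requested, effective MSS, packet size, fragments?) for each sample."""
    rows = []
    for req in samples:
        eff = clamp_mss(req, maximum, minimum)
        rows.append((req, eff, packet_size(eff), will_fragment(eff)))
    return rows


if __name__ == "__main__":
    # Constructed sample requests, including the two hosts from the text above.
    for row in report([1300, 300, 1000, None], maximum=1200, minimum=400):
        print(row)
```
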
ASA Modification of TCP MSS Option Causes Slight Performance Decrease
By default, the ASA sets the TCP MSS option in the SYN packets to 1380. Therefore, TCP endpoints should not transmit a TCP segment larger than 1380 bytes. This value is lower than the common default value of 1460 bytes and represents a TCP performance drop of around six percent (6%). Performance might improve if you increase the maximum MSS setting on the ASA or disable the MSS adjustment. Before you modify the default command on the ASA, understand the risks involved with regard to potential fragmentation if the packet is further encapsulated somewhere in the path. For more information, refer to the sysopt connection tcpmss section of the Cisco ASA 5500 Series Command Reference.