Telnet session to FWSM module disconnects due to MTU size issues in Catalyst 6500 or 7600 series switches.
When the SSH connection is established and a command is entered, the connection dies.
The SSH session stays up if the size of the packets is less than a specified MTU. For example, if you issue the pager 5 command, which lets you choose the number of lines to display before the More prompt appears, the session stays up without issue.
Anything between MTU size 1469 and 1472 times out. Anything less than MTU size 1468 works.
In order to ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode.
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. If you set the maximum size to be greater than 1380, packets can become fragmented, dependent upon the MTU size, which is 1500 by default.
sysopt connection tcpmss
To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.
sysopt connection tcpmss [ minimum ] bytes
no sysopt connection tcpmss [ minimum ] [ bytes ]
bytes: Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0. For the minimum keyword, the bytes represent the smallest maximum value allowed.
minimum: Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).
The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).
Command Modes
The following table shows the modes in which you can enter the command:
Release    Modification
7.0(1)     This command was introduced.
Usage Guidelines
Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the ASA overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the ASA overrides the maximum and inserts the “minimum” value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ASA alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ASA alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the ASA assumes that the RFC 793 default value of 536 bytes is in effect.
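The MSS override and the 1500-byte calculation described above, modeled in Python as an added example (not Cisco code and not part of the original page). The function names are hypothetical and the SYN option bytes are constructed; the bounds 1200 and 400 are the ones used in the text, and a SYN with no MSS option is only reported as the assumed 536 bytes, not rewritten.

```python
import struct

RFC793_DEFAULT_MSS = 536  # assumed when a SYN carries no MSS option
ETHERNET_MTU = 1500
# Header overhead from the page's calculation, in bytes.
OVERHEAD = {"TCP": 20, "IP": 20, "AH": 24, "ESP_CIPHER": 24,
            "ESP_AUTH": 12, "outer IP": 20}

def clamp_mss(requested, maximum=1380, minimum=0):
    """Apply the tcpmss bounds; a bound of 0 means that check is disabled."""
    if maximum and requested > maximum:
        return maximum
    if minimum and requested < minimum:
        return minimum
    return requested

def rewrite_syn_options(options, maximum=1380, minimum=0):
    """Return (new_options, requested_mss, effective_mss) for a SYN's TCP options."""
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            raise ValueError("malformed TCP option")
        if kind == 2 and out[i + 1] == 4:   # MSS: kind 2, length 4, 16-bit value
            requested = struct.unpack_from("!H", out, i + 2)[0]
            effective = clamp_mss(requested, maximum, minimum)
            struct.pack_into("!H", out, i + 2, effective)
            return bytes(out), requested, effective
        i += out[i + 1]
    return bytes(options), None, RFC793_DEFAULT_MSS

def encapsulated_size(mss):
    """Total packet size for a full segment with the page's IPsec overhead."""
    return mss + sum(OVERHEAD.values())

if __name__ == "__main__":
    # Constructed SYN options: MSS, NOP, window scale 7 (last one has no MSS).
    for hexopts in ("0204051401030307", "0204012c01030307", "01030307"):
        _, req, eff = rewrite_syn_options(bytes.fromhex(hexopts), 1200, 400)
        print(f"requested={req} effective={eff}")
    for mss in (1380, 1460):
        size = encapsulated_size(mss)
        print(mss, size, "fits" if size <= ETHERNET_MTU else "exceeds MTU")
```

With the default maximum of 1380 the fully encapsulated packet is exactly 1500 bytes; at 1460 the same overhead gives 1580 bytes, which is the fragmentation case the guidelines describe.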
If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the ASA when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.
Note: Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.
Examples
The following example sets the maximum size to 1200 and the minimum to 400:
ASA Modification of TCP MSS Option Causes Slight Performance Decrease
By default, the ASA sets the TCP MSS option in SYN packets to 1380. Therefore, TCP endpoints should not transmit a TCP segment larger than 1380 bytes. This value is lower than the frequently used default of 1460 bytes and represents a TCP performance drop of around six percent (6%). Performance might improve if you increase the maximum MSS setting on the ASA or disable the MSS adjustment. Before you modify the default command on the ASA, understand the risks involved with regard to potential fragmentation if the packet is further encapsulated somewhere in the path. For more information, refer to the sysopt connection tcpmss section of the Cisco ASA 5500 Series Command Reference.