Telnet session to FWSM module disconnects due to MTU size issues in Catalyst 6500 or 7600 series switches.
When the SSH connection is established and a command is entered, the connection dies.
The SSH session stays up as long as the size of the packets is below a certain threshold. For example, if you issue the pager 5 command, which lets you choose the number of lines to display before the More prompt appears, the session stays up without issue.
Anything with a size between 1469 and 1472 bytes times out; anything smaller than 1468 bytes works.
In order to ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode.
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. If you set the maximum size to be greater than 1380, packets can become fragmented, depending on the MTU size, which is 1500 by default.
sysopt connection tcpmss
To ensure that the maximum TCP segment size does not exceed the value you set and that the maximum is not less than a specified size, use the sysopt connection tcpmss command in global configuration mode. To restore the default setting, use the no form of this command.
sysopt connection tcpmss [ minimum ] bytes
no sysopt connection tcpmss [ minimum ] [ bytes ]
Syntax Description

bytes: Sets the maximum TCP segment size in bytes, between 48 and any maximum number. The default value is 1380 bytes. You can disable this feature by setting bytes to 0. For the minimum keyword, the bytes value represents the smallest maximum value allowed.

minimum: Overrides the maximum segment size to be no less than bytes, between 48 and 65535 bytes. This feature is disabled by default (set to 0).

Defaults

The default maximum value is 1380 bytes. The minimum feature is disabled by default (set to 0).

Command Modes

The following table shows the modes in which you can enter the command:

Command History

Release    Modification
7.0(1)     This command was introduced.

Usage Guidelines
Both the host and the server can set the maximum segment size when they first establish a connection. If either maximum exceeds the value you set with the sysopt connection tcpmss command, then the ASA overrides the maximum and inserts the value you set. If either maximum is less than the value you set with the sysopt connection tcpmss minimum command, then the ASA overrides the maximum and inserts the “minimum” value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ASA alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ASA alters the packet to request 400 bytes (the minimum).
The default of 1380 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
If the host or server does not request a maximum segment size, the ASA assumes that the RFC 793 default value of 536 bytes is in effect.
If you set the maximum size to be greater than 1380, packets might become fragmented, depending on the MTU size (which is 1500 by default). Large numbers of fragments can impact the performance of the ASA when it uses the Frag Guard feature. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client, which would impact the performance of the server and the network.

Note: Although not advised for normal use of this feature, if you encounter the syslog IPFRAG messages 209001 and 209002, you can raise the bytes value.

Examples
The following example sets the maximum size to 1200 and the minimum to 400:
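As an added example that is not part of the original page or of any Cisco code, the following Python models the MSS rewrite described in the Usage Guidelines: it locates the MSS option in a SYN's TCP options field and clamps it the way sysopt connection tcpmss 1200 together with sysopt connection tcpmss minimum 400 would, falling back to the RFC 793 value of 536 when no MSS option is present. The option parser, the sample option bytes and all function names are constructed assumptions for illustration.

```python
# Added model of the ASA TCP MSS rewrite (constructed, not Cisco code).
import struct

RFC793_DEFAULT_MSS = 536          # assumed when a SYN carries no MSS option
MSS_KIND, END_KIND, NOP_KIND = 2, 0, 1

def find_mss(options: bytes):
    """Return (offset, value) of the MSS option in a TCP options field, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == END_KIND:
            break
        if kind == NOP_KIND:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            break                     # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                     # malformed length: stop rather than loop
        if kind == MSS_KIND and length == 4:
            return i + 2, struct.unpack_from("!H", options, i + 2)[0]
        i += length
    return None

def clamp_mss(requested: int, maximum: int = 1380, minimum: int = 0) -> int:
    """Apply 'sysopt connection tcpmss [minimum] bytes'; 0 disables either bound."""
    # ASA equivalent of maximum=1200, minimum=400:
    #   sysopt connection tcpmss 1200 / sysopt connection tcpmss minimum 400
    if maximum and requested > maximum:
        return maximum                # e.g. a request for 1300 becomes 1200
    if minimum and requested < minimum:
        return minimum                # e.g. a request for 300 becomes 400
    return requested

def rewrite_syn_options(options: bytes, maximum: int = 1380, minimum: int = 0):
    """Return (patched_options, effective_mss) as the ASA would leave them."""
    found = find_mss(options)
    if found is None:
        return options, RFC793_DEFAULT_MSS
    offset, value = found
    new = clamp_mss(value, maximum, minimum)
    patched = bytearray(options)
    struct.pack_into("!H", patched, offset, new)
    return bytes(patched), new

# Constructed SYN option bytes: MSS 1460, NOP, NOP, SACK-permitted
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])
```

With the defaults, rewrite_syn_options(SAMPLE_OPTIONS) lowers the 1460 in the sample to 1380, the 6% smaller segment discussed in the next section.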
ASA Modification of TCP MSS Option Causes Slight Performance Decrease
By default the ASA sets the TCP MSS option in the SYN packets to 1380. Therefore, TCP endpoints should not transmit a TCP segment larger than 1380 bytes. This value is lower than the common default value of 1460 bytes and represents a TCP performance drop of around six percent (6%). Performance might improve if you increase the maximum MSS setting on the ASA or disable the MSS adjustment. Before you modify the default command on the ASA, understand the risks involved with regard to potential fragmentation if the packet is further encapsulated somewhere in the path. For more information, refer to the sysopt connection tcpmss section of the Cisco ASA 5500 Series Command Reference.