09-10-2008 08:12 AM - edited 03-09-2019 09:27 PM
The ASA firewall's syslog message indicates that the Public IP of the email server xx.xx.xx.ww/443 dropped TCP packets to the ASA public IP xx.xx.xx.yy/34018 due to MSS exceeded.
Is there a security or performance issue to allow all packets that exceed the MSS?
09-09-2008 09:34:37 Local4.Warning 192.168.xx.xx Sep 09 2008 09:43:12: %ASA-4-419001: Dropping TCP packet from outside:xx.xx.xx.ww/443 to Inside:xx.xx.xx.yy/34018, reason: MSS exceeded, MSS 1260, data 1460
Thanks.
09-10-2008 08:38 AM
Hi,
Here are the commands :
ASA-5510-8x(config)# access-list http-list2 permit ip any any
ASA-5510-8x(config)# class-map http-map1
ASA-5510-8x(config-cmap)# match access-list http-list2
ASA-5510-8x(config-cmap)# exit
ASA-5510-8x(config)# tcp-map mss-map
ASA-5510-8x(config-tcp-map)# exceed-mss allow
ASA-5510-8x(config-tcp-map)# exit
ASA-5510-8x(config)# policy-map global_policy
ASA-5510-8x(config-pmap)# class http-map1
ASA-5510-8x(config-pmap-c)# set connection advanced-options mss-map
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit
Do rate helpful posts.
Regards,
Sushil
09-10-2008 08:52 AM
Sushil,
In the 3-way TCP handshake, the length of the TCP packet is negotiated. When the packets are routed, the length of the TCP packets exceeds the negotiated length. Is the above normal?
Is there a security issue allowing all IP packets with different lengths to enter the firewall?
09-10-2008 09:11 AM
The default MSS (maximum segment size) of 1380 is good enough for most of the Ethernet networks. However, if a segment comes with a size of more than 1380, the firewall drops it. Segments of size more than 1380 are normal, depending on what media is used for communication. Allowing such packets does not introduce any security risks. It's an add-on security feature of ASA which lets you know that some packets are not following the default RFC standards. I have never seen any issues when such packets are allowed through the f/w (believe me, in TAC, we see this every next day. :)
Please rate if helpful
Regards,
Sushil
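To turn the %ASA-4-419001 lines from the original question into something you can triage before deciding on exceed-mss allow, here is a small parser and summariser. It is an added example, not code from the original thread or from Cisco: it reads the message format exactly as it appears above, works out how far each dropped segment exceeds the negotiated MSS, and groups the drops by the remote server endpoint so you can see which services (443 in the first post, 25 in the later one) actually trigger the drop. The sample log lines are constructed with documentation addresses; the function names are my own.

```python
import re
from collections import Counter

# Message format as logged by the ASA in the thread above:
# "%ASA-4-419001: Dropping TCP packet from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>,
#  reason: MSS exceeded, MSS <negotiated>, data <segment length>"
MSS_EXCEEDED_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample syslog lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    "Sep 09 2008 09:43:12: %ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 "
    "to Inside:192.0.2.20/34018, reason: MSS exceeded, MSS 1260, data 1460",
    "Sep 09 2008 09:43:13: %ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 "
    "to Inside:192.0.2.20/34018, reason: MSS exceeded, MSS 1260, data 1400",
    "Jan 20 2010 07:10:02: %ASA-4-419001: Dropping TCP packet from outside:203.0.113.25/25 "
    "to Inside:192.0.2.30/51000, reason: MSS exceeded, MSS 1380, data 1460",
    # An unrelated message that the parser must ignore.
    "Jan 20 2010 07:10:03: %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.25/25 (203.0.113.25/25) to Inside:192.0.2.30/51000 (192.0.2.30/51000)",
]


def parse_mss_exceeded(line):
    """Return a dict of the 419001 fields (ports and sizes as ints) or None.

    'excess' is how many bytes the segment payload exceeded the negotiated MSS by.
    """
    m = MSS_EXCEEDED_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("src_port", "dst_port", "mss", "data"):
        event[key] = int(event[key])
    event["excess"] = event["data"] - event["mss"]
    return event


def summarize(lines):
    """Aggregate the drops so the scope of the problem is visible at a glance.

    by_server  : drop count per remote (ip, port) that sent the oversized segments
    server_ports: the service ports involved, useful for scoping a class-map more
                  narrowly than 'permit ip any any'
    max_excess : largest overshoot seen, so you can tell a few bytes from a lot
    """
    events = [e for e in (parse_mss_exceeded(l) for l in lines) if e]
    by_server = Counter((e["src_ip"], e["src_port"]) for e in events)
    return {
        "events": len(events),
        "by_server": dict(by_server),
        "server_ports": sorted({e["src_port"] for e in events}),
        "max_excess": max((e["excess"] for e in events), default=0),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_mss_exceeded(line))
    print(summarize(SAMPLE_LOG))
```

Run it against an export of the firewall's syslog; if every drop comes from one or two server ports, the class-map can match just those flows instead of every packet, which keeps the tcp-map change from silently applying to all traffic on a production firewall.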
09-10-2008 10:03 AM
Sushil,
This is a production firewall. Would copying and pasting your configuration affect the network?
09-10-2008 10:44 AM
Could you paste the show commands below:
sh run policy-map
sh run class-map
sh run service-policy
Accordingly, I would let you know.
Regards,
Sushil
09-10-2008 11:34 AM
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
 class ips-class
  ips inline fail-open
policy-map ips-pol
 class ips-class
  ips inline fail-open
class-map ips-class
 match access-list ips
class-map inspection_default
 match default-inspection-traffic
!
service-policy global_policy global
09-10-2008 11:36 AM
Perfect,
Go ahead and add the commands with NO WORRIES.
Please rate if helpful. :)
Regards,
Sushil
01-20-2010 07:25 AM
We are having a similar issue. We have an ASA5505 and on this network we have a scanner/copier that does scan to email. We are noticing that when the copier/scanner attempts to contact an email server that resides on the other side of the tunnel, we are getting the 419001 error messages.
Will the code you posted work for this? The destination port for this traffic is 25.