MSS-exceed

bob.bartlett
Level 1

ASA 5510 with a switch in the DMZ whose web interface we are trying to access over HTTPS. The connection fails and the firewall logs the error (syslog id 419001): Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430

The firewall is running 8.03.

6 Replies

phil.davenport
Level 1

Hi,

Your client's TCP maximum segment size (MSS) is set to 1260; however, the switch webserver is ignoring the MSS sent by the client and sending back data exceeding the TCP MSS. From v7.0 onwards the default behaviour is to drop this packet to defend against buffer overrun. The document below should help you. If the webserver is running on a Cisco switch it may be worth raising a TAC case once you've looked through the doc.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
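Added example, not part of the thread or of any Cisco documentation: a small Python parser for the 419001 drop message quoted above. It pulls the advertised MSS and the size of the offending segment out of each log line and tallies drops per sending endpoint, so you can see which server is ignoring the peer's MSS and by how much before deciding between `exceed-mss allow` and an MSS clamp. The sample log lines are constructed (host names, ports and the second and fourth messages are made up).

```python
import re

# Constructed sample syslog lines modelled on the 419001 message quoted in the
# thread. Host names, ports and all but the first line are made up.
SAMPLE_LOGS = """\
%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430
%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1380
%ASA-6-302013: Built inbound TCP connection 1234 for outside:cox.home/50207 (cox.home/50207) to dmz:smswitch.internal/80 (smswitch.internal/80)
%ASA-4-419001: Dropping TCP packet from dmz:otherhost.internal/443 to outside:cox.home/50300, reason: MSS exceeded, MSS 1380, data 1460
"""

# Fields of the MSS-exceeded drop message: interface:host/port on both sides,
# the MSS the peer advertised and the payload length that exceeded it.
MSS_EXCEEDED_RE = re.compile(
    r"419001: Dropping TCP packet from "
    r"(?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_exceeded(line):
    """Return a dict for a 419001 line, or None for any other message."""
    m = MSS_EXCEEDED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "mss", "data"):
        rec[key] = int(rec[key])
    # How far past the advertised MSS the segment went; always positive here,
    # since the ASA only logs 419001 when data > MSS.
    rec["overshoot"] = rec["data"] - rec["mss"]
    return rec


def summarize(log_text):
    """Group drops by the sender, i.e. the endpoint that ignored its peer's MSS."""
    per_sender = {}
    for line in log_text.splitlines():
        rec = parse_mss_exceeded(line)
        if rec is None:
            continue
        key = f"{rec['src_if']}:{rec['src']}/{rec['sport']}"
        entry = per_sender.setdefault(
            key, {"drops": 0, "mss": rec["mss"], "max_data": 0, "max_overshoot": 0}
        )
        entry["drops"] += 1
        entry["max_data"] = max(entry["max_data"], rec["data"])
        entry["max_overshoot"] = max(entry["max_overshoot"], rec["overshoot"])
    return per_sender


if __name__ == "__main__":
    for sender, stats in summarize(SAMPLE_LOGS).items():
        print(f"{sender}: {stats['drops']} drop(s), peer MSS {stats['mss']}, "
              f"largest segment {stats['max_data']} (+{stats['max_overshoot']})")
```

Running it over the sample lines attributes both drops for the switch to `dmz:smswitch.internal/80`, which is the endpoint that needs the `exceed-mss allow` exception (or a fix on the switch side); the unrelated 302013 connection message is skipped. Feeding it a real syslog export shows whether the problem is confined to one server or is widespread before you loosen the check globally.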

whanson
Level 2

This will fix your problem. It is set for the outside interface, but you can alter it for the dmz.

! match the traffic that may exceed the MSS (here: all TCP)
access-list mssexceed extended permit tcp any any
class-map mssexceed-map
 match access-list mssexceed
! tcp-map must exist before the policy-map references it
tcp-map mss-map
 exceed-mss allow
policy-map mss-exceed-policy
 class mssexceed-map
  set connection advanced-options mss-map
service-policy mss-exceed-policy interface outside

From my experience, applying it on the outside interface didn't take effect. I had to apply it in a global policy, and still the TCP MSS exceeds kept showing up. We had to reload the ASA for the global policy to take effect.

Is a reload really necessary? Anyone else done this?

In the past I have used:

sysopt connection tcpmss xxxx

This way the ASA will alter the MSS on seeing the SYN and returning the SYN-ACK.

Give it a go.

HTH
