12-28-2007 07:08 PM - edited 03-09-2019 07:44 PM
ASA 5510 with a switch in the DMZ whose web interface we are trying to access over HTTPS. The connection fails and logs the error syslog ID 419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430
The firewall is running 8.03.
12-31-2007 03:54 PM
Hi,
Your client TCP maximum segment size (MSS) is set to 1260; however, the switch web server is ignoring the MSS sent by the client and sending back data exceeding the TCP MSS. From v7.0 onwards, the default behavior is to drop this packet to defend against buffer overrun. The document below should help you. If the web server is running on a Cisco switch, it may be worth raising a TAC case once you've looked through the doc.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
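To see which endpoints are actually sending oversized segments before changing firewall behaviour, the 419001 drops can be summarized per sender. This is an added example, not part of the original thread or of any Cisco tooling; apart from the first sample line, which is the one quoted in the question, the log lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the message quoted in the thread;
# the other lines (and the %ASA prefixes) are made up for the example.
SAMPLE_LOG = """\
Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430
%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50207, reason: MSS exceeded, MSS 1260, data 1460
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/50208 (198.51.100.7/50208) to dmz:smswitch.internal/80 (smswitch.internal/80)
%ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/8080 to outside:198.51.100.7/40000, reason: MSS exceeded, MSS 1380, data 1460
"""

# Matches the body of the MSS-exceeded drop message, with or without a prefix.
PATTERN = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def summarize(log_text):
    """Group MSS-exceeded drops by the sending (interface, host, port)."""
    stats = defaultdict(
        lambda: {"drops": 0, "mss": set(), "max_over": 0, "peers": set()}
    )
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # unrelated syslog message
        s = stats[(m["src_if"], m["src"], int(m["sport"]))]
        s["drops"] += 1
        s["mss"].add(int(m["mss"]))  # MSS the peer advertised
        # Largest number of bytes by which a segment exceeded that MSS.
        s["max_over"] = max(s["max_over"], int(m["data"]) - int(m["mss"]))
        s["peers"].add(m["dst"])
    return dict(stats)

if __name__ == "__main__":
    for (ifc, host, port), s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ifc}:{host}/{port} drops={s['drops']} "
              f"advertised_mss={sorted(s['mss'])} max_over={s['max_over']}B "
              f"peers={sorted(s['peers'])}")
```

A short list of senders here means any exception to the default drop can be limited to those hosts and ports rather than applied to all TCP traffic.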
01-09-2008 04:02 PM
This will fix your problem. It is set for the outside interface, but you can alter it for dmz.
! Match the traffic the exception applies to
access-list mssexceed extended permit tcp any any
class-map mssexceed-map
 match access-list mssexceed
! Define the tcp-map before the policy-map references it
tcp-map mss-map
 exceed-mss allow
policy-map mss-exceed-policy
 class mssexceed-map
  set connection advanced-options mss-map
! Apply the policy to the interface
service-policy mss-exceed-policy interface outside
04-17-2008 01:58 PM
From my experience, applying it on the outside interface didn't take effect. I had to apply it in a global policy and still the TCP MSS exceeds kept showing up. We had to reload the ASA for the global policy to take effect.
05-19-2008 02:20 PM
A reload is really necessary? Anyone else done this?
05-21-2008 10:55 PM
In the past I have used:
sysopt connection tcpmss xxxx
This way the ASA will alter the MSS on seeing the SYN and returning SYN ACK.
Give it a go.
HTH