Dynamically adjust TCP MSS on ASA 5525-X

Brett Verney
Level 1

Hi all,

I am in the process of setting up a transparent proxy using WCCP between a Cisco ASA 5525-X and a Blue Coat ProxySG appliance. I plan to only redirect HTTP and HTTPS traffic to the proxy; all other Internet bound traffic should go direct.

The only supported WCCP redirection method on the ASA is via GRE encapsulation. My concern here is regarding the 28 bytes of overhead (GRE & WCCP) that is added to the packets when they are encapsulated and sent to the proxy. I figured the best way to avoid fragmentation/MTU issues etc. was to lower the Maximum Segment Size (MSS) by 28 bytes for TCP packets. I can do this via a global command on the ASA - 'sysopt connection tcpmss 1432' but this applies to ALL TCP traffic that traverses the firewall, not just the HTTP/HTTPS traffic that is being redirected.

Is there any way I can set the MSS only on HTTP/HTTPS traffic, and only sourced from my internal LAN subnets only? I thought I might be able to do this through a service-policy catching the traffic with a class-map, but I can't find any documentation as to whether it is possible or not.

Otherwise, will there be a noticeable decrease in performance if I apply it globally and lower the MSS for ALL TCP traffic?

Thanks in advance,

Brett

2 Replies

Hello, Brett.

Per my understanding, the ASA encapsulates into GRE only packets from client to server. The ProxySG should be forwarding the traffic back directly to the client. So only client-to-server traffic could be subject to the issue you described.

The device is proxying the TCP connection, so I guess the best solution would be to adjust the LAN (original) MSS/MTU value of the ProxySG device!

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Otherwise, will there be a noticeable decrease in performance if I apply it globally and lower the MSS for ALL TCP traffic?

Not much. You'll lower the best (TCP) transfer efficiency by somewhat less than 2%.
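The MTU budget behind the 1432 figure in the question, and the "somewhat less than 2%" in the reply above, worked through as an added example (this is not code from the thread, from Cisco or from Blue Coat). It assumes a 1500-byte Ethernet MTU, IPv4 and TCP headers of 20 bytes each with no options, and that the 28 bytes of WCCP GRE overhead break down as outer IPv4 (20) + GRE (4) + WCCP redirect header (4); that breakdown is an assumption stated here, not something the thread spells out. The function and constant names are this example's own.

```python
"""MTU/MSS budget for TCP segments that get WCCP GRE-encapsulated.

Added example, not part of the original thread. Header sizes assumed:
IPv4 20, TCP 20 (no options), WCCP GRE overhead 28 = outer IPv4 20 +
GRE 4 + WCCP redirect header 4 (the 28-byte split is an assumption).
"""
import math

ETH_MTU = 1500
IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
WCCP_REDIRECT_HDR = 4
# Bytes the ASA prepends when it redirects a packet to the proxy over GRE.
WCCP_GRE_OVERHEAD = IPV4_HDR + GRE_HDR + WCCP_REDIRECT_HDR  # 28


def mss_for(mtu: int = ETH_MTU, encap_overhead: int = 0) -> int:
    """Largest TCP payload that still fits one MTU-sized packet after
    IPv4 + TCP headers and any encapsulation added later on the path."""
    return mtu - IPV4_HDR - TCP_HDR - encap_overhead


def encapsulated_size(payload: int, encap_overhead: int = WCCP_GRE_OVERHEAD) -> int:
    """Outer packet size once a segment carrying `payload` bytes is
    wrapped in WCCP GRE: inner IPv4 + TCP + payload, plus the overhead."""
    return IPV4_HDR + TCP_HDR + payload + encap_overhead


def needs_fragmentation(payload: int, mtu: int = ETH_MTU,
                        encap_overhead: int = WCCP_GRE_OVERHEAD) -> bool:
    """True when the encapsulated packet would exceed the link MTU, i.e.
    the ASA would have to fragment (or drop, if DF is set) on the way to
    the proxy."""
    return encapsulated_size(payload, encap_overhead) > mtu


def per_segment_loss(mss_old: int, mss_new: int) -> float:
    """Fraction of payload per segment given up by clamping the MSS.
    This is the worst case for throughput: it applies when the packet
    rate, not the byte rate, is the limiting factor."""
    return (mss_old - mss_new) / mss_old


def segments_for(transfer_bytes: int, mss: int) -> int:
    """Number of full-MSS segments needed to carry a transfer."""
    return math.ceil(transfer_bytes / mss)


if __name__ == "__main__":
    plain = mss_for()                                   # 1460 on a 1500 MTU
    clamped = mss_for(encap_overhead=WCCP_GRE_OVERHEAD)  # 1432, the value in the question
    print(f"default MSS {plain}, clamped MSS {clamped}")
    print(f"1460-byte segment after GRE: {encapsulated_size(plain)} bytes,"
          f" fragmentation needed: {needs_fragmentation(plain)}")
    print(f"1432-byte segment after GRE: {encapsulated_size(clamped)} bytes,"
          f" fragmentation needed: {needs_fragmentation(clamped)}")
    print(f"payload lost per segment: {per_segment_loss(plain, clamped):.2%}")
    one_mib = 1024 * 1024
    print(f"segments for 1 MiB: {segments_for(one_mib, plain)} vs"
          f" {segments_for(one_mib, clamped)}")
```

Running it shows a 1460-byte segment growing to 1528 bytes under GRE (over the 1500-byte MTU), a 1432-byte segment landing exactly on 1500, and a per-segment payload reduction of about 1.9%, which is the "somewhat less than 2%" figure. The script only does the arithmetic; the global `sysopt connection tcpmss` setting from the question is still what applies the clamp on the ASA, and it applies to every TCP flow through the firewall.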