TCP MSS CLAMPING issue

james_72
Level 1

Dear experts,

I have tcp adjust-mss configured on an internet link with an ISP like the following:

interface GigabitEthernet0/0/0
 description internet WAN link
 ip address x.x.x.x 255.255.255.252
 ip tcp adjust-mss 1436

During DDoS attacks our firewall starts a SYN challenge (acting as a proxy), and when sniffing traffic over the WAN link I see that the MSS is not adjusted accordingly by the router.
I suspect the current Cisco implementation does not change the MSS because the SYN-ACK does not contain the MSS option.
Questions:

1) Do you know if this is the correct behavior? I do not find anything official (ASR1k IOS 16.3.7) on www.cisco.com... in case you do, please share the URL.

2) Any suggestion if there is a way to set the MSS on the ASR1k when it is not received in the SYN-ACK from the server...

The impact is that the client does not reduce the segment size, and in the end the issue comes once the certificate is being exchanged in the TLS session...

Thanks in advance

Cheers
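As an added illustration of the behaviour described in this post (example code, not from the thread, Cisco, or the ASR1k), the following Python snippet parses the TCP option list of a SYN or SYN-ACK, reports the advertised MSS, and applies the same rule as adjust-mss: lower an existing MSS option, but leave a segment that carries none untouched. The sample headers are constructed here; the 1436 clamp is the value from the post's configuration.

```python
import struct

MSS_KIND = 2
CLAMP = 1436  # value from "ip tcp adjust-mss 1436" in the post

def tcp_options(tcp_hdr: bytes) -> list:
    """Return [(offset, kind, length)] for every option in a TCP header."""
    end = (tcp_hdr[12] >> 4) * 4          # data offset in bytes
    found, i = [], 20
    while i < end:
        kind = tcp_hdr[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP (padding)
            i += 1
            continue
        length = tcp_hdr[i + 1]
        found.append((i, kind, length))
        i += length
    return found

def mss_of(tcp_hdr: bytes):
    """MSS value advertised in the segment, or None if the option is absent."""
    for off, kind, _ in tcp_options(tcp_hdr):
        if kind == MSS_KIND:
            return struct.unpack("!H", tcp_hdr[off + 2:off + 4])[0]
    return None

def clamp_mss(tcp_hdr: bytes, clamp: int = CLAMP) -> bytes:
    """Lower an existing MSS option to `clamp`; a segment without the option (the
    SYN-proxy case in the post) comes back unchanged. Checksum is not recomputed."""
    hdr = bytearray(tcp_hdr)
    for off, kind, _ in tcp_options(tcp_hdr):
        if kind == MSS_KIND and mss_of(tcp_hdr) > clamp:
            hdr[off + 2:off + 4] = struct.pack("!H", clamp)
    return bytes(hdr)

def build_header(flags: int, options: bytes) -> bytes:
    """Constructed sample TCP header (no payload); options are NOP-padded to 4 bytes."""
    options += b"\x01" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset << 4, flags, 65535, 0, 0) + options

# Constructed samples: a client SYN advertising MSS 1460, and a SYN-ACK from a
# SYN-proxying firewall that carries no MSS option at all.
CLIENT_SYN = build_header(0x02, b"\x02\x04\x05\xb4")
PROXY_SYN_ACK = build_header(0x12, b"")
```

Running mss_of over captured SYN/SYN-ACK headers shows directly whether the option is present and whether it is at or below the configured clamp.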

2 Replies

Hi

Which technology is your WAN formed with? Does it have any tunnel like GRE, DMVPN, SD-WAN, etc.?
For sure the SYN and ACK will not have TCP MSS. SYN and ACK are only a kind of "hello" so that devices start talking. TCP MSS is expected to be seen in the header of the TCP packet.

https://xvirt.ink/2018/02/21/tcp-syn-packet/

Hi

Yes, it is GRE for the anti-DDoS provider.

As far as I know TCP MSS is negotiated at SYN-ACK; please see here:

https://learningnetwork.cisco.com/s/question/0D53i00000SnqXL/tcp-why-tcp-choose-lower-mss-
