01-23-2022 08:13 AM
Dear experts,
I have tcp adjust-mss configured on an internet link with an ISP like following:
interface GigabitEthernet0/0/0
description internet WAN link
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1436
During DDOS attacks our firewall starts SYN challenge (acting as a proxy) and I see sniffing traffic over the WAN link that MSS is not adjusted accordingly from the router.
I suspect the current Cisco implementation does not change MSS because the syn-ack does not contain the MSS option.
Questions:
1) do you know if this is the correct behavior ? I do not find anything official (ASR1k IOS 16.3.7) on www.cisco.com... in case please share the URL
2) any suggestion if there is a way to set the MSS on ASR1k when not received in the syn-ack from the server...
The impact is that then the client do not reduce the segment and at the end the issue come once certificate is being exchanged in the TLS session...
Thanks in advance
Cheers
01-23-2022 09:02 AM
Hi
Which technology does your WAN is formed? Does it has any tunnel like GRE, DMWPN, SDWAN, etc?
For sure the Syn and Ack will not have TCP MSS. Syn and Ack are only a kind of "hello" in order to devices start talking. TCP MSS is expected to see on the header of TCP packet.
01-23-2022 10:10 AM
Hi
yes it is GRE for the anitDDOS provider.
As far as I know TCP MSS is negotiated at syn - ack, please see here:
https://learningnetwork.cisco.com/s/question/0D53i00000SnqXL/tcp-why-tcp-choose-lower-mss-
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide