09-19-2024 05:58 AM - edited 09-19-2024 06:18 AM
Please refer to the topology below:
Client >>> Cisco router >>> Firewall >>> Upstream device >>> server
I have set the MTU to 200 on my upstream device and, as expected, when the client accesses the server (HTTP) the packets are fragmented.
However, when I set tcp-mss (in my case to 55) on my firewall, I can see it is successfully shared (updated MSS) in the 3-way handshake. However, I can still see the client or server sending an MSS of more than 55, which is causing fragmentation.
Is this expected? Kindly help.
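As an added illustration (not code from the thread or any vendor), this shows what an MSS-clamping middlebox does to the MSS option in a SYN/SYN-ACK and the arithmetic tying MSS to path MTU: with a 20-byte IPv4 header and a 20-byte TCP header (an assumed 40-byte overhead, no options), an MTU of 200 allows an MSS of at most 160. The SYN option bytes are constructed sample data.

```python
import struct

# Assumed constant: 20-byte IPv4 header + 20-byte TCP header without options.
IPV4_TCP_OVERHEAD = 40

# Constructed sample: SYN options advertising MSS 1460, a NOP, and window scale 7.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307")


def max_mss_for_mtu(mtu, overhead=IPV4_TCP_OVERHEAD):
    """Largest MSS whose full-size segment still fits in one IP packet of size mtu."""
    return mtu - overhead


def _walk_options(opts):
    """Yield (offset, kind, length) for each TCP option; EOL stops, NOP is skipped."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP padding, single byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield i, kind, length
        i += length


def parse_tcp_options(opts):
    """Return [(kind, data), ...] from raw TCP option bytes."""
    return [(kind, opts[i + 2:i + length]) for i, kind, length in _walk_options(opts)]


def clamp_mss(opts, clamp):
    """Lower the MSS option (kind 2) to clamp if it is larger, as an MSS-clamping
    middlebox does on SYN and SYN-ACK. Returns (new_opts, old_mss, new_mss)."""
    out = bytearray(opts)
    for i, kind, length in _walk_options(opts):
        if kind == 2 and length == 4:
            old = struct.unpack("!H", opts[i + 2:i + 4])[0]
            new = min(old, clamp)
            out[i + 2:i + 4] = struct.pack("!H", new)
            return bytes(out), old, new
    return bytes(out), None, None          # no MSS option present


def segment_fits(payload_len, path_mtu, overhead=IPV4_TCP_OVERHEAD):
    """True if a TCP segment carrying payload_len bytes needs no IP fragmentation."""
    return payload_len + overhead <= path_mtu
```

A clamped MSS only bounds the TCP payload the peer sends on that connection; packets the firewall cannot see (for example inside a VPN tunnel) and non-TCP traffic are unaffected.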
09-19-2024 10:06 AM
What firewall do you have? Is it an ASA?
MHM
09-21-2024 03:32 AM
Hi, no, I am using a FortiGate. Even if I use a Cisco router with the same settings it is not working.
09-21-2024 03:36 AM
The only thing that makes TCP MSS not work on both the FW and the router is using some kind of RA VPN, so are you using RA VPN?
If you use RA VPN then the FW and router do not see the TCP handshake and hence cannot modify the MSS.
MHM
09-21-2024 03:39 AM
09-19-2024 10:12 AM
Generally I would not touch firewall MTU and MSS (unless we are looking to uplift to jumbo frames).
If you are using an ASA firewall, look at some guidelines:
Make sure the MTU matches all over the path for better performance.