Solved: TCP MSS Question

ChristopherCraddock66504 · ‎04-07-2022

Dear Community,

I have some questions about the TCP MSS process, its kind of confusing.

-If an originating host sends a TCP SYN with an MSS of 1460, but the client responds with a SYN/ACK with an MSS of 1436, will both hosts use 1436 in both directions? or will the originating host use 1436 while the client uses 1460?

-If an originating host send a TCP/SYN with an MSS of 1436, but the responding client responds with a SYN/ACK of 1460, will the originating host use 1460 for its packets but the responding client use 1436 for its packets?

I guess what I am asking is: Is the MSS value in the SYN and SYN/ACK packets honored by the opposite end all the time if the values differ?

Thank you.

Harold Ritter · ‎04-07-2022

Hi @ChristopherCraddock66504 ,

> -If an originating host sends a TCP SYN with an MSS of 1460, but the client responds with a SYN/ACK with an MSS of 1436, will

> both hosts use 1436 in both directions? or will the originating host use 1436 while the client uses 1460?

Both hosts will use the lower value (1436).

> -If an originating host send a TCP/SYN with an MSS of 1436, but the responding client responds with a SYN/ACK of 1460, will

> the originating host use 1460 for its packets but the responding client use 1436 for its packets?

If the initiating host sends 1436, the receiving host will not send 1460, but rather 1436.

> I guess what I am asking is: Is the MSS value in the SYN and SYN/ACK packets honored by the opposite end all the time if the

> values differ?

MSS will be the same on both sides and it will be the lowest value.

Regards,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

View solution in original post

Harold Ritter · ‎04-07-2022

Hi @ChristopherCraddock66504 ,

> -If an originating host sends a TCP SYN with an MSS of 1460, but the client responds with a SYN/ACK with an MSS of 1436, will

> both hosts use 1436 in both directions? or will the originating host use 1436 while the client uses 1460?

Both hosts will use the lower value (1436).

> -If an originating host send a TCP/SYN with an MSS of 1436, but the responding client responds with a SYN/ACK of 1460, will

> the originating host use 1460 for its packets but the responding client use 1436 for its packets?

If the initiating host sends 1436, the receiving host will not send 1460, but rather 1436.

> I guess what I am asking is: Is the MSS value in the SYN and SYN/ACK packets honored by the opposite end all the time if the

> values differ?

MSS will be the same on both sides and it will be the lowest value.

Regards,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Joseph W. Doherty · ‎04-07-2022

As @Harold Ritter (correctly) notes, both ends use the smallest value being used on either end.

Also wanted to add (although not asked), the

TCP adjust-mss #

if supported by platform, need only be defined once, on any interface, which TCP session startup will transit (as this command "spoofs" the exchange to using value in the command).

Further, end-host and/or TCP adjust-mss using a smaller MSS do not guarantee there cannot be any fragmentation, but often it will avoid it, in cases such a media supporting "standard" Ethernet frames and something like a GRE tunnel being used (I assume as your OP mentions a MSS of 1436, and as GRE has 24 bytes of overhead, you might be looking into that too).

ChristopherCraddock66504 · ‎04-08-2022

Harold and Jospeh,

Thanks so much for the replies! Indeed, I am asking this because of GRE. More specifically, because we are looking to use Cloudflare Magic Transit and I was not quite understanding their requirement to implement the

ip tcp adjust-mss

feature on our outbound internet interface. But you have cleared up my confusion!

Thanks again!

Joseph W. Doherty · ‎04-08-2022

If you're going to use a GRE tunnel, you'll only need to apply the

ip tcp adjust-mss

command there, however there are other commands, dealing with IP MTU and MTU discovery that are worth applying to the physical interface. See Resolve IPv4 Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec for more information.