MSS Exceed Error on ASA 5520 ver. 8.0.2

JJTontz · ‎09-21-2009

I am getting the MSS Exceeded errors in my syslog for a host on my inside network. I have found and attempted to implement the documented solution but to no avail. The error is reporting:

"Dropping TCP packet from inside: 10.0.0.1/3001 to outside: 10.209.209.209/1086, reason: MSS exceeded, MSS 1380, data 1400"

I have created the map & policy per the instructions found in another document:

# access-list (http-list)permit ip any any

# class-map (http)

# match access-list (http-list)

# tcp-map (tmap)
# exceed-mss allow

# policy-map (global_policy)
# class (http)
# set connection advanced-options (tmap)

# service-policy (global-policy)

(Here I get an "ERROR: % Incomplete command")

Is the access-list (http-list) supposed to be applied to an interface?

I am not really sure how this is suppose to resolve the issue and I am still getting the error in the syslog.

Any help would be greatly appreciated.

Mike Wise · ‎09-22-2009

Hi Jason,

This should help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Mike

JJTontz · ‎09-22-2009

Mike,

Thank You for the URL. I did look at this originally. The timing for your post was immaculate because I discovered and resolved the issue the minute I received your notification.

The above TCP map did resolve the issue. The client was continuing to broadcast the MSS packet in question (probably because it was a TCP packet without an ACK). After a reset to the client's net connection, the error stopped.

Thanks Again.

J.T.