ASA fragment fails

Josh Morris · ‎05-07-2013

I am running an ASA 5520 with 8.4(1).

I have had some Mac users complain of slow SMB transfers, so I've bene looking into MTU settings.

My default group policy sets the MTU to 1406. However, there is a tcpmss command on the ASA setting it to 1200 bytes. (

sysopt connection tcpmss 1200)

If I look at 'show fragment' I see a ton of failed reassemblys, which bothers me.

Interface: inside

Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual

Queue: 0, Assembled: 1492, Fail: 1159641169920, Overflow: 0

Interface: outside

Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual

Queue: 0, Assembled: 1317493, Fail: 234110077370368, Overflow: 0

So I'm wondering if the client is sending out a packet size of 1406 + overhead (so we'll say 1500), but the VPN is only allowing a packet size of 1200 bytes due to the mss setting. And this could be causing a ton of retransmissions, as well as fragmentation.

Could this be what is happening, and should I adjust the mss setting to something more like 1400?

Thanks.

Josh Morris · ‎05-21-2013

An update on this, I adjusted the tcpmss value to the default value of 1380. I initially was not seeing any fragment fails, but the number has grown very large again. Any ideas as to why I'm seeing these fragment fails?

ASA-1# show fragment

Interface: inside

Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual

Queue: 0, Assembled: 1, Fail: 4294967296, Overflow: 0

Interface: outside

Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual

Queue: 0, Assembled: 751, Fail: 528280977408, Overflow: 0

Interface: management

Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual

Queue: 0, Assembled: 0, Fail: 0, Overflow: 0