hi everybody. I have some problem with pix firewall with soft 7.0(4). some client behind pix cannot connect his central office with his vpn client not only cisco vpn client some other vpn client too and exchange server cannot receive big files

in log pix write this error :

event 419001 pix 7.0(4) MSS exceeded

I fond how to resolve it in cisco site like this:

Explanation This message is generated when the length of the TCP packet exceeds the MSS

advertised in the 3-way handshake.

src_ifc?Input interface name

src_IP?The source IP address of the packet

src_port?The source port of the packet

dest_ifc?The output interface name

dest_IP?The destination IP address of the packet

dest_port?The destination port of the packet

Recommended Action If there is a need to allow packets that exceed the MSS, create a TCP map using

the exceed-mss command, as in the following example:

access-list http-list permit tcp any host server_ip eq 80 class-map http match

access-list http-list tcp-map tmap

exceed-mss allow

policy-map global_policy

class http

set connection advanced-options tmap service-policy global_policy global

but it can't resolve my problem with exchenge but it urgently need to resolve it because exchange not work good if change pix with linux firewall exchange work good How can resolve this problem ?

and how can do that all vpn client behind pix can connect it vpn server which changes do in pix firewall

my pix config:

spfg# sh run

: Saved

:

PIX Version 7.0(4)

!

hostname spfg

domain-name simple.com

enable password xxx

names

!

interface Ethernet0

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.10.254 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

passwd lpW.MGeEHg0ISQZq encrypted

ftp mode passive

access-list outside extended permit tcp any host x.x.x.x eq smtp

access-list outside extended permit tcp any host x.x.x.x eq pop3

access-list outside extended permit tcp any host x.x.x.x eq www

access-list outside extended permit tcp any host x.x.x.x eq ssh

access-list outside extended deny ip any any log

!

tcp-map tmap

exceed-mss allow

no ttl-evasion-protection

!

pager lines 24

logging enable

logging trap informational

logging asdm warnings

logging mail informational

mtu outside 1500

mtu inside 1500

ERROR: Command requires failover license

ERROR: Command requires failover license

asdm image flash:/asdm

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.10.0 255.255.255.0

static (inside,outside) 85.132.22.42 192.168.10.1 netmask 255.255.255.255

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 30

console timeout 0

!

class-map smtp

match access-list outside

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_smtp

class smtp

set connection advanced-options tmap

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect esmtp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

spfg#