Help with log output regarding MSS

Unanswered Question
Mar 15th, 2007

OK, so I know that the ASA is dropping packets because of a TCP MSS mismatch.

And I know how to tune the ASA not to do it.

But my question is, based on this log, what device is setting the MSS at 1380, because as far as I can see everything is set at MTU 1500?

%ASA-4-419001: Dropping TCP packet from Outside: to DMZ2:Host_A/25, reason: MSS exceeded, MSS 1380, data 1400

vitripat Thu, 03/15/2007 - 09:51

This cannot be determined using the MTU values on the ASA or simply from the log above. We need to take packet captures on the Outside and DMZ2 interfaces of the ASA in order to determine which host is not complying with the MSS values advertised in the first communication.

I'm not sure what is the IP of the DMZ host, so I'll take two, public_ip & private_ip. With these assumptions, capture commands would look like these:

access-l cpo permit ip host host public_ip

access-l cpo permit ip host public_ip host

capture capo access-l cpo buffer 1000000 packet-length 1518 interface outside

access-l cpi permit ip host host private_ip

access-l cpi permit ip host private_ip host

capture capi access-l cpi buffer 1000000 packet-length 1518 interface inside

To download the captures, you can use the following URLs if you have ASDM installed:



If you don't have ASDM, use the copy command to send the captures to a TFTP server.

Hope that helps.
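
The check described in the answer above, run over captured packets, as an added example that is not part of the original thread: it records the MSS each side advertises in its SYN or SYN-ACK and flags any segment whose payload exceeds what the receiver advertised. The addresses, ports and packets are constructed sample data mirroring the numbers in the log line, and `build_segment`, `parse_segment` and `find_mss_violations` are names chosen for this example.

```python
import socket
import struct

def build_segment(src, dst, sport, dport, flags, payload=b"", mss=None):
    """Constructed test data: minimal IPv4+TCP packet, checksums left at zero."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, ((20 + len(opts)) // 4) << 4,
                      flags, 65535, 0, 0) + opts + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + tcp

def parse_segment(pkt):
    """Return (sender, receiver, flags, advertised MSS or None, payload length)."""
    # TCP segment = bytes between the IP header length and the IP total length
    tcp = pkt[(pkt[0] & 0x0F) * 4:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    opts, mss, i = tcp[20:doff], None, 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                          # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                 # malformed option, stop parsing
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):  # kind 2 = MSS
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return (pkt[12:16], sport), (pkt[16:20], dport), flags, mss, len(tcp) - doff

def find_mss_violations(packets):
    """List (packet number, sender IP, MSS limit, data length) for oversized segments."""
    advertised, violations = {}, []               # (advertiser, peer) -> MSS
    for number, pkt in enumerate(packets, 1):
        sender, receiver, flags, mss, data_len = parse_segment(pkt)
        if flags & 0x02 and mss is not None:      # SYN or SYN-ACK carries the MSS
            advertised[(sender, receiver)] = mss
        limit = advertised.get((receiver, sender))  # what the receiver said it accepts
        if limit is not None and data_len > limit:
            violations.append((number, socket.inet_ntoa(sender[0]), limit, data_len))
    return violations

# Constructed capture: the client is told MSS 1380, then sends 1400 bytes of data.
CLIENT, SERVER = "198.51.100.10", "192.0.2.25"
SAMPLE_CAPTURE = [
    build_segment(CLIENT, SERVER, 40000, 25, 0x02, mss=1460),           # SYN
    build_segment(SERVER, CLIENT, 25, 40000, 0x12, mss=1380),           # SYN-ACK
    build_segment(CLIENT, SERVER, 40000, 25, 0x18, payload=b"A" * 1400),
    build_segment(SERVER, CLIENT, 25, 40000, 0x18, payload=b"B" * 1380),
]
if __name__ == "__main__": print(find_mss_violations(SAMPLE_CAPTURE))
```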



phillipediab Thu, 04/17/2008 - 13:54

The default on the ASA is 1380. This is different than the MTU size on the interface.

