03-15-2007 02:11 AM - edited 03-11-2019 02:46 AM
ok so I know that the ASA is dropping packets because of a TCP MSS mismatch.
and I know how to tune the ASA not to do it.
but my question is, based on this log, what device is setting the MSS at 1380, because as far as I can see everything is set at MTU 1500?
%ASA-4-419001: Dropping TCP packet from Outside:185.212.19.44/1930 to DMZ2:Host_A/25, reason: MSS exceeded, MSS 1380, data 1400
03-15-2007 09:51 AM
This cannot be determined using the MTU values on the ASA or simply from the log above. We need to take packet captures on the Outside and DMZ2 interfaces of the ASA in order to determine which host is not complying with the MSS values advertised in the first communication.
I'm not sure what is the IP of the DMZ host, so I'll take two, public_ip & private_ip. With these assumptions, capture commands would look like these:
access-l cpo permit ip host 185.212.19.44 host public_ip
access-l cpo permit ip host public_ip host 185.212.19.44
capture capo access-l cpo buffer 1000000 packet-length 1518 interface outside
access-l cpi permit ip host 185.212.19.44 host private_ip
access-l cpi permit ip host private_ip host 185.212.19.44
capture capi access-l cpi buffer 1000000 packet-length 1518 interface DMZ2
To download the captures, you can use the following URLs if you have ASDM installed:
https://interface_ip/capture/capo/pcap
https://interface_ip/capture/capi/pcap
If you don't have ASDM, use the copy command to send the captures to a TFTP server.
Hope that helps.
Regards,
Vibhor.
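One way to check such captures once the packets are extracted, as an added example that is not part of the original thread: it records the MSS each side advertises in its SYN or SYN-ACK and flags any data segment larger than what the receiver advertised. The packets are constructed samples given as raw IPv4 bytes, and the server address 192.0.2.25 and the `build` helper are assumptions made for illustration.

```python
import struct

def parse_tcp(pkt):
    """Parse a raw IPv4/TCP packet -> (src, dst, flags, mss_option, payload_len)."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    src = (".".join(map(str, pkt[12:16])), sport)
    dst = (".".join(map(str, pkt[16:20])), dport)
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    mss, opts, i = None, tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                # malformed option, stop parsing
        if opts[i] == 2 and opts[i + 1] == 4:    # kind 2 = MSS, 2-byte value
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return src, dst, flags, mss, len(tcp) - doff

def find_mss_violations(packets):
    """Flag data segments larger than the MSS the receiving side advertised."""
    advertised, violations = {}, []
    for pkt in packets:
        src, dst, flags, mss, plen = parse_tcp(pkt)
        if flags & 0x02 and mss is not None:     # SYN or SYN-ACK carries the MSS
            advertised[(src, dst)] = mss
        limit = advertised.get((dst, src))       # what the peer told this sender
        if plen and limit is not None and plen > limit:
            violations.append((src[0], dst[0], limit, plen))
    return violations

def build(src, dst, sport, dport, flags, mss=None, payload=b""):
    """Constructed sample packet: minimal IPv4+TCP headers, checksums zeroed."""
    opts = b"\x02\x04" + struct.pack("!H", mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (20 + len(opts)) // 4 << 4, flags, 65535, 0, 0) + opts + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp

CLIENT, SERVER = "185.212.19.44", "192.0.2.25"   # SERVER is a placeholder address
SAMPLE = [                                       # constructed, outside-capture view
    build(CLIENT, SERVER, 1930, 25, 0x02, mss=1460),             # SYN
    build(SERVER, CLIENT, 25, 1930, 0x12, mss=1380),             # SYN-ACK
    build(CLIENT, SERVER, 1930, 25, 0x18, payload=b"A" * 1400),  # data, 1400 bytes
]
print(find_mss_violations(SAMPLE))
```

Running the same check over the capture from each interface and comparing the MSS seen in the SYN and SYN-ACK on both sides shows where the advertised value changes.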
04-17-2008 01:54 PM
The default on the ASA is 1380. This is different than the MTU size on the interface