Help with log output ,regarding MSS

arnis
Level 1

OK, so I know that the ASA is dropping packets because of a TCP MSS mismatch.

And I know how to tune the ASA not to do it.

But my question is based on this log: what device is setting the MSS at 1380, because as far as I can see everything is set at MTU 1500?

%ASA-4-419001: Dropping TCP packet from Outside:185.212.19.44/1930 to DMZ2:Host_A/25, reason: MSS exceeded, MSS 1380, data 1400

2 Replies

vitripat
Level 7

This cannot be determined using the MTU values on the ASA or simply from the log above. We need to take packet captures on the Outside and DMZ2 interfaces of the ASA in order to determine which host is not complying with the MSS values advertised in the first communication.

I'm not sure what is the IP of the DMZ host, so I'll take two, public_ip & private_ip. With these assumptions, capture commands would look like these:

access-l cpo permit ip host 185.212.19.44 host public_ip

access-l cpo permit ip host public_ip host 185.212.19.44

capture capo access-l cpo buffer 1000000 packet-length 1518 interface outside

access-l cpi permit ip host 185.212.19.44 host private_ip

access-l cpi permit ip host private_ip host 185.212.19.44

capture capi access-l cpi buffer 1000000 packet-length 1518 interface DMZ2

To download the captures, you can use following URLs if you have ASDM installed:

https://interface_ip/capture/capo/pcap

https://interface_ip/capture/capi/pcap

If you don't have ASDM, use the copy command to send the captures to a TFTP server.

Hope that helps.

Regards,

Vibhor.
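Once both captures are downloaded, the question to answer is the one the ASA itself answers when it logs 419001: which endpoint sent a data segment larger than the MSS its peer advertised in the SYN or SYN-ACK. The following Python script is an added example (not from this thread or from Cisco) of that check. It parses raw IPv4+TCP packets, records the MSS option each endpoint advertised during the handshake, and flags any data segment that exceeds the limit the receiving side announced. The captured packets are constructed inline to mirror the log line above: the DMZ host address 10.20.0.25 and the byte payloads are assumptions; the script does not read an actual pcap file, so to use it on real captures you would feed it the IP payload of each frame.

```python
"""Flag TCP data segments that exceed the MSS advertised by their receiver.

Added example, not part of the original thread.  Packets are built by hand
(IPv4 + TCP, no Ethernet/pcap framing, checksums left at zero) so the script
runs offline; 10.20.0.25 is an assumed address for the DMZ host "Host_A".
"""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
CLIENT = "185.212.19.44"   # from the log line
SERVER = "10.20.0.25"      # assumed address of DMZ2:Host_A


def build_tcp_packet(src, dst, sport, dport, flags, payload=b"", mss=None):
    """Construct a minimal IPv4+TCP packet; an MSS option is added if given."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset = (20 + len(opts)) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                      flags, 65535, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_tcp_packet(raw):
    """Return addresses, SYN flag, advertised MSS (if any) and payload length."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    mss, i, opts = None, 0, tcp[20:data_off]
    while i < len(opts):                          # walk the TCP options
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:             # kind 2 = Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": bool(flags & SYN), "mss": mss, "data": len(tcp) - data_off}


def find_mss_violations(packets):
    """List (sender, receiver, data_len, limit) for every data segment larger
    than the MSS the *receiver* advertised, the condition behind %ASA-4-419001."""
    advertised = {}                               # (ip, port) -> MSS it announced
    violations = []
    for raw in packets:
        p = parse_tcp_packet(raw)
        if p["syn"] and p["mss"] is not None:
            advertised[(p["src"], p["sport"])] = p["mss"]
        if p["data"] == 0:
            continue
        limit = advertised.get((p["dst"], p["dport"]))
        if limit is not None and p["data"] > limit:
            violations.append((p["src"], p["dst"], p["data"], limit))
    return violations


def sample_capture():
    """Constructed flow: client advertises 1460, server side advertises 1380
    (the ASA default), and the client then sends a 1400-byte segment."""
    return [
        build_tcp_packet(CLIENT, SERVER, 1930, 25, SYN, mss=1460),
        build_tcp_packet(SERVER, CLIENT, 25, 1930, SYN | ACK, mss=1380),
        build_tcp_packet(CLIENT, SERVER, 1930, 25, ACK),
        build_tcp_packet(SERVER, CLIENT, 25, 1930, PSH | ACK, b"2" * 1400),  # fine: client allows 1460
        build_tcp_packet(CLIENT, SERVER, 1930, 25, PSH | ACK, b"M" * 1380),  # fine: equals the limit
        build_tcp_packet(CLIENT, SERVER, 1930, 25, PSH | ACK, b"D" * 1400),  # exceeds 1380
    ]


if __name__ == "__main__":
    for sender, receiver, size, limit in find_mss_violations(sample_capture()):
        print(f"{sender} -> {receiver}: data {size} exceeds advertised MSS {limit}")
```

Run against the real captures, the sender reported here is the host that is ignoring the MSS it was given, which is the piece of information neither the MTU settings nor the single log line can provide; in the thread's scenario the 1400-byte segment from the Outside host is the one the ASA drops, and 1380 is the value phillipediab refers to below as the ASA default.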

phillipediab
Level 1

The default on the ASA is 1380. This is different from the MTU size on the interface.
