VPN Traffic Problem

Unanswered Question


I've got a strange problem. I can establish a tunnel between a PIX 515e (8.0.3) and an ASA 5510 (7.0.6). Ping works; HTTP, for example, throws MSS Exceed on the ASA. PIX and ASA are configured to allow mss-exceed via service policy. The data size is always about 1443 bytes. The sysopt tcpmss value is set to 1380, which should be enough for payload and IPsec header. The error message says MSS Exceed MSS 1260 Data bytes 1443 ... ??? What the hell can I do to reduce the payload? Changing the MTU size doesn't help.

I discovered that the problem appears if I do an upgrade to ASA/PIX OS later than 7.0.6, because I have a second L2L tunnel to a Checkpoint device, and if I upgrade the ASA this tunnel doesn't work for large packets.

Any help is needed...

Greetings, Markus

didyap Mon, 12/10/2007 - 07:08

Check the config for allowing mss-exceed. Following is an example config:

access-list http-list permit ip any any
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
service-policy global_policy global

Also check for the traffic that is being denied and check if you have configured this for the right traffic.
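As an added example (not part of this thread and not Cisco code), a small Python check that walks the chain the answer describes, service-policy to policy-map to class to class-map/ACL and tcp-map, and reports whether a given TCP flow is actually covered by exceed-mss allow. It assumes a config laid out as in the answer, a global service-policy, and ACEs whose address operands are only any or host <ip>; the sample config and addresses are constructed.

```python
import re
# Constructed sample of the MPF chain from the answer above (not from a real device).
SAMPLE_CONFIG = """\
access-list http-list permit ip any any
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
service-policy global_policy global
"""
def parse_sections(text):
    """Group indented child lines under their top-level command line."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif raw.strip() and current is not None:
            sections[current].append(raw.strip())
    return sections
def acl_permits(sections, acl_name, src, dst):
    """True if a 'permit' ACE in acl_name covers src -> dst ('any' or 'host <ip>' operands only)."""
    ace = re.compile(rf"^access-list {re.escape(acl_name)} permit \S+ (any|host \S+) (any|host \S+)$")
    for line in sections:
        m = ace.match(line)
        if m and all(op == "any" or op == f"host {ip}" for op, ip in zip(m.groups(), (src, dst))):
            return True
    return False
def exceed_mss_allowed(config_text, src, dst):
    """Report whether a TCP flow src -> dst may carry more data than the advertised MSS."""
    sec = parse_sections(config_text)
    for top in sec:
        if not (top.startswith("service-policy ") and top.endswith(" global")):
            continue                      # only a globally applied policy is considered here
        cls = None
        for line in sec.get(f"policy-map {top.split()[1]}", []):
            if line.startswith("class "):
                cls = line.split()[1]
            elif line.startswith("set connection advanced-options ") and cls:
                tmap = line.split()[-1]
                if "exceed-mss allow" not in sec.get(f"tcp-map {tmap}", []):
                    continue              # tcp-map exists but does not allow MSS exceed
                for m in sec.get(f"class-map {cls}", []):
                    if m.startswith("match access-list ") and acl_permits(sec, m.split()[-1], src, dst):
                        return True
    return False
```

Running it against a config where the ACL only permits one host, or where the policy is applied to a single interface instead of globally, shows the "right traffic" failure the answer warns about.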
