VPN Traffic Problem

helfrich (Level 1)

Hello,

I've got a strange problem. I can establish a tunnel between a PIX 515e (8.0.3) and an ASA 5510 (7.0.6). Ping works, but HTTP for example throws MSS Exceed on the ASA. PIX and ASA are configured to allow mss-exceed via service policy. The data size is always about 1443 bytes. The sysopt tcpmss value is set to 1380, which should be enough for payload and IPsec header. The error message says MSS Exceed MSS 1260 data bytes 1443 ... ??? What the hell can I do to reduce the payload? Changing the MTU size doesn't help.

I discovered that the problem arises if I do an upgrade to ASA/PIX OS later than 7.0.6, because I have a second L2L tunnel to a Checkpoint device, and if I upgrade the ASA this tunnel doesn't work for large packets.

Any help is needed...

Greetings, Markus

1 Reply

didyap (Level 6)

Check the config for allowing mss-exceed. Following is an example config:

access-list http-list permit ip any any
!
class-map http
 match access-list http-list
 exit
!
tcp-map tmap
 exceed-mss allow
 exit
!
policy-map global_policy
 class http
  set connection advanced-options tmap
!
service-policy global_policy global

Also check for the traffic that is being denied and check if you have configured this for the right traffic.
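To make "check the traffic that is being denied" concrete, here is an added example (not from the thread or from Cisco) that parses the ASA "MSS exceeded" drop message out of syslog and flags drops where the MSS recorded in the message is smaller than the local sysopt tcpmss clamp, which points at the peer or a device in the path advertising the lower MSS. The log lines and addresses are constructed; the 1260/1443 figures mirror the numbers quoted in the question.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the shape of the ASA message 419001
# ("MSS exceeded" drop); addresses and ports are made up for this example.
SAMPLE_LOGS = [
    "%ASA-4-419001: Dropping TCP packet from inside:192.0.2.10/49152 "
    "to outside:198.51.100.20/80, reason: MSS exceeded, MSS 1260, data 1443",
    "%ASA-4-419001: Dropping TCP packet from inside:192.0.2.11/49153 "
    "to outside:198.51.100.20/80, reason: MSS exceeded, MSS 1380, data 1400",
    "%ASA-6-302013: Built inbound TCP connection 12 for "
    "outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.0.2.12/443",
]

MSS_EXCEEDED = re.compile(
    r"Dropping TCP packet from (?P<src>\S+) to (?P<dst>\S+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_drop(line: str) -> Optional[dict]:
    """Return the fields of an MSS-exceeded drop, or None for any other message."""
    m = MSS_EXCEEDED.search(line)
    if not m:
        return None
    mss, data = int(m.group("mss")), int(m.group("data"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "mss": mss,
        "data": data,
        "excess": data - mss,  # bytes by which the segment overran the MSS
    }


def analyse(lines, sysopt_tcpmss: int):
    """Collect MSS drops and mark those whose MSS is below the local clamp.

    The MSS in the drop message is the value the ASA saw in the connection's
    handshake, not the local 'sysopt connection tcpmss' setting; when it is
    lower than the clamp, the smaller value came from the other end or from
    a device in between, so raising the local setting will not help.
    """
    findings = []
    for line in lines:
        drop = parse_mss_drop(line)
        if drop is None:
            continue
        drop["handshake_mss_below_sysopt"] = drop["mss"] < sysopt_tcpmss
        findings.append(drop)
    return findings
```

Feed it the output of `show logging` (or the syslog server's file) and the sysopt tcpmss value from the running config; drops flagged True need the MSS fixed on the far side or the exceed-mss allow policy, not a larger local clamp.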
