MSS-exceed

Unanswered Question
Dec 28th, 2007

ASA 5510 with a switch in the DMZ whose web interface we are trying to access over HTTPS. The connection fails and logs the error: syslogid419001 Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430

The firewall is running 8.03.

phil.davenport Mon, 12/31/2007 - 15:54

Hi,

Your client's TCP maximum segment size (MSS) is set to 1260; however, the switch's web server is ignoring the MSS sent by the client and sending back data exceeding the TCP MSS. From v7.0 onwards the default behavior is to drop this packet to defend against buffer overrun. The document below should help you. If the web server is running on a Cisco switch it may be worth raising a TAC case once you've looked through the doc.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml


whanson Wed, 01/09/2008 - 16:02

This will fix your problem. It is set for the outside interface, but you can alter it for the DMZ:


! Define the tcp-map first; the policy-map's "set connection advanced-options"
! line refers to it by name and is rejected if the map does not exist yet.
tcp-map mss-map
  exceed-mss allow

! The ACL keyword is "extended" (the original post had "extend")
access-list mssexceed extended permit tcp any any

class-map mssexceed-map
  match access-list mssexceed

policy-map mss-exceed-policy
  class mssexceed-map
    set connection advanced-options mss-map

service-policy mss-exceed-policy interface outside
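The 419001 message phil.davenport explains above carries everything needed to see which host is ignoring the client's MSS and by how much, and whanson's fix above switches off the drop for every TCP flow (`permit tcp any any`). The script below, an added example that is not from the thread or from Cisco, parses such syslog lines, aggregates the drops per sending host and port, and builds ACL entries scoped to just the offending server/port pairs so that the MSS check stays in force for everything else. The log lines in SAMPLE_LOG are constructed for the example (the first is the one quoted in the question); the function and ACL names are the example's own choices, and the ACL entries assume the logged hostname is usable in an ASA ACL, which only holds when the ASA has a matching `name` entry (otherwise substitute the IP address).

```python
import re
from collections import defaultdict

# Pattern for the body of ASA syslog message 419001 as quoted in the thread.
# Only the "419001" id is required, so both "%ASA-4-419001: Dropping ..." and
# the question's "syslogid419001 Dropping ..." form parse.
MSS_DROP_RE = re.compile(
    r"419001[: ]+Dropping TCP packet from "
    r"(?P<src_if>[\w-]+):(?P<src>[\w.\-]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\w.\-]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_drop(line):
    """Return the fields of one 419001 drop message, or None for any other line."""
    m = MSS_DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "mss", "data"):
        rec[key] = int(rec[key])
    # Bytes by which the sender overshot the MSS its peer advertised.
    rec["excess"] = rec["data"] - rec["mss"]
    return rec


def summarize(lines):
    """Aggregate drops per sending endpoint (the side that ignores the MSS)."""
    stats = defaultdict(lambda: {"drops": 0, "max_excess": 0, "peers": set()})
    for line in lines:
        rec = parse_mss_drop(line)
        if rec is None:
            continue
        entry = stats[(rec["src_if"], rec["src"], rec["sport"])]
        entry["drops"] += 1
        entry["max_excess"] = max(entry["max_excess"], rec["excess"])
        entry["peers"].add(rec["dst"])
    return dict(stats)


def scoped_acl_lines(stats, acl_name="mssexceed"):
    """Build ACL entries covering only the offending server/port pairs.

    Written client-to-server (any -> host:port); ASA matches MPF class-map ACLs
    against the connection, so the server's oversized replies are covered too.
    The host value must be an IP address or a name the ASA knows via "name".
    """
    return [
        f"access-list {acl_name} extended permit tcp any host {host} eq {port}"
        for (_iface, host, port) in sorted(stats)
    ]


# Constructed sample log: the line quoted in the question, a second drop from
# the same switch, one from another port, and an unrelated message to skip.
SAMPLE_LOG = [
    "%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430",
    "%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1500",
    "%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/443 to outside:203.0.113.7/41000, reason: MSS exceeded, MSS 1380, data 1460",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/41001 (203.0.113.7/41001) to dmz:smswitch.internal/443 (smswitch.internal/443)",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for (iface, host, port), entry in sorted(stats.items()):
        print(f"{iface}:{host}/{port}: {entry['drops']} drops, "
              f"up to {entry['max_excess']} bytes over MSS, "
              f"peers={sorted(entry['peers'])}")
    print("\n".join(scoped_acl_lines(stats)))
```

Run it against an exported syslog file instead of SAMPLE_LOG to get the per-server picture; the scoped ACL output replaces the `permit tcp any any` entry in the fix above, and the rest of the class-map, policy-map and tcp-map configuration stays the same.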

phillipediab Thu, 04/17/2008 - 13:58

From my experience, applying it on the outside interface didn't take effect. I had to apply it in a global policy, and still the TCP MSS exceeds kept showing up. We had to reload the ASA for the global policy to take effect.

opers13 Mon, 05/19/2008 - 14:20

Is a reload really necessary? Has anyone else done this?
