Web access to switch in DMZ issue

Unanswered Question
Dec 28th, 2007

When we try to connect to the web interface, we get this in the logs:

Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430

JORGE RODRIGUEZ Sat, 12/29/2007 - 10:10

Robert, did you follow the example in the link, using service-policy to activate the policy map created and apply it on the outside interface, and using the keyword exceed-mss allow?

I did some other searching and found this is the only way to make this work, even on version 8.0, as this is only done through the policy framework (class-map, etc.).

Also, in your original post you indicated this only happens on a particular weblink. Looking at the log, cox.home? Do you know the actual link DNS name?

JORGE RODRIGUEZ Sat, 12/29/2007 - 11:32

Try this script and add it to your global policy; replace server_ip with the destination DMZ host IP address.

access-list http-list permit tcp any host server_ip eq 80
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap



bob.bartlett Sat, 12/29/2007 - 16:09

I did that previously and it didn't work. As for the DNS, it is a switch and the switch does not have a DNS entry. We access it by IP.
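
Added example, not part of the original thread or any Cisco tooling: a small Python parser for the "MSS exceeded" drop message quoted in the first post. It groups drops by sending endpoint so the access-list in the class-map can be scoped to the hosts that actually exceed the advertised MSS. The names `parse_drop`, `summarize` and `SAMPLE` are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Matches the drop message text quoted in the original post.
DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_drop(line):
    """Return a dict for one MSS-exceeded drop line, or None if it does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "mss", "data"):
        rec[key] = int(rec[key])
    # Bytes of payload beyond the MSS the peer advertised.
    rec["overshoot"] = rec["data"] - rec["mss"]
    return rec

def summarize(lines):
    """Group drops by sending endpoint: (interface, host, port) -> stats."""
    stats = defaultdict(lambda: {"drops": 0, "mss": set(), "max_data": 0, "peers": set()})
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue  # not an MSS-exceeded drop
        entry = stats[(rec["src_if"], rec["src"], rec["sport"])]
        entry["drops"] += 1
        entry["mss"].add(rec["mss"])
        entry["max_data"] = max(entry["max_data"], rec["data"])
        entry["peers"].add((rec["dst_if"], rec["dst"]))
    return dict(stats)

# First line is the message from the post; the remaining lines are constructed.
SAMPLE = [
    "Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430",
    "Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50207, reason: MSS exceeded, MSS 1260, data 1460",
    "constructed unrelated log line that the parser should ignore",
]

if __name__ == "__main__":
    for (ifc, host, port), s in summarize(SAMPLE).items():
        print(f"{ifc}:{host}/{port} drops={s['drops']} mss={sorted(s['mss'])} "
              f"max_data={s['max_data']} peers={sorted(s['peers'])}")
```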

