Web access to switch in DMZ issue

bob.bartlett
Level 1

When we try to connect to the web interface, we get this in the logs:

Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430

6 Replies

JORGE RODRIGUEZ
Level 10

Are you running 7.x? There seems to be a workaround. Check this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Rgds

Jorge

Jorge Rodriguez

Running 8.03 and tried that, no joy.

Running 8.03

Robert, did you follow the example in the link, using service-policy to activate the policy map created and apply it on the outside interface, and using the keyword exceed-mss allow?

I did some more searching and found this is the only way to make this work, even on version 8.0, as this is only done through the policy framework (class-map etc.).

Also, in your original post you indicated this only happens on a particular web link. Looking at the log, cox.home? Do you know the actual link DNS name?

Jorge Rodriguez

Try this script and add it to your global policy; replace server_ip with the destination DMZ host IP address.

    access-list http-list permit tcp any host server_ip eq 80
    class-map http
     match access-list http-list
    tcp-map tmap
     exceed-mss allow
    policy-map global_policy
     class http
      set connection advanced-options tmap

Rgds

Jorge

Jorge Rodriguez

I did that previously and it didn't work. As for the DNS, it is a switch and the switch does not have a DNS entry. We access it by IP.
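An added example, not part of any post in this thread and not Cisco code: a Python script that parses the drop message quoted in the original post, groups the drops by the endpoint that sent the oversized segment, and emits access-list entries in the form used in the reply above, so that the exceed-mss allow exception is scoped to just those hosts. The sample log lines (apart from the first), the function names and the "port 1023 or lower means server" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Format of the drop message quoted in the original post.
DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<sif>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample input: the first line is the message from the thread,
# the others are invented for illustration.
SAMPLE = [
    "Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, "
    "reason: MSS exceeded, MSS 1260, data 1430",
    "Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50207, "
    "reason: MSS exceeded, MSS 1260, data 1380",
    "Dropping TCP packet from outside:192.0.2.10/51000 to dmz:smswitch.internal/80, "
    "reason: MSS exceeded, MSS 1380, data 1460",
    "an unrelated log line that must be ignored",
]

def summarize(lines):
    """Group MSS-exceeded drops by (interface, host, port) of the sender."""
    stats = defaultdict(lambda: {"drops": 0, "max_over": 0, "peers": set()})
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue  # not an MSS-exceeded drop
        s = stats[(m["sif"], m["src"], int(m["sport"]))]
        s["drops"] += 1
        # Bytes by which the segment exceeded the MSS the peer advertised.
        s["max_over"] = max(s["max_over"], int(m["data"]) - int(m["mss"]))
        s["peers"].add(m["dst"])
    return dict(stats)

def acl_lines(stats, acl_name="http-list", max_service_port=1023):
    """One ACL entry per offending server. Assumption: a sender on a port at or
    below max_service_port is the server side of the connection."""
    return [f"access-list {acl_name} permit tcp any host {host} eq {port}"
            for (_ifc, host, port) in sorted(stats) if port <= max_service_port]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for (ifc, host, port), s in sorted(stats.items()):
        print(f"{ifc}:{host}/{port} drops={s['drops']} "
              f"max_over={s['max_over']}B peers={sorted(s['peers'])}")
    print("\n".join(acl_lines(stats)))
```

Senders on high ports are reported in the summary but get no ACL entry, since an entry keyed on a client's ephemeral port would not match later connections.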
