05-23-2008 11:19 AM - edited 03-11-2019 05:49 AM
Hi all,
I have an MSS issue with an ASA running 7.2
Here is the scenario
The client is a web browser (IE 6 or 7)
The server is Apache (don't know the version)
protocol is HTTPS - 443
When the client and the server are on the same VLAN I get the following
MSS values;
During Syn - MSS proposed is 1460
During Ack - Syn MSS proposed is 1460
During Push - SSL data is 1460 bytes as expected
Now if I move the browser outside an ASA running 7.2 I get the following MSS values
During Syn - MSS proposed is 1460
During Ack - Syn MSS proposed is 1380
During Push - SSL data is 536 bytes (the default value)
For some reason the client and server refuse to apply the proposed values
and the packets stay at the default value of 536 bytes.
I don't log any errors (mss-exceeded or stuff like that)
I tried the following command but it didn't change anything
-sysopt connection tcpmss minimum 1380-
Does anyone know what to do to get a better packet size?
thanks
05-28-2008 02:40 AM
Please have a look at this link, it should help:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
Please rate this post if you find it helpful
Regards
Farrukh
05-28-2008 06:03 AM
thanks for the link, but I was aware of it and the problem is not related to mss-exceeded.
The document says;
"A discovery has been made that there are a few HTTP servers on the Internet that do not honor the MSS that the client advertises".
It seems to be our case, but the server, instead of keeping an MSS of 1460 while the client is expecting 1380, takes an MSS of 536. So we have the inverse of an mss-exceeded.
And 536 is the default MSS value before it gets changed after the MSS negotiation. So for some reason the MSS proposals are dropped at the firewall, or the server refuses any proposal other than 1460.
05-28-2008 10:04 AM
Problem resolved;
Finally the problem was on the server. A misconfigured registry was disabling Path MTU Discovery, forcing the packet size to 536
for all non-local destination IP addresses.
ref:
Windows 2000/XP
Note: The modification of the Windows NT TCP/IP parameters involves editing the registry. This should only be attempted by experienced system administrators because mistakes can render the system unbootable. After these registry changes are done, reboot to apply the changes.
Disable PMTUD:
PMTU discovery is enabled by default, but can be controlled with the addition of this value to the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
PMTU Discovery: 0 or 1 (Default = 1)
Data Type: DWORD
A "1" enables discovery while a "0" disables it. When PMTU discovery is disabled, a MTU of 576 bytes is used for all non-local destination IP addresses. The TCP MSS= 536.
When you set this parameter to 1 (True), it causes TCP to attempt to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. With the discovery of the Path MTU and the limitation of TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion.
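The exchange in this thread (client SYN with MSS 1460, SYN-ACK clamped to 1380 by the firewall, server data suddenly arriving in 536-byte segments) is easy to misread in a capture. The following is an added example, not code from the original post or from Cisco: it builds constructed TCP headers, parses the MSS option the way a capture tool would, models the firewall MSS clamp and a sender that has PMTUD disabled (falling back to the 536-byte default for non-local destinations, as the quoted Windows documentation describes), and classifies what is observed. The header builder, `clamp_mss`, `sender_segment_size` and `diagnose` are hypothetical helpers written for this illustration; the 576-byte MTU and 536-byte MSS constants are the values stated in the quoted text.

```python
import struct

SYN = 0x02
ACK = 0x10
DEFAULT_MSS = 536  # 576-byte MTU minus 40 bytes of IPv4 + TCP headers (from the quoted doc)


def build_tcp_header(src_port, dst_port, flags, mss=None):
    """Constructed TCP header (no IP header, zero checksum) with an optional MSS option."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", 2, 4, mss)  # kind 2, length 4, MSS value
    while len(options) % 4:  # pad with NOPs to a 32-bit boundary
        options += b"\x01"
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def iter_tcp_options(segment):
    """Yield (kind, offset_in_segment, length) for each option, handling EOL and NOP."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:  # End of option list
            return
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed TCP option")
        yield kind, i, length
        i += length


def advertised_mss(segment):
    """Return the MSS option value, or None if the segment carries no MSS option."""
    for kind, off, length in iter_tcp_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_mss(segment, limit):
    """Model of a firewall MSS clamp: lower the MSS option to `limit` if it is higher."""
    out = bytearray(segment)
    for kind, off, length in iter_tcp_options(segment):
        if kind == 2 and length == 4:
            current = struct.unpack("!H", segment[off + 2:off + 4])[0]
            if current > limit:
                out[off + 2:off + 4] = struct.pack("!H", limit)
    return bytes(out)


def sender_segment_size(peer_mss, pmtud_enabled, remote_destination):
    """Payload size a sender uses: the peer's MSS, unless PMTUD is disabled and the
    destination is non-local, in which case it falls back to DEFAULT_MSS."""
    if not pmtud_enabled and remote_destination:
        return DEFAULT_MSS
    return peer_mss


def diagnose(peer_mss, observed_payload):
    """Classify an observed data segment against the MSS the sender was given."""
    if observed_payload > peer_mss:
        return "mss-exceeded: sender ignores the advertised MSS"
    if observed_payload == peer_mss:
        return "ok: advertised MSS honored"
    if observed_payload == DEFAULT_MSS:
        return "fallback to 536: sender likely has PMTUD disabled"
    return "sender using a smaller segment than advertised"


def simulate(pmtud_enabled, firewall_limit=1380, host_mss=1460):
    """Replay the thread's handshake as seen from the client side of the firewall."""
    client_syn = build_tcp_header(49152, 443, SYN, mss=host_mss)
    syn_at_server = clamp_mss(client_syn, firewall_limit)       # what the server receives
    server_synack = build_tcp_header(443, 49152, SYN | ACK, mss=host_mss)
    synack_at_client = clamp_mss(server_synack, firewall_limit)  # what the client receives
    mss_server_received = advertised_mss(syn_at_server)
    payload = sender_segment_size(mss_server_received, pmtud_enabled, remote_destination=True)
    return {
        "syn_mss": advertised_mss(client_syn),
        "synack_mss": advertised_mss(synack_at_client),
        "server_payload": payload,
        "diagnosis": diagnose(mss_server_received, payload),
    }


if __name__ == "__main__":
    print(simulate(pmtud_enabled=False))  # the symptom reported in the thread
    print(simulate(pmtud_enabled=True))   # after the registry fix
```

With PMTUD disabled the simulation reproduces exactly what the original poster saw (SYN 1460, SYN-ACK 1380, data in 536-byte segments) even though every MSS option crossed the firewall correctly, which is why no mss-exceeded log appeared: the handshake was fine and the sender simply never used the negotiated value. The same `advertised_mss` parser can be pointed at raw TCP headers pulled from a capture to confirm which MSS each side actually received.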
05-28-2008 11:20 PM
I'm glad to know that your problem is resolved now. It was Uncle Bill again.
Regards
Farrukh