How to handle "MSS exceeded" error message

Unanswered Question
Sep 10th, 2008

The ASA firewall's syslog message indicates that the public IP of the email server xx.xx.xx.ww/443 dropped TCP packets to the ASA public IP xx.xx.xx.yy/34018 due to MSS exceeded.

Is there a security or performance issue to allow all packets that exceed the MSS?

09-09-2008 09:34:37 Local4.Warning 192.168.xx.xx Sep 09 2008 09:43:12: %ASA-4-419001: Dropping TCP packet from outside:xx.xx.xx.ww/443 to Inside:xx.xx.xx.yy/34018, reason: MSS exceeded, MSS 1260, data 1460

Thanks.

suschoud Wed, 09/10/2008 - 08:38

Hi,

Here are the commands:

ASA-5510-8x(config)# access-list http-list2 permit ip any any
ASA-5510-8x(config)# class-map http-map1
ASA-5510-8x(config-cmap)# match access-list http-list2
ASA-5510-8x(config-cmap)# exit
ASA-5510-8x(config)# tcp-map mss-map
ASA-5510-8x(config-tcp-map)# exceed-mss allow
ASA-5510-8x(config-tcp-map)# exit
ASA-5510-8x(config)# policy-map global_policy
ASA-5510-8x(config-pmap)# class http-map1
ASA-5510-8x(config-pmap-c)# set connection advanced-options mss-map
ASA-5510-8x(config-pmap-c)# exit
ASA-5510-8x(config-pmap)# exit

Do rate helpful posts.

Regards,

Sushil


saidfrh Wed, 09/10/2008 - 08:52

Sushil,

In the 3-way TCP handshake, the length of the TCP packet is negotiated. When the packets are routed, the length of the TCP packets exceeds the negotiated length. Is the above normal?

Is there a security issue allowing all IP packets with different lengths to enter the firewall?

suschoud Wed, 09/10/2008 - 09:11

The default MSS (maximum segment size) of 1380 is good enough for most Ethernet networks. However, if a segment comes with a size of more than 1380, the firewall drops it. Segments of size more than 1380 are normal, depending on what media is used for communication. Allowing such packets does not introduce any security risks. It's an add-on security feature of the ASA which lets you know that some packets are not following the default RFC standards. I have never seen any issues when such packets are allowed through the f/w (believe me, in TAC we see this every other day :)

Please rate if helpful

Regards,

Sushil
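As an added example (not part of the thread or of any Cisco tooling), here is a small Python triage script that parses %ASA-4-419001 lines in the format quoted in the question and summarizes, per sending host and port, how many segments were dropped, which MSS the ASA enforced and by how many bytes the payload overshot it; that lets an operator see which peers are affected before loosening the policy with `exceed-mss allow`. The log lines inside the script are constructed samples using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Pattern for the ASA message quoted in the question (%ASA-4-419001).
ASA_419001 = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)
# Constructed sample lines modelled on the thread's message (RFC 5737 addresses).
SAMPLE_LOG = [
    "Sep 09 2008 09:43:12: %ASA-4-419001: Dropping TCP packet from "
    "outside:198.51.100.25/443 to Inside:192.0.2.10/34018, "
    "reason: MSS exceeded, MSS 1260, data 1460",
    "Sep 09 2008 09:50:01: %ASA-4-419001: Dropping TCP packet from "
    "outside:203.0.113.5/25 to Inside:192.0.2.20/51000, "
    "reason: MSS exceeded, MSS 1380, data 1460",
    # Unrelated (constructed) message that the parser must skip.
    "Sep 09 2008 09:50:02: %ASA-6-302014: Teardown TCP connection 4711 "
    "for outside:203.0.113.5/25 to Inside:192.0.2.20/51000 duration 0:00:01",
]

def parse_419001(line):
    """Return the fields of one 419001 drop, or None for any other message."""
    m = ASA_419001.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "mss", "data"):
        rec[key] = int(rec[key])
    rec["excess"] = rec["data"] - rec["mss"]  # payload bytes beyond the enforced MSS
    return rec

def summarize(lines):
    """Aggregate drops per sending host/port: count, enforced MSS, worst excess."""
    stats = defaultdict(lambda: {"drops": 0, "mss": None, "max_excess": 0})
    for line in lines:
        rec = parse_419001(line)
        if rec is None:
            continue
        s = stats[(rec["src_ip"], rec["src_port"])]
        s["drops"] += 1
        s["mss"] = rec["mss"]
        s["max_excess"] = max(s["max_excess"], rec["excess"])
    return dict(stats)

if __name__ == "__main__":
    for (ip, port), s in summarize(SAMPLE_LOG).items():
        print(f"{ip}:{port} drops={s['drops']} mss={s['mss']} excess={s['max_excess']}")
```

Feed it real syslog output instead of SAMPLE_LOG to see whether the oversized segments come from one peer (as in the question, the mail server on 443) or from many, which is what decides how broad the `access-list` in the tcp-map policy should be.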

saidfrh Wed, 09/10/2008 - 10:03

Sushil,

This is a production firewall. Would copying and pasting your configuration affect the network?

suschoud Wed, 09/10/2008 - 10:44

Could you paste the show commands below:

sh run policy-map
sh run class-map
sh run service-policy

Accordingly, I would let you know.

Regards,

Sushil

saidfrh Wed, 09/10/2008 - 11:34

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
 class ips-class
  ips inline fail-open
policy-map ips-pol
 class ips-class
  ips inline fail-open

class-map ips-class
 match access-list ips
class-map inspection_default
 match default-inspection-traffic
!
service-policy global_policy global

suschoud Wed, 09/10/2008 - 11:36

Perfect,

Go ahead and add the commands with NO WORRIES.

Please rate if helpful. :)

Regards,

Sushil

cnj_bucks Wed, 01/20/2010 - 07:25

We are having a similar issue. We have an ASA5505 and on this network we have a scanner/copier that does scan to email. We are noticing that when the copier/scanner attempts to contact an email server that resides on the other side of the tunnel, we are getting the 419001 error messages.

Will the code you posted work for this? The destination port for this traffic is 25.
