MSS drops

Unanswered Question
Nov 14th, 2008

We're experiencing strange behaviour whereby certain VPN users are being dropped when connecting from their home broadband, which only affects people with D-Link home routers. We are using Checkpoint VPN-1 for the VPN concentration, which must first pass through a PIX-525 running v7.0(6), and the PIX is dropping the connection with the error message 'MSS exceeded, MSS 1024, data 1360'.

It looks like the default MSS for the device is 1024 so I've increased it to 1370 and the PIX allowed the connections through. Now I'm getting 'MSS exceeded, MSS 1370, data 1460' and the PIX is dropping connections again.

Given the fact that the maximum segment size for TCP proxy connections is already fixed at 1380, will it create a problem if I keep increasing the minimum value?

By the way, users with Netgear / Belkin etc. home routers connect fine. It only affects users with D-Link home routers.

Any ideas what the optimum maximum and minimum segment size should be set to?
