IPSec VPN Remote-Access and TCP MSS issue

Unanswered Question
Apr 17th, 2010


I'd like your advice about an issue with IPSec and TCP MSS.

I have the following architecture in production:

Cisco VPN Client ---------- PacketShaper ---------------- VPN 3000 ---------- LAN
  TCP MSS 1300           TCP Window Sizing                TCP MSS 1280
                         (equals TCP MSS=1460)

The Cisco VPN Client can connect to the VPN 3000 (IPSec VPN Remote-Access connection) and send/receive traffic.

I decided to replace the VPN 3000 with a Cisco ASA 5510.

On the Cisco ASA, I entered the same command "sysopt connection tcpmss 1280" but it failed.

We can see IKE Phase 1 & 2 established (IPSec tunnel OK), but no traffic is possible, and after 2 minutes a timeout occurs.

So we decided to disable TCP Window Sizing on the PacketShaper. Success.

BUT why such a difference between a VPN 3000 and an ASA with an IPSec tunnel?

Have you ever met something like that?

I don't want to change the PacketShaper configuration, because TCP Window Sizing is for all connections.
On the Cisco ASA, I can't find any solution.

Here are my tests:



Device      PacketShaper TCP Window Sizing   TCP MSS   Command on the VPN device
----------  --------------------------------  --------  ------------------------------------
VPN 3000    enabled                           1460      sysopt connection tcpmss 1280
ASA 5510    enabled                           1460      none (so TCP MSS = 1380 by default)
ASA 5510    enabled                           1460      sysopt connection tcpmss 1280
ASA 5510    disabled                          -         none (so TCP MSS = 1380 by default)


Thanks for any answer.


sverbeek-cap Mon, 07/12/2010 - 01:50

Hi Leon,

We experience exactly the same issue here when replacing a VPN 3000 with an ASA 5540.

Did you eventually find a solution?



Jason Gervia Mon, 07/12/2010 - 06:53


What kind of VPN are you using? The VPN client connection by default is either ESP (IP protocol 50) or UDP-encapsulated ESP on port 4500, so an MSS adjustment on encrypted packets (which aren't even TCP) won't have any effect.

Are you using IPSEC over TCP?

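As an added illustration of the point in Jason's reply (this is example code written for this page, not code from the thread or from Cisco): a small model of a TCP MSS clamp in the style of the ASA's "sysopt connection tcpmss N", run over constructed packets for the three encapsulations named in the thread. Plain ESP and UDP/4500 pass through unchanged because they carry no TCP header; only a TCP SYN, such as the outer SYN of an IPSec-over-TCP session to port 443, gets its MSS option rewritten (with the TCP checksum fixed up). All addresses, ports and payload bytes are made up for the demonstration, and the function names are this example's own.

```python
"""Added example (not from the thread or from Cisco): a minimal model of a
TCP MSS clamp such as the ASA's 'sysopt connection tcpmss N', run over
constructed packets for the encapsulations the thread mentions.  All packet
contents, addresses and ports below are made up for the demonstration."""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
TCP_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def _ones_complement(data: bytes) -> int:
    """RFC 1071 checksum of data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return _ones_complement(pseudo + segment)


def build_ipv4(proto: int, payload: bytes, src="10.1.1.10", dst="192.0.2.1") -> bytes:
    """Plain IPv4 header (no options) in front of payload."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", _ones_complement(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int, mss=None,
              src="10.1.1.10", dst="192.0.2.1") -> bytes:
    """IPv4+TCP segment with no data and an optional MSS option."""
    opts = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (20 + len(opts)) // 4
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      doff << 4, flags, 65535, 0, 0) + opts
    csum = _tcp_checksum(socket.inet_aton(src), socket.inet_aton(dst), seg)
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    return build_ipv4(IPPROTO_TCP, seg, src, dst)


def _mss_offset(tcp: bytes):
    """Offset of the 16-bit MSS value inside a TCP segment, or None."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    """MSS option value of a TCP packet, or None (also for non-TCP)."""
    if packet[9] != IPPROTO_TCP:
        return None
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_tcp_mss(packet: bytes, max_mss: int = 1380):
    """Model of 'sysopt connection tcpmss N' (1380 is the ASA default).
    Only a TCP SYN whose MSS option exceeds max_mss is rewritten, with the
    TCP checksum fixed up; ESP, UDP and non-SYN segments pass untouched.
    Returns (possibly rewritten packet, description of what happened)."""
    if packet[9] != IPPROTO_TCP:
        return packet, "IP proto %d is not TCP: untouched" % packet[9]
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:
        return packet, "TCP but not a SYN: untouched"
    off = _mss_offset(tcp)
    if off is None:
        return packet, "SYN without MSS option: untouched"
    mss = struct.unpack_from("!H", tcp, off)[0]
    if mss <= max_mss:
        return packet, "SYN MSS %d <= %d: untouched" % (mss, max_mss)
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"  # zero the checksum field before recomputing it
    tcp[16:18] = struct.pack("!H", _tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), "SYN MSS %d rewritten to %d" % (mss, max_mss)


# Constructed samples for the encapsulations the thread names.
SAMPLES = {
    "ESP (IP proto 50)":      build_ipv4(IPPROTO_ESP, b"\x00\x00\x00\x01" + b"\xAA" * 40),
    "NAT-T ESP in UDP/4500":  build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 4500, 4500, 48, 0) + b"\xBB" * 40),
    "IPsec over TCP/443 SYN": build_tcp(51000, 443, TCP_SYN, mss=1460),
    "IPsec over TCP/443 ACK": build_tcp(51000, 443, 0x10),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        _, action = clamp_tcp_mss(pkt, max_mss=1280)
        print("%-24s %s" % (name, action))
```

Running it with max_mss=1280 reports the ESP, UDP/4500 and ACK samples as untouched and only the TCP/443 SYN as rewritten from 1460 to 1280, which is why a tcpmss setting can matter for an IPSec-over-TCP client and not for ESP or NAT-T clients. Note that the clamp only changes what the peers advertise; the encrypted payload inside the tunnel is never inspected.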

sverbeek-cap Tue, 07/13/2010 - 00:28

Hi Jason,

Yes indeed, we are using IPSEC over TCP port 443; I forgot to mention that.



