MSS exceeded

Unanswered Question
Sep 27th, 2010


I have an ASA 5540, and we are copying a file from a remote location to a local server. We got this log on the ASA:

Dropping TCP packet from outside: dest_ip to DMZ:Ip , reason: MSS exceeded, MSS 1380, DATA 1480

What is the reason for the exceed?

We are able to log in successfully.

Thanks and Regards

Mitang R Prajapati.

rmavila Mon, 09/27/2010 - 04:22

Hi Mitang,

Please try the below:

Configure an access-list to match the traffic and apply it in a policy map as follows:

! ACL selecting the traffic whose oversized segments you want to allow
! (change "any any" to whatever traffic you want to allow the MSS for)
pixfirewall(config)#access-list http-list2 permit tcp any any
! Class map that references the ACL
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
! TCP map that allows (instead of drops) segments larger than the negotiated MSS
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
! Policy map binding the class to the TCP map
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
! Apply the policy on the interface where the drops are logged
pixfirewall(config)#service-policy http-map1 interface outside

Do tell me how it goes.



mitang.prajapati Mon, 09/27/2010 - 20:21

Hello Rahul,

Thanks for the support.

We are not allowed to permit any any on the ASA 5540 firewall.

Could you tell me the purpose of this configuration?



rmavila Tue, 09/28/2010 - 05:59

Hi Mitang,

You can change the access-list to:

pixfirewall(config)#access-list http-list2 permit tcp host   host  .

The following will help you understand the configuration:

MSS exceeded:
To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode.

set connection advanced-options:
To specify advanced TCP connection options within a policy-map for a traffic class, use the set connection advanced-options command in class mode.
To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.

set connection advanced-options tcp-mapname
no set connection advanced-options tcp-mapname

Do tell me if you need any further help.



Christopher.Hayre Wed, 09/29/2010 - 15:53

Just another option: you can leverage the sysopt connection tcpmss command to increase the maximum segment size on a global level if desired. Cisco sets the MSS for the ASA down to 1380 largely because of its role as a flexible appliance (e.g. for VPN reasons). When I do deployments for non-VPN purposes, I always bump my MSS size up to allow for the full 1500 MTU.


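The triage behind the two suggestions in this thread (scoping the exceed-mss exemption to specific hosts instead of `permit tcp any any`, and checking whether simply raising the global MSS towards a 1500-byte MTU would be enough), as an added example that is not part of the original posts. It is a Python script that parses ASA "MSS exceeded" syslog lines (message 419001), groups the drops per flow and emits a host-scoped ACL for the tcp-map. The log lines, addresses and the `mss-exempt` ACL name are constructed for illustration; the syslog layout is assumed to follow the sanitized line quoted in the question.

```python
"""Triage ASA 'MSS exceeded' drops and propose a host-scoped exemption ACL.

Added example, not code from the thread or from Cisco. The log lines are
constructed (RFC 5737 documentation addresses); the message layout is
assumed to match the line quoted in the question.
"""
import re
from collections import defaultdict

# Constructed sample syslog excerpt: three MSS drops and one unrelated line.
SAMPLE_LOGS = """\
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/49152 to DMZ:192.0.2.20/445, reason: MSS exceeded, MSS 1380, data 1480
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/49152 to DMZ:192.0.2.20/445, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.11/50001 to DMZ:192.0.2.21/22, reason: MSS exceeded, MSS 1380, data 1400
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/49153 (203.0.113.10/49153) to DMZ:192.0.2.20/445 (192.0.2.20/445)
"""

# Matches "from <if>:<ip>/<port> to <if>:<ip>/<port>, reason: MSS exceeded, MSS n, data m"
MSS_DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)",
    re.IGNORECASE,
)

ETHERNET_MTU = 1500
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def parse_mss_drops(text):
    """Return one dict per 'MSS exceeded' line; other syslog messages are skipped."""
    drops = []
    for line in text.splitlines():
        m = MSS_DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "mss", "data"):
            d[key] = int(d[key])
        d["excess"] = d["data"] - d["mss"]  # bytes over the negotiated MSS
        drops.append(d)
    return drops


def summarize_flows(drops):
    """Group drops by (src_ip, dst_ip, dst_port): count, largest payload, MSS."""
    flows = defaultdict(lambda: {"count": 0, "max_data": 0, "mss": None})
    for d in drops:
        f = flows[(d["sip"], d["dip"], d["dport"])]
        f["count"] += 1
        f["max_data"] = max(f["max_data"], d["data"])
        f["mss"] = d["mss"]
    return dict(flows)


def fits_standard_mtu(data_len):
    """True if a segment with this payload fits a 1500-byte frame (MSS 1460)."""
    return data_len <= ETHERNET_MTU - IP_TCP_HEADERS


def exemption_acl(flows, acl_name="mss-exempt"):
    """Host-to-host ACEs covering only the offending flows, for the tcp-map class."""
    return [
        f"access-list {acl_name} extended permit tcp host {sip} host {dip} eq {dport}"
        for (sip, dip, dport) in sorted(flows)
    ]


if __name__ == "__main__":
    flows = summarize_flows(parse_mss_drops(SAMPLE_LOGS))
    for (sip, dip, dport), f in sorted(flows.items()):
        verdict = "fits 1460" if fits_standard_mtu(f["max_data"]) else "exceeds 1460 too"
        print(f"{sip} -> {dip}:{dport}  drops={f['count']}  max_data={f['max_data']}  {verdict}")
    print("\n".join(exemption_acl(flows)))
```

The ACL it prints can replace the `permit tcp any any` in the tcp-map class above. The MTU check is the practical caveat for the global `sysopt connection tcpmss` route: in the constructed sample the 1480-byte payload is larger than 1460, so raising the global MSS to match a 1500-byte MTU would still leave that flow dropped, whereas the exceed-mss allow exemption covers it regardless of size.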

