Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE mtu, mss size and normalization


I have a problem with MTU size (I got ICMP fragmentation needed from router, required MTU size is 1545bytes).

ok, I did some packet traces and configuration changes:


I tried change MTU size on ACE interfaces (routed mode) - without success, MTU size in packet trace was without change.


I tried change MSS on ace ifaces, because mss size between server and ace is too high (segment size 1460bytes). ok, it works (syn/syn-ack/ack phase)! but packet trace shows, that size of segments(and packets) is without change. I got always ICMP fragmentation needed.


ok, last chance is clear don't fragmetn bit in the packet ('ip df clear'). it works and communication between server and client is successful!

it may seem, that problem is solved. it is, but it works only with disabled normalization ('no normalization') and it's not acceptable.

my question is:

where can I search a problem?

with normalization enabled, packet trace on server side shows only syn/syn-ack/ack and fin/... in the same time. client side shows only client's packets, no packets from ace module.

thx for any tips


Cisco Employee

Re: ACE mtu, mss size and normalization

there are a serie of issues related to the MSS.

If you do not have A1(4) yet, I would suggest to upgrade.

Then open a service request with the TAC so we can clearly identify the problem.

CSCse63993: ACE: Same MSS value stored in both legs of L7 conn if server MSS

CSCsh39042: syn-cookie encoded MSS value is used for both legs of connection

CSCsh56158: TCP Segment larger than MSS from client when normalization off w


New Member

Re: ACE mtu, mss size and normalization

add a parameter map to the policy

New Member

Re: ACE mtu, mss size and normalization

If you think parameter-map I have it:

parameter-map type connection TCPIP_PARAM_MAP

set tcp mss min 0 max 1300 <<<<<

serverfarm host FEND

predictor leastconns

probe TCP

retcode 200 200 check count

retcode 400 420 check count

retcode 500 520 check count

rserver fend-2

rserver fend-4


class-map match-any TCP_CLASS

2 match destination-address

class-map match-all VIP-FEND-CLASS

2 match virtual-address tcp eq 81

policy-map type loadbalance first-match FEND-POLICY

class class-default

serverfarm FEND

policy-map multi-match CLIENT-VIPS


loadbalance vip inservice

loadbalance policy FEND-POLICY

loadbalance vip icmp-reply

nat dynamic 1 vlan 17

connection advanced-options TCPIP_PARAM_MAP <<<<<

policy-map multi-match TCPIP_POLICY


connection advanced-options TCPIP_PARAM_MAP <<<<<

interface vlan 17

description Server side

ip address

ip df clear


peer ip address

mtu 1400

no normalization

nat-pool 1 netmask pat

service-policy input TCPIP_POLICY <<<<<

no shutdown

interface vlan 188

description Client side

ip address

ip df clear

peer ip address

mtu 1400

no normalization

access-group input client-side

service-policy input CLIENT-VIPS <<<<<

no shutdown


Re: ACE mtu, mss size and normalization

Try to apply the parameter map in a service policy global. I had some issue with the tcp idle time. It only worked the way i wanted if the policy was assigned globally.

If you assign it to the loadbalancing policy it will only hit for the connections to the vip.

Try following:

access-list TCP line 10 extended permit tcp any any

class-map match-any TCP_TRAFFIC_CLASS

2 match access-list TCP

policy-map multi-match TCP-POLICY


connection advanced-options TCPIP_PARAM_MAP

service-policy input TCP-POLICY

I used it for the TCP idle timer after applying the policy it should work for every new connection. So if you are unsure if it works try a "clear conn all".