Cisco Support Community
Community Member

Help with log output ,regarding MSS

OK, so I know that the ASA is dropping packets because of a TCP MSS mismatch.

and I know how to tune the ASA not to do it.

But my question, based on this log, is: what device is setting the MSS at 1380? Because as far as I can see everything is set at MTU 1500.

%ASA-4-419001: Dropping TCP packet from Outside: to DMZ2:Host_A/25, reason: MSS exceeded, MSS 1380, data 1400


Re: Help with log output ,regarding MSS

This cannot be determined using the MTU values on the ASA or simply from the log above. We need to take packet captures on the Outside and DMZ2 interfaces of the ASA in order to determine which host is not complying with the MSS values advertised in the first communication.

I'm not sure what the IP of the DMZ host is, so I'll take two, public_ip & private_ip. With these assumptions, the capture commands would look like this:

access-l cpo permit ip host host public_ip
access-l cpo permit ip host public_ip host
capture capo access-l cpo buffer 1000000 packet-length 1518 interface outside

access-l cpi permit ip host host private_ip
access-l cpi permit ip host private_ip host
capture capi access-l cpi buffer 1000000 packet-length 1518 interface inside

To download the captures, you can use the following URLs if you have ASDM installed:



If you don't have ASDM, use the copy command to send the captures to a TFTP server.

Hope that helps.



Community Member

Re: Help with log output ,regarding MSS

The default on the ASA is 1380. This is different from the MTU size on the interface.
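As an added illustration (not part of the original thread, and not Cisco code), the Python below does the check the two replies above describe: it pulls the MSS option out of each side's SYN or SYN/ACK and then flags any data segment larger than the MSS its receiver advertised, which is exactly the condition the %ASA-4-419001 "MSS exceeded" line reports. It runs on a constructed five-segment exchange rather than on real captures; the addresses are RFC 5737 documentation addresses chosen here, and the DMZ host's SYN/ACK is given MSS 1380 to match the ASA default mentioned in the last reply. A practitioner would feed it segments pulled from the outside and DMZ captures and compare the MSS seen for the same SYN on each interface.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits used by the sample flow


def build_tcp(src_port, dst_port, flags, payload=b"", mss=None):
    """Build a minimal TCP segment: 20-byte header, optional MSS option, payload.
    Sequence/ack numbers and checksum are zero; they play no part in the MSS check."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", 2, 4, mss)   # option kind 2 = MSS, length 4
    while len(options) % 4:                          # pad header to a 32-bit boundary
        options += b"\x01"                           # kind 1 = NOP
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp(segment):
    """Return ports, SYN flag, advertised MSS (or None) and payload length."""
    src, dst, _seq, _ack, off_flags, flags, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off_flags >> 4) * 4
    options = segment[20:hdr_len]
    mss = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(options):      # truncated option: stop rather than loop forever
            break
        length = options[i + 1]
        if length < 2:                 # malformed length, stop parsing
            break
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"src_port": src, "dst_port": dst, "syn": bool(flags & SYN),
            "mss": mss, "data": len(segment) - hdr_len}


def find_mss_violations(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_segment_bytes) in capture order.
    Records the MSS each endpoint advertises in its SYN or SYN/ACK, then flags any
    later data segment whose payload exceeds the MSS its *receiver* advertised."""
    advertised = {}      # (ip, port) -> MSS that endpoint advertised
    violations = []
    for src_ip, dst_ip, seg in packets:
        t = parse_tcp(seg)
        if t["syn"] and t["mss"] is not None:
            advertised[(src_ip, t["src_port"])] = t["mss"]
            continue
        limit = advertised.get((dst_ip, t["dst_port"]))
        if limit is not None and t["data"] > limit:
            violations.append({"from": src_ip, "to": dst_ip, "port": t["dst_port"],
                               "mss": limit, "data": t["data"]})
    return violations


def describe(v):
    """Render a violation in the same wording as the ASA syslog line."""
    return (f"Dropping TCP packet from {v['from']} to {v['to']}/{v['port']}, "
            f"reason: MSS exceeded, MSS {v['mss']}, data {v['data']}")


# Constructed sample flow (not taken from any real capture): an outside client opens
# a connection to port 25 on a DMZ host, the DMZ host answers with MSS 1380, and the
# client then sends a 1400-byte segment, reproducing the numbers in the question.
CLIENT, HOST_A = "203.0.113.10", "192.0.2.25"   # RFC 5737 documentation addresses
SAMPLE_FLOW = [
    (CLIENT, HOST_A, build_tcp(40000, 25, SYN, mss=1460)),            # client advertises 1460
    (HOST_A, CLIENT, build_tcp(25, 40000, SYN | ACK, mss=1380)),      # DMZ host advertises 1380
    (CLIENT, HOST_A, build_tcp(40000, 25, ACK)),                      # handshake completes
    (CLIENT, HOST_A, build_tcp(40000, 25, PSH | ACK, b"A" * 1400)),   # 1400 > 1380: flagged
    (HOST_A, CLIENT, build_tcp(25, 40000, PSH | ACK, b"B" * 1000)),   # 1000 <= 1460: fine
]

if __name__ == "__main__":
    for v in find_mss_violations(SAMPLE_FLOW):
        print(describe(v))
```

The useful comparison for the original question is the MSS value the parser reports for the same SYN on the outside capture versus the DMZ capture: if the two differ, the value was rewritten in transit rather than set by either end host.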
