New Member

MSS drops

We're experiencing strange behaviour whereby certain VPN users are being dropped when connecting from their home broadband, which only affects people with D-Link home routers. We are using Checkpoint VPN-1 for the VPN concentration, which must first pass through a PIX-525 running v7.0(6), and the PIX is dropping the connection with the error message 'MSS exceeded, MSS 1024, data 1360'.

It looks like the default MSS for the device is 1024 so I've increased it to 1370 and the PIX allowed the connections through. Now I'm getting 'MSS exceeded, MSS 1370, data 1460' and the PIX is dropping connections again.

Given the fact that the maximum segment size for TCP proxy connection is already fixed at 1380, will it create a problem if I keep increasing the minimum value?

By the way, users with Netgear / Belkin etc. home routers connect fine. It only affects users with D-Link home routers.

Any ideas what the optimum maximum and minimum segment size should be set to?

joe Bronze

Re: MSS drops

A best practice is to use the Cisco VPN Client's setmtu.exe utility to set the client computer's MTU to 1300.

This will prevent these types of issues.

This is the standard policy for our clients to avoid support issues such as this.