We're experiencing strange behaviour whereby certain VPN users are being dropped when connecting from their home broadband, which only affects people with D-Link home routers. We are using Checkpoint VPN-1 for the VPN concentration, which must first pass through a PIX-525 running v7.0(6), and the PIX is dropping the connection with the error message 'MSS exceeded, MSS 1024, data 1360'.
It looks like the default MSS for the device is 1024 so I've increased it to 1370 and the PIX allowed the connections through. Now I'm getting 'MSS exceeded, MSS 1370, data 1460' and the PIX is dropping connections again.
Given the fact that the maximum segment size for TCP proxy connection is already fixed at 1380 will it create a problem if I keep increasing the minimum value?
By the way, users with Netgear / Belkin etc. home routers connect fine. It only affects users with D-Link home routers.
Any ideas what the optimum maximum and minimum segment size should be set to?
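Added example (not part of the original post): a small parser for the PIX "MSS exceeded" drop messages quoted above, which summarises per client source address what MSS the PIX was enforcing, the largest segment payload that actually arrived, and the MTU that payload implies. The syslog prefix, addresses and ports in the sample lines are constructed for this example and are modelled on the "MSS exceeded, MSS N, data M" wording in the post; only that wording is taken from the page.

```python
import re

# Constructed sample syslog lines (addresses, ports and message prefix are made
# up); the "MSS exceeded, MSS N, data M" part mirrors the wording in the post.
SAMPLE_LOG = """\
%PIX-4-419001: Dropping TCP packet from outside:203.0.113.10/51022 to inside:10.0.0.5/443, reason: MSS exceeded, MSS 1024, data 1360
%PIX-4-419001: Dropping TCP packet from outside:203.0.113.10/51022 to inside:10.0.0.5/443, reason: MSS exceeded, MSS 1024, data 1360
%PIX-4-419001: Dropping TCP packet from outside:198.51.100.7/40311 to inside:10.0.0.5/443, reason: MSS exceeded, MSS 1370, data 1460
%PIX-4-419001: Dropping TCP packet from outside:198.51.100.7/40311 to inside:10.0.0.5/443, reason: MSS exceeded, MSS 1370, data 1460
some unrelated log line that the parser must skip
"""

# Captures the source interface/address and the two numbers in the drop reason.
MSS_RE = re.compile(
    r"from (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ to .*?"
    r"MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Minimal IPv4 header (20 bytes) + TCP header without options (20 bytes).
TCP_IP_HEADERS = 40


def parse_mss_drops(text):
    """Summarise MSS-exceeded drops per source address.

    Returns {src: {"mss": enforced MSS, "max_data": largest payload seen,
                   "drops": number of dropped segments}}.
    """
    summary = {}
    for line in text.splitlines():
        m = MSS_RE.search(line)
        if not m:
            continue  # not an MSS-exceeded drop, ignore
        src = m.group("src")
        mss = int(m.group("mss"))
        data = int(m.group("data"))
        entry = summary.setdefault(src, {"mss": mss, "max_data": 0, "drops": 0})
        entry["mss"] = mss  # latest enforced value wins
        entry["max_data"] = max(entry["max_data"], data)
        entry["drops"] += 1
    return summary


def implied_mtu(data_len):
    """Link MTU implied by a payload of data_len bytes with plain IPv4+TCP headers."""
    return data_len + TCP_IP_HEADERS


def required_mss(summary):
    """Smallest MSS value that would have let every logged segment through."""
    return max(e["max_data"] for e in summary.values())


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    for src, e in drops.items():
        print(f"{src}: enforced MSS {e['mss']}, largest payload {e['max_data']} "
              f"(implied MTU {implied_mtu(e['max_data'])}), {e['drops']} drops")
    print("MSS needed to stop these drops:", required_mss(drops))
```

A payload of 1460 bytes plus 40 bytes of headers is exactly a 1500-byte Ethernet frame, so a client whose segments are logged with "data 1460" is sending full-size segments with no MSS clamping happening on its path; summarising the drops this way shows whether raising the enforced value further would merely chase the client's real MSS. On PIX 7.x the values the post is adjusting are the `sysopt connection tcpmss` maximum and its `minimum` keyword, which is why the parser reports the largest payload seen rather than an average.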