MSS Exceeded issue

DanielO
Level 1

Hello,

My PIX is reporting the following message.

Dropping TCP packet from outside:xx.xx.xx.xx/3389 to inside:xx.xx.xx.xx/60983, reason: MSS exceeded, MSS 1260, data 1460

I read the article posted on the cisco website and the provided workaround did not work for me, so here I am.

PIX 515e 7.1(1) - MTU is the default 1500 on each interface.

I appreciate any help on this issue.

11 Replies

bthibode
Level 1

Can you please post your fix?

I don't have a fix, that's why I am posting. :)

Hi,

Kindly let us know the exact changes that you made in your network/pix after following the workaround provided in the cisco document.

The config snapshot of what you have done will be helpful to verify the same.

In your original post, it looks like the return traffic for an RDP session is getting dropped.

Have you suitably applied the ACLs in PIX to match this traffic, in order to implement the "exceed-mss allow" workaround as stated in the document?

-VJ

jwjorgensen
Level 4

Did you change your MTU size?

bthibode
Level 1

Changing the MTU size will NOT help, so please don't do it. This will start affecting all "working" traffic through the ASA. What I meant by "please post your fix" is you stated that you tried the workaround with no luck. Can you please post the workaround that you tried?

Hint: This should be a tcp-map

Bryan

Sorry for the confusion, this is the link to the workaround. I did the documented troubleshooting as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml#wa

Packets were still being dropped in before and after I made the change. I have already removed the workaround though, since it didn't seem to make a difference.

No I did not change the MTU and I don't plan to.

The workaround in the link is almost correct. In the link, the service policy is applied to an interface. I have never had any success with this method. I have had success applying the service policy globally. Also, the link narrows down the traffic to only one target. I always use a match any statement in my class. This should solve your issue. If not, please post your attempt and I'm sure we can figure something out.

Bryan

Hi All,

I have the same problem as the writer of this message. I followed the example (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml) but still get the same errors. I do not want to enable it globally, even if this solved the issue. I just want to allow a server.

My server is on the INSIDE and runs some "backup" (ftp & telnet) processes towards some remote Radio Links. Although initially the server and Radio Links negotiate for MSS 1380, the server insists on MSS 1460!

Here is the configuration I used......

access-list SERVER-RADIO-LINKS-MSS line 1 extended permit tcp host 192.168.10.70 172.16.0.0 255.255.0.0
!
class-map SERVER-RADIO-LINKS
  match access-list SERVER-RADIO-LINKS-MSS
!
! the tcp-map is defined before the policy-map that references it
tcp-map EXCEED-MSS-MAP
  exceed-mss allow
!
policy-map SERVER-RADIO-LINKS
  class SERVER-RADIO-LINKS
    set connection advanced-options EXCEED-MSS-MAP
!
service-policy SERVER-RADIO-LINKS interface OUTSIDE

I opened up a ticket with Cisco for this problem and the following cured my problem.

access-list RDP_MSS permit tcp any any
!
class-map RDP
  match access-list RDP_MSS
!
tcp-map tmap
  exceed-mss allow
!
policy-map global_policy
  class RDP
    set connection advanced-options tmap

If I get this right, Cisco advised you that you should apply the class to the global_policy rather than the interface policy?

So I guess their example is not so correct after all? Did they mention if this is a bug/caveat or something?

Another thing, is there a reason for the access-list to be "tcp any any", would it work equally with filtering from or to a specific host?

Regards.

Yes, that was copied directly out of the email I got from the Cisco tech, and yes it works the same for a specific host. It was a while ago so I don't remember if it was a bug or what, sorry.
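As an added illustration (not code from this thread, from Cisco, or from any of the posters), the Python script below parses "MSS exceeded" drop messages in the format quoted at the top of the thread out of a syslog export, counts drops per flow, reports how far each packet overshot the negotiated MSS, and checks whether a dropped flow's endpoints fall inside a class-map ACL such as the server-to-radio-links entry posted above or the "permit tcp any any" entry from the TAC-provided fix. The sample log lines and their addresses are constructed; the ACL parser handles only the permit tcp forms used in this thread; and the check in both directions is an assumption of this script, made because the logged packet is the returning half of a session that the inside host opened, so its addresses appear reversed relative to the ACL.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the drop message quoted in the thread, as it appears in a syslog
# export. Only the message text is matched; no syslog message id is assumed.
DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^\s:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^\s:]+):(?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# The class-map ACL posted in the thread (inside server to the 172.16/16 radio links).
THREAD_ACL = ("access-list SERVER-RADIO-LINKS-MSS line 1 extended permit tcp "
              "host 192.168.10.70 172.16.0.0 255.255.0.0")

# Constructed sample syslog lines in the thread's message format; addresses are
# made up (documentation and private ranges), not taken from any real device.
SAMPLE_LOG = [
    "Dropping TCP packet from outside:203.0.113.10/3389 to inside:192.168.10.70/60983, reason: MSS exceeded, MSS 1260, data 1460",
    "Dropping TCP packet from outside:203.0.113.10/3389 to inside:192.168.10.70/60983, reason: MSS exceeded, MSS 1260, data 1460",
    "Dropping TCP packet from outside:172.16.5.9/21 to inside:192.168.10.70/40111, reason: MSS exceeded, MSS 1380, data 1460",
    "Built outbound TCP connection 12345 for outside:172.16.5.9/21 (172.16.5.9/21) to inside:192.168.10.70/40111 (192.168.10.70/40111)",
]


def parse_drop(line):
    """Return a dict describing one MSS-exceeded drop, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "mss", "data"):
        d[k] = int(d[k])
    d["overshoot"] = d["data"] - d["mss"]  # bytes of payload beyond the negotiated MSS
    return d


def _addr_spec(tokens, i):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a subnet mask (PIX/ASA style, not a wildcard mask)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(acl_line):
    """Parse 'access-list NAME [line N] [extended] permit tcp <src> <dst>' into two networks.
    Only the permit tcp forms used in the thread are handled (assumption of this example)."""
    tokens = acl_line.split()
    if "permit" not in tokens:
        raise ValueError("only 'permit' entries are handled in this example")
    i = tokens.index("permit")
    if tokens[i + 1] != "tcp":
        raise ValueError("only tcp entries are handled in this example")
    src, i = _addr_spec(tokens, i + 2)
    dst, _ = _addr_spec(tokens, i)
    return src, dst


def acl_covers_flow(acl, drop):
    """True if the dropped packet's endpoints fall inside the ACL in either direction.
    The drop is logged on the returning packet (server -> client), so a class that
    matched the session when the inside host opened it has the addresses reversed
    relative to the log line; checking both orientations is this script's assumption."""
    src_net, dst_net = acl
    a = ipaddress.ip_address(drop["src"])
    b = ipaddress.ip_address(drop["dst"])
    return (a in src_net and b in dst_net) or (b in src_net and a in dst_net)


def summarize(lines, acl=None):
    """Count drops per flow; if an ACL is given, flag which flows it would cover."""
    flows = Counter()
    covered = {}
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        key = (d["src"], d["sport"], d["dst"], d["dport"])
        flows[key] += 1
        if acl is not None:
            covered[key] = acl_covers_flow(acl, d)
    return flows, covered


def report(lines, acl_line):
    """Human-readable summary: drops per flow and whether the ACL scopes each flow."""
    flows, covered = summarize(lines, parse_acl(acl_line))
    rows = []
    for (src, sport, dst, dport), n in flows.most_common():
        rows.append(f"{n:4d} drops  {src}/{sport} -> {dst}/{dport}  covered_by_acl={covered[(src, sport, dst, dport)]}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, THREAD_ACL))
    print(report(SAMPLE_LOG, "access-list RDP_MSS permit tcp any any"))
```

Run against the constructed sample, the server-only ACL covers the FTP session to the 172.16/16 radio link but not the RDP session from the outside host, while the "permit tcp any any" entry covers both; that is the scoping difference the last few posts are discussing, and the "overshoot" field (data minus MSS, 200 bytes for the message quoted in the first post) is the quickest way to see how far the peer is ignoring the MSS it was offered.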
