01-04-2007 09:23 AM - edited 03-11-2019 02:15 AM
Hello,
My pix is reporting the following message.
Dropping TCP packet from outside:xx.xx.xx.xx/3389 to inside:xx.xx.xx.xx/60983, reason: MSS exceeded, MSS 1260, data 1460
I read the article posted on the cisco website and the provided workaround did not work for me, so here I am.
PIX 515e 7.1(1) - MTU is the default 1500 on each interface.
I appreciate any help on this issue.
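As an added example (not part of this thread or of Cisco's documentation), a short Python script that picks the "MSS exceeded" drops out of a PIX syslog feed and groups them by sending endpoint, so you can see which server is overshooting its MSS before deciding how narrowly to scope the tcp-map access-list. The parser follows the message format quoted above; the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Pattern for the PIX "MSS exceeded" drop message quoted in the opening post;
# interfaces, addresses and ports are captured so drops can be grouped.
MSS_DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_mss_drop(line):
    """Parse one syslog line. Returns a dict with the endpoints, the MSS the
    firewall recorded, the payload size, and how far it overshot ('excess');
    returns None for lines that are not MSS-exceeded drops."""
    m = MSS_DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("src_port", "dst_port", "mss", "data"):
        d[key] = int(d[key])
    d["excess"] = d["data"] - d["mss"]
    return d

def summarize_drops(lines):
    """Group drops by sending endpoint (interface, ip, port) and return
    {endpoint: (drop_count, max_excess_bytes)} so the offending host stands out
    and the tcp-map access-list can be scoped to it rather than to 'any any'."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        d = parse_mss_drop(line)
        if d is None:
            continue
        key = (d["src_if"], d["src_ip"], d["src_port"])
        stats[key][0] += 1
        stats[key][1] = max(stats[key][1], d["excess"])
    return {k: tuple(v) for k, v in stats.items()}

# Constructed sample lines (private and RFC 5737 documentation addresses, not from the thread).
SAMPLE_LOG = [
    "Dropping TCP packet from outside:203.0.113.10/3389 to inside:192.168.1.25/60983, reason: MSS exceeded, MSS 1260, data 1460",
    "Dropping TCP packet from outside:203.0.113.10/3389 to inside:192.168.1.25/60984, reason: MSS exceeded, MSS 1260, data 1380",
    "Teardown TCP connection 12345 for outside:203.0.113.10/3389 to inside:192.168.1.25/60983",
    "Dropping TCP packet from inside:192.168.1.40/21 to outside:198.51.100.7/40211, reason: MSS exceeded, MSS 1380, data 1460",
]

if __name__ == "__main__":
    for (ifc, ip, port), (n, excess) in summarize_drops(SAMPLE_LOG).items():
        print(f"{ifc}:{ip}/{port}  drops={n}  max excess={excess} bytes")
```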
01-04-2007 06:41 PM
Can you please post your fix?
01-04-2007 07:00 PM
I don't have a fix, that's why I am posting. :)
01-04-2007 09:55 PM
Hi,
Kindly let us know the exact changes that you made in your network/pix after following the workaround provided in the cisco document.
The config snapshot of what you have done, will be helpful, to verify the same.
In your original post, it looks like the return traffic for an RDP session is getting dropped.
Have you suitably applied the ACLs in PIX to match this traffic, in order to implement the "exceed-mss allow" workaround as stated in the document?
-VJ
01-04-2007 08:57 PM
Did you change your MTU size?
01-05-2007 07:08 AM
Changing the MTU size will NOT help, so please don't do it. This will start affecting all "working" traffic through the ASA. What I meant by "please post your fix" is you stated that you tried the workaround with no luck. Can you please post the workaround that you tried?
Hint: This should be a tcp-map
Bryan
01-05-2007 08:37 AM
Sorry for the confusion, this is the link to the workaround. I did the documented troubleshooting as well.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml#wa
Packets were still being dropped before and after I made the change. I have already removed the workaround though, since it didn't seem to make a difference.
No I did not change the MTU and I don't plan to.
01-06-2007 12:28 PM
The workaround in the link is almost correct. In the link, the service policy is applied to an interface. I have never had any success with this method. I have had success applying the service policy globally. Also, the link narrows down the traffic to only one target. I always use a match any statement in my class. This should solve your issue. If not, please post your attempt and I'm sure we can figure something out.
Bryan
07-04-2007 08:46 PM
Hi All,
I have the same problem as the writer of this message. I followed the example (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml) but still get the same errors. I do not want to enable it globally, even if this solved the issue. I just want to allow a server.
My server is on the INSIDE and runs some "backup" (ftp & telnet) processes towards some remote Radio Links. Although initially the server and Radio Links negotiate for MSS 1380, the server insists on MSS 1460!
Here is the configuration I used:
access-list SERVER-RADIO-LINKS-MSS line 1 extended permit tcp host 192.168.10.70 172.16.0.0 255.255.0.0
class-map SERVER-RADIO-LINKS
 match access-list SERVER-RADIO-LINKS-MSS
tcp-map EXCEED-MSS-MAP
 exceed-mss allow
policy-map SERVER-RADIO-LINKS
 class SERVER-RADIO-LINKS
  set connection advanced-options EXCEED-MSS-MAP
service-policy SERVER-RADIO-LINKS interface OUTSIDE
07-05-2007 06:59 AM
I opened up a ticket with Cisco for this problem and the following cured my problem.
access-list RDP_MSS permit tcp any any
class-map RDP
 match access-list RDP_MSS
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class RDP
  set connection advanced-options tmap
07-06-2007 10:51 PM
If I get this right, Cisco advised you that you should apply the class to the global_policy rather than the interface policy?
So I guess their example is not so correct after all? Did they mention if this is a bug/caveat or something?
Another thing, is there a reason for the access-list to be "tcp any any", would it work equally with filtering from or to a specific host?
Regards.
07-07-2007 10:23 AM
Yes, that was copied directly out of the email I got from the Cisco tech, and yes it works the same for a specific host. It was a while ago so I don't remember if it was a bug or what, sorry.