My pix is reporting the following message.
Dropping TCP packet from outside:xx.xx.xx.xx/3389 to inside:xx.xx.xx.xx/60983, reason: MSS exceeded, MSS 1260, data 1460
I read the article posted on the cisco website and the provided workaround did not work for me, so here I am.
PIX 515e 7.1(1) - MTU is the default 1500 on each interface.
I appreciate any help on this issue.
Kindly let us know the exact changes that you made in your network/PIX after following the workaround provided in the Cisco document.
The config snapshot of what you have done will be helpful to verify the same.
In your original post, it looks like the return traffic for an RDP session is getting dropped.
Have you suitably applied the ACLs in the PIX to match this traffic, in order to implement the "exceed-mss allow" workaround as stated in the document?
Changing the MTU size will NOT help, so please don't do it. This will start affecting all "working" traffic through the ASA. What I meant by "please post your fix" is you stated that you tried the workaround with no luck. Can you please post the workaround that you tried?
Hint: This should be a tcp-map
Sorry for the confusion, this is the link to the workaround. I did the documented troubleshooting as well.
Packets were still being dropped both before and after I made the change. I have already removed the workaround though, since it didn't seem to make a difference.
No I did not change the MTU and I don't plan to.
The workaround in the link is almost correct. In the link, the service policy is applied to an interface. I have never had any success with this method. I have had success applying the service policy globally. Also, the link narrows down the traffic to only one target. I always use a match any statement in my class. This should solve your issue. If not, please post your attempt and I'm sure we can figure something out.
I have the same problem as the writer of this message. I followed the example (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml) but still get the same errors. I do not want to enable it globally, even if this solved the issue. I just want to allow a server.
My server is on the INSIDE and runs some "backup" (ftp & telnet) processes towards some remote Radio Links. Although initially the server and Radio Links negotiate for MSS 1380, the server insists on MSS 1460!
Here is the configuration I used:
access-list SERVER-RADIO-LINKS-MSS line 1 extended permit tcp host 192.168.10.70 172.16.0.0 255.255.0.0
match access-list SERVER-RADIO-LINKS-MSS
set connection advanced-options EXCEED-MSS-MAP
service-policy SERVER-RADIO-LINKS interface OUTSIDE
I opened up a ticket with Cisco for this problem and the following cured my problem.
access-list RDP_MSS permit tcp any any
match access-list RDP_MSS
set connection advanced-options tmap
If I get this right, Cisco advised you that you should apply the class to the global_policy rather than the interface policy?
So I guess their example is not so correct after all? Did they mention if this is a bug/caveat or something?
Another thing, is there a reason for the access-list to be "tcp any any", would it work equally with filtering from or to a specific host?
Yes, that was copied directly out of the email I got from the Cisco tech, and yes, it works the same for a specific host. It was a while ago so I don't remember if it was a bug or what, sorry.
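Putting the pieces of this thread together (the "exceed-mss allow" tcp-map, a class matching the affected traffic, and the advice to attach it to the global policy rather than an interface policy), here is a complete version of the workaround as an added example. It is not the configuration any poster ran and not Cisco's tech note; the names MSS-ALLOW, MSS-ACL and MSS-CLASS and the host 192.0.2.10 are placeholders, while global_policy is the policy-map that exists by default on PIX/ASA 7.x and is already applied with "service-policy global_policy global".

```cisco
! Added example, not from the thread or the Cisco note. Names and addresses are placeholders.
!
! 1. Tell the firewall what to do with a TCP segment whose payload exceeds the MSS
!    negotiated in the handshake. The default action is to drop it, which is exactly
!    what the "reason: MSS exceeded, MSS 1260, data 1460" syslog records.
tcp-map MSS-ALLOW
 exceed-mss allow
!
! 2. Select the traffic. "any any" is the broad form used in the thread; the later
!    reply confirms a host-specific ACL works as well, so scope it to the server
!    that misbehaves whenever you can (uncomment the second line, delete the first).
access-list MSS-ACL extended permit tcp any any
! access-list MSS-ACL extended permit tcp host 192.0.2.10 any
class-map MSS-CLASS
 match access-list MSS-ACL
!
! 3. Attach the tcp-map inside the default global policy-map. Because global_policy
!    is already bound with "service-policy global_policy global", no further
!    service-policy command is needed, and no per-interface policy is created.
policy-map global_policy
 class MSS-CLASS
  set connection advanced-options MSS-ALLOW
!
! 4. Verify:
!    show service-policy global   -> MSS-CLASS is listed with the advanced-options tcp-map
!    show asp drop                -> the TCP MSS exceeded drop counter stops increasing
```

Two practical points follow from the thread. First, "exceed-mss allow" does not fix the endpoint that ignores the MSS it agreed to (the server sending 1460-byte segments after negotiating 1380); it only stops the PIX from enforcing that agreement for the matched flows, so keeping the ACL as narrow as the problem allows limits how much traffic bypasses the check. Second, if you do prefer an interface policy as in the tech note, remember that the ACL in the class-map is evaluated against the connection as it is set up, so the rule has to match the direction in which the session is initiated, not the direction of the dropped return packets.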