11-05-2009 09:04 AM - edited 03-11-2019 09:36 AM
Hi guys,
I'm seeing something strange in my ASA log:
Dropping TCP packet from dmz:10.x.x.x/23 to inside:10.x.x.x/45762, reason: MSS exceeded, MSS 536, data 556
536?? Am I reading well?
When I do sh run sysopt:
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
Why are these packets being dropped?
11-05-2009 01:47 PM
It means your host is sending more data than it initially negotiated that it could. Usually a badly written application does this; it can be allowed by doing a tcp map for that flow and allowing exceed mss.
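The tcp-map approach mentioned in the reply above, as an added ASA configuration sketch that is not part of the original thread: it scopes the exceed-mss exception to a single telnet flow instead of relaxing the check for all traffic. The object names and the two host addresses are placeholders (the thread elides the real addresses), and the class is assumed to go into the default global_policy.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! 192.0.2.10    = inside router that opens the telnet session (placeholder)
! 198.51.100.20 = dmz switch listening on tcp/23 (placeholder)

! 1. Match only the one flow that needs the exception.
access-list TELNET-MSS extended permit tcp host 192.0.2.10 host 198.51.100.20 eq telnet

! 2. TCP map that lets segments larger than the negotiated MSS through.
tcp-map ALLOW-EXCEED-MSS
 exceed-mss allow

! 3. Tie the ACL to a traffic class.
class-map TELNET-MSS-CLASS
 match access-list TELNET-MSS

! 4. Apply the TCP map to that class only (assumes global_policy is in use).
policy-map global_policy
 class TELNET-MSS-CLASS
  set connection advanced-options ALLOW-EXCEED-MSS
```

Keeping the ACL down to one source, one destination and one port leaves TCP normalization unchanged for every other connection through the firewall.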
11-05-2009 01:57 PM
It's curious, the packets dropped are from a telnet session between a Cisco router inside and a Cisco switch in dmz...
11-05-2009 04:39 PM
That is strange, have you tried it from a Windows PC with telnet to that device in the dmz instead?