MSS Exceeded on ASA 8.0

mathieu.ploton
Level 1

Hi guys,

I'm seeing something strange on my ASA log :

Dropping TCP packet from dmz:10.x.x.x/23 to inside:10.x.x.x/45762, reason: MSS exceeded, MSS 536, data 556

536 ?? Am I reading well ?

When I do sh run sysopt :

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

no sysopt connection reclassify-vpn

Why are these packets being dropped ?

3 Replies

jan.nielsen
Level 7

It means your host is sending more data than it initially negotiated that it could. Usually a badly written application does this; it can be allowed by doing a tcp map for that flow and allowing exceed mss.
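
An added example, not part of the original reply: one way to write the tcp-map approach described above on an ASA, scoped to a single Telnet flow instead of all traffic. The object names and the 192.0.2.10 / 198.51.100.20 addresses are placeholders (the thread masks the real ones), and global_policy is assumed to be the default global policy already applied by service-policy.

```cisco
! Constructed placeholders: 192.0.2.10 = inside router (Telnet client),
! 198.51.100.20 = DMZ switch (Telnet server). Substitute the real hosts.
! Match only the one flow that trips the MSS check, not every TCP session.
access-list MSS_EXCEED_ACL extended permit tcp host 192.0.2.10 host 198.51.100.20 eq telnet

! TCP normalizer map that lets segments larger than the negotiated MSS through.
tcp-map MSS_EXCEED_MAP
 exceed-mss allow

! Class that selects the flow defined by the ACL above.
class-map MSS_EXCEED_CLASS
 match access-list MSS_EXCEED_ACL

! Attach the tcp-map to that class inside the existing global policy.
policy-map global_policy
 class MSS_EXCEED_CLASS
  set connection advanced-options MSS_EXCEED_MAP
```

Keeping the ACL to the two hosts and the Telnet port leaves the MSS check in force for every other connection through the firewall.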

It's curious, the packets dropped are from a telnet session between a Cisco router inside and a Cisco switch in dmz...

That is strange, have you tried it from a Windows PC with telnet to that device in the dmz instead ?
