Cisco Support Community
New Member

MSS exceeded

Hello,

I have an ASA 5540. When we copy a file from a remote location to a local server, we get the log below on the ASA:

Dropping TCP packet from outside: dest_ip to DMZ:Ip , reasone : MSS exceeded, MSS 1380, DATA 1480

What is the reason for the exceed?

We are able to log in successfully.

Thanks and Regards

Mitang R Prajapati.

4 REPLIES
Cisco Employee

Re: MSS exceeded

Hi Mitang,

Can you please try the below:

Configure an access-list to match the traffic and apply it in a policy map as follows:

pixfirewall(config)#access-list http-list2 permit tcp any any
(or change the ACL to match whatever traffic you want to allow the MSS exception for)
pixfirewall(config)#class-map http-map1
pixfirewall(config-cmap)#match access-list http-list2
pixfirewall(config-cmap)#exit
pixfirewall(config)#tcp-map mss-map
pixfirewall(config-tcp-map)#exceed-mss allow
pixfirewall(config-tcp-map)#exit
pixfirewall(config)#policy-map http-map1
pixfirewall(config-pmap)#class http-map1
pixfirewall(config-pmap-c)#set connection advanced-options mss-map
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)#exit
pixfirewall(config)#service-policy http-map1 interface outside

Do tell me how it goes.

Regards

Rahul

New Member

Re: MSS exceeded

Hello Rahul,

Thanks for the support.

We are not allowed to permit any any on the ASA 5540 firewall.

Could you tell me the purpose of this configuration?

Regards

Mitang

Cisco Employee

Re: MSS exceeded

Hi Mitang,

You can change the access-list as:

pixfirewall(config)#access-list http-list2 permit tcp host   host  .

The following will help you understand the configuration:

MSS exceeded:
To allow or drop packets whose data length exceeds the TCP maximum segment size set by the peer during a three-way handshake, use the exceed-mss command in tcp-map configuration mode.

set connection advanced-options:
To specify advanced TCP connection options within a policy-map for a traffic class, use the set connection advanced-options command in class mode.
To remove advanced TCP connection options for a traffic class within a policy map, use the no form of this command.

set connection advanced-options tcp-mapname
no set connection advanced-options tcp-mapname

Do tell me if you need any further help.

Regards,

Rahul

New Member

Re: MSS exceeded

Just another option: you can leverage the sysopt connection tcpmss command to increase the maximum segment size on a global level if desired. Cisco sets the MSS for the ASA down to 1380 largely because of its role as a flexible appliance (e.g. for VPN reasons). When I do deployments for non-VPN purposes, I always bump my MSS size up to allow for a full 1500 MTU.

Thanks,

Christopher
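As an added illustration (not code from any of the posters or from Cisco), the script below parses drop messages in the format quoted in the thread, reports per host pair how far the data length exceeds the negotiated MSS, and emits host-to-host ACEs in the thread's syntax so the tcp-map from Rahul's replies can be scoped to the flows that actually hit the drop instead of permit tcp any any. It also shows the MSS arithmetic behind Christopher's remark about 1380 versus a full 1500-byte MTU. The log lines are constructed samples using RFC 5737 documentation addresses, the regex is tolerant of the spacing and capitalisation variants seen in the question, and the 80-byte overhead budget used to reproduce the 1380 default is an assumption, not a value taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread (not real captures).
SAMPLE_LOGS = [
    "Dropping TCP packet from outside:203.0.113.10/445 to DMZ:192.0.2.20/51234, reason: MSS exceeded, MSS 1380, data 1480",
    "Dropping TCP packet from outside:203.0.113.10/445 to DMZ:192.0.2.20/51234, reason: MSS exceeded, MSS 1380, data 1460",
    "Dropping TCP packet from outside:198.51.100.7/22 to DMZ:192.0.2.21/40000, reason: MSS exceeded, MSS 1380, data 1400",
    "Built inbound TCP connection 12345 for outside:203.0.113.10/445 to DMZ:192.0.2.20/51234",  # unrelated, ignored
]

# Tolerant of "outside: dest_ip", "reasone :" and "DATA 1480" as written in the question.
LOG_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^:\s]+):\s*(?P<src>[^\s,]+) to "
    r"(?P<dst_if>[^:\s]+):\s*(?P<dst>[^\s,]+)\s*,\s*reasone?\s*:\s*MSS exceeded,"
    r"\s*MSS\s+(?P<mss>\d+),\s*data\s+(?P<data>\d+)",
    re.IGNORECASE,
)


def parse_mss_drop(line):
    """Return a dict describing an 'MSS exceeded' drop, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    mss, data = int(m.group("mss")), int(m.group("data"))
    return {
        "src_if": m.group("src_if"),
        "src": m.group("src").split("/")[0],  # strip the port if present
        "dst_if": m.group("dst_if"),
        "dst": m.group("dst").split("/")[0],
        "mss": mss,
        "data": data,
        "excess": data - mss,  # bytes beyond the MSS the peer advertised
    }


def mtu_to_mss(mtu, ip_header=20, tcp_header=20, extra_overhead=0):
    """MSS that fits in an MTU: MTU minus IP and TCP headers minus any encapsulation budget.
    A 1500-byte MTU with no extra overhead gives 1460; extra_overhead=80 reproduces the
    ASA default of 1380 (the 80-byte figure is an assumption made for this example)."""
    return mtu - ip_header - tcp_header - extra_overhead


def summarize_drops(lines):
    """Group drops per (src, dst) host pair: how many, and the largest excess seen."""
    flows = defaultdict(lambda: {"count": 0, "max_excess": 0, "mss": None})
    for line in lines:
        rec = parse_mss_drop(line)
        if rec is None:
            continue
        f = flows[(rec["src"], rec["dst"])]
        f["count"] += 1
        f["max_excess"] = max(f["max_excess"], rec["excess"])
        f["mss"] = rec["mss"]
    return dict(flows)


def suggest_host_acl(flows, acl_name="mss-list"):
    """Host-to-host ACEs in the thread's syntax, one per affected pair, instead of any any."""
    return [f"access-list {acl_name} permit tcp host {src} host {dst}"
            for (src, dst) in sorted(flows)]


if __name__ == "__main__":
    flows = summarize_drops(SAMPLE_LOGS)
    for (src, dst), f in flows.items():
        print(f"{src} -> {dst}: {f['count']} drops, up to {f['max_excess']} bytes over MSS {f['mss']}")
    print("\n".join(suggest_host_acl(flows)))
    print("MSS for a full 1500 MTU:", mtu_to_mss(1500))
```

Feed it the output of your syslog collector instead of SAMPLE_LOGS; the ACEs it prints are a starting point for the access-list in the tcp-map policy and should be reviewed against the change rules that ruled out permit tcp any any in the first place.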
