Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8453
Views
0
Helpful
5
Replies

sysopt connection tcpmss and MTU of 9216

Go to solution
patoberli
VIP Alumni
VIP Alumni

‎05-09-2012 07:39 AM - edited ‎03-11-2019 04:04 PM

Hi All

We have a new ASA5585 as an internal firewall that will slowly replace our aging FWSM. For optimum performance it was adviced on the FWSM to set sysopt connection tcpmss to 0, even though using MTU of 1500.

On the new ASA are we now going to enable MTU of 9216 for the contexts. The ASA is running in transparent multicontext mode.

I read this here: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9521.shtml which advises against setting the tcpmss to 0. But if I understand it correct, that means that the MTU of 9216 is useless, right?

So in our case it would be needed to turn of the tcpmss feature to actually use the higher MTU?

Thanks

Pato

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎05-09-2012 08:57 AM

Pato,

Jumbo frames support:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/jk.html#wp1633967

having a look at internal documentation we suggest setting MSS to 9096 (120 bytes lower tahn MTU) while typically we would set it to 40 bytes lower.

Now what you need to remember that we will use lower of the two MSSes advertised by peers.

M.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎05-09-2012 08:57 AM

Pato,

Jumbo frames support:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/jk.html#wp1633967

having a look at internal documentation we suggest setting MSS to 9096 (120 bytes lower tahn MTU) while typically we would set it to 40 bytes lower.

Now what you need to remember that we will use lower of the two MSSes advertised by peers.

M.

0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to Marcin Latosiewicz

‎05-09-2012 09:16 AM

Thanks for the clarification!

0 Helpful

Go to solution
ROBERTO TACCON
Level 4
Level 4
In response to Marcin Latosiewicz

‎05-09-2012 11:26 AM

Hello Marcin,

please can you clarify the following questions:

if I enable Jumbo frames support on an interface it is necessary to enable it on all the interfaces ?

if I have a cluster A/S and I enable the Jumbo frames support is it necessary to configure also the "Stateful Failover"

interface ?

as the "sysopt connection tcpmss 9096" is a global system configuration is it possible to configure only 2 interfaces with mtu 9216 and leave all other interfaces to the default 1500 ?

Best Regards

Roberto Taccon

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to ROBERTO TACCON

‎05-09-2012 12:22 PM

Roberto.

My knowledge about this feature is from several years ago, feel free to doublecheck.

Enabling jumbo frame  resevation/forwarding does not increase the MTU automatically - you need to explicitly raise your MTU.

You can leave failover interface as is.

M.

0 Helpful

Go to solution
Jay Johnston
Cisco Employee
Cisco Employee
In response to Marcin Latosiewicz

‎12-20-2012 02:52 PM

This is now documented online:

ASA: Receiving and Transmitting Jumbo Ethernet Frames

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd7524.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card