Silver

sysopt connection tcpmss and MTU of 9216

Hi All

We have a new ASA5585 as an internal firewall that will slowly replace our aging FWSM. For optimum performance it was advised on the FWSM to set sysopt connection tcpmss to 0, even though using an MTU of 1500.

On the new ASA we are now going to enable an MTU of 9216 for the contexts. The ASA is running in transparent multicontext mode.

I read this here: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9521.shtml which advises against setting the tcpmss to 0. But if I understand it correctly, that means that the MTU of 9216 is useless, right?

So in our case it would be necessary to turn off the tcpmss feature to actually use the higher MTU?

Thanks

Pato

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

sysopt connection tcpmss and MTU of 9216

Pato,

Jumbo frames support:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/jk.html#wp1633967

Having a look at internal documentation, we suggest setting MSS to 9096 (120 bytes lower than MTU), while typically we would set it to 40 bytes lower.

Now, what you need to remember is that we will use the lower of the two MSSes advertised by peers.

M.

5 REPLIES
Silver

sysopt connection tcpmss and MTU of 9216

Thanks for the clarification!

New Member

sysopt connection tcpmss and MTU of 9216

Hello Marcin,

Please can you clarify the following questions:

If I enable Jumbo frames support on an interface, is it necessary to enable it on all the interfaces?

If I have a cluster A/S and I enable the Jumbo frames support, is it also necessary to configure the "Stateful Failover" interface?

As the "sysopt connection tcpmss 9096" is a global system configuration, is it possible to configure only 2 interfaces with mtu 9216 and leave all other interfaces at the default 1500?

Best Regards

Roberto Taccon

Cisco Employee

sysopt connection tcpmss and MTU of 9216

Roberto.

My knowledge about this feature is from several years ago, feel free to double-check.

Enabling jumbo frame reservation/forwarding does not increase the MTU automatically - you need to explicitly raise your MTU.

You can leave failover interface as is.

M.

Cisco Employee

sysopt connection tcpmss and MTU of 9216

This is now documented online:

ASA: Receiving and Transmitting Jumbo Ethernet Frames

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd7524.shtml
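
A worked model of the MSS points raised in this thread, added here as an example (it is not code from Cisco or from any poster). It assumes IPv4 with no TCP options (40 bytes of headers), hosts that advertise MSS = MTU - 40, and a firewall that lowers the MSS option in the handshake to the `sysopt connection tcpmss` value unless that value is 0; the function names and the sample MTUs are constructed for illustration.

```python
IP_TCP_HEADERS = 40  # assumption: IPv4 (20) + TCP (20), no options


def clamp_mss(advertised, tcpmss):
    """MSS option after the firewall clamp; tcpmss=0 means the clamp is off."""
    return advertised if tcpmss == 0 else min(advertised, tcpmss)


def evaluate(host_a_mtu, host_b_mtu, fw_mtus, tcpmss):
    """Return (effective_mss, ip_packet_size, fits_all_fw_interfaces).

    fw_mtus lists the MTUs of the firewall interfaces the flow crosses.
    """
    # Each side advertises its own MSS; the firewall rewrites the option
    # in the SYN and SYN-ACK when it exceeds the configured clamp.
    mss_a = clamp_mss(host_a_mtu - IP_TCP_HEADERS, tcpmss)
    mss_b = clamp_mss(host_b_mtu - IP_TCP_HEADERS, tcpmss)
    # The lower of the two MSS values seen by the peers governs the flow.
    effective = min(mss_a, mss_b)
    packet = effective + IP_TCP_HEADERS
    # A full-size segment must fit the smallest interface MTU on the path,
    # otherwise it needs fragmentation or is dropped when DF is set.
    return effective, packet, packet <= min(fw_mtus)


def scenarios():
    """Constructed cases matching the questions asked in the thread."""
    return {
        # Clamp left at the ASA default of 1380: jumbo MTU is never used by TCP.
        "default_clamp": evaluate(9216, 9216, [9216, 9216], 1380),
        # Clamp raised to 9096 as suggested in the accepted answer.
        "clamp_9096": evaluate(9216, 9216, [9216, 9216], 9096),
        # Clamp disabled (0) while one crossed interface is still 1500.
        "clamp_off_mixed_path": evaluate(9216, 9216, [9216, 1500], 0),
        # Global 9096 clamp, one peer on a 1500-byte segment.
        "clamp_9096_small_peer": evaluate(9216, 1500, [9216, 1500], 9096),
    }


if __name__ == "__main__":
    for name, (mss, pkt, fits) in scenarios().items():
        print(f"{name:24} mss={mss:5} packet={pkt:5} fits={fits}")
```
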
