Web access to switch in DMZ issue

When we try to connect to the web interface, we get this in the logs: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430


Re: Web access to switch in DMZ issue

Are you running 7.x? There seems to be a workaround. Check this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

Rgds

Jorge


Re: Web access to switch in DMZ issue

Running 8.03 and tried that, no joy.


Re: Web access to switch in DMZ issue

Running 8.03

Re: Web access to switch in DMZ issue

Robert, did you follow the example in the link, using service-policy to activate the policy map created and apply it on the outside interface, and using the keyword exceed-mss allow?

I did some other searching and found this is the only way to make this work, even on version 8.0, as this is only done through the policy framework (class-map etc.).

Also, in your original post you indicated this only happens on a particular weblink; looking at the log, cox.home? Do you know the actual link DNS name?

Re: Web access to switch in DMZ issue

Try this script and add it to your global policy; replace server_ip with the destination DMZ host IP address.

access-list http-list permit tcp any host server_ip eq 80
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap

Rgds

Jorge
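An added example, not part of any post in this thread: a Python sketch that reads drop messages in the format quoted in the first post, reports which side sent the oversized segment and by how much, and prints one ACL entry per affected server in the form used in the reply above. The sample lines after the first, the function names and the `service_port` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First line is the message quoted in the original post; the other lines
# are constructed for this example (hosts and ports are made up).
SAMPLE_LOG = """\
Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430
Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50207, reason: MSS exceeded, MSS 1260, data 1460
Dropping TCP packet from outside:client.example/40111 to dmz:10.0.0.5/80, reason: MSS exceeded, MSS 1380, data 1400
Built inbound TCP connection 1 for outside:cox.home/50206 to dmz:smswitch.internal/80
"""

DROP_RE = re.compile(
    r"Dropping TCP packet from (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def summarize_mss_drops(log_text, service_port=80):
    """Group MSS-exceeded drops by the endpoint that owns service_port."""
    servers = defaultdict(lambda: {"drops": 0, "mss": 0, "max_data": 0, "senders": set()})
    for m in DROP_RE.finditer(log_text):
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport == service_port:        # oversized segment came from the server
            key, sender = (m["sif"], m["sip"]), "server"
        elif dport == service_port:      # oversized segment came from the client
            key, sender = (m["dif"], m["dip"]), "client"
        else:
            continue                     # not the service we are scoping the ACL to
        s = servers[key]
        s["drops"] += 1
        s["mss"] = int(m["mss"])
        s["max_data"] = max(s["max_data"], int(m["data"]))
        s["senders"].add(sender)
    return dict(servers)

def acl_lines(summary, acl_name="http-list", service_port=80):
    """One ACL entry per affected server, in the form used in the reply above."""
    # A hostname from the log is only valid here if the firewall resolves that name.
    return [f"access-list {acl_name} permit tcp any host {ip} eq {service_port}"
            for (_ifc, ip) in sorted(summary)]

if __name__ == "__main__":
    summary = summarize_mss_drops(SAMPLE_LOG)
    for (ifc, ip), s in sorted(summary.items()):
        print(f"{ifc}:{ip} drops={s['drops']} mss={s['mss']} max_data={s['max_data']} "
              f"oversize_by={s['max_data'] - s['mss']} senders={sorted(s['senders'])}")
    print("\n".join(acl_lines(summary)))
```

Scoping the ACL to the hosts that actually trigger the drop keeps `exceed-mss allow` from applying to every HTTP server behind the firewall.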


Re: Web access to switch in DMZ issue

I did that previously and it didn't work. As for the DNS, it is a switch and the switch does not have a DNS entry. We access it by IP.
