Cisco Support Community
MSS Announcing Problem

Hello,

In PIX 7.0 there is a new feature to check MSS announcement.

I found a document on CCO called: "PIX/ASA 7.0 Issue: HTTP Clients Cannot Browse to Some Web Sites"

Now I know how to mitigate that problem, but I still do not know what the problem is and why it occurs.

Can anybody explain under what conditions the "TCP MSS was too large" fires on PIX 7.0?

Thanks a lot

Markus

1 REPLY

Re: MSS Announcing Problem

Hi,

This is the URL you were mentioning about this workaround in PIX.

http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml#prob_desc

The TCP MSS value specifies the maximum amount of TCP data in a single IP datagram that the local system can accept (reassemble). The IP datagram can be fragmented into multiple packets when sent. Theoretically, this value can be as large as 65495, but such a large value is never used. Typically, an end system uses the "outgoing interface MTU" minus 40 as its reported MSS. For example, an Ethernet MSS value is 1460 (1500 - 40 = 1460).

As stated in the URL, there are some servers that appear to dishonor the TCP MSS value reported by the client. They simply ignore it and send a packet with a large TCP MSS, and the PIX implementation before release 7.0 allows such large TCP MSS packets.

From release 7.0, it is blocked by default.

The reason is that you might not want to allow these packets (with a large TCP MSS value) to reach the client because of a potential buffer overrun on the client. The client might not be able to handle such big payloads, and it can choke the performance of the client.

That's the reason this enhancement is made from release 7.0 onwards.

Check out this URL for some more insight into TCP MSS.

http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a008011a218.shtml#prob_desc

HTH

-VJ
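As an added illustration of the check VJ describes (example code, not from the thread or from Cisco), the following models what the PIX 7.0 "TCP MSS was too large" check does: it reads the MSS option out of the client's SYN and flags any server segment whose payload exceeds that announced value. The TCP header bytes are constructed here, and the function names are my own.

```python
"""Model of the PIX/ASA 7.0 'TCP MSS was too large' check (added example)."""
import struct
from typing import List, Optional

TCP_HDR_MIN = 20
MSS_OPTION_KIND = 2   # RFC 793 option kind for Maximum Segment Size


def mss_for_mtu(mtu: int) -> int:
    """Typical end-system MSS: interface MTU minus 20-byte IP and 20-byte TCP headers."""
    return mtu - 40


def parse_syn_mss(tcp_header: bytes) -> Optional[int]:
    """Return the MSS announced in a TCP SYN's options, or None if no MSS option is present."""
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    options = tcp_header[TCP_HDR_MIN:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                 # End-of-option-list
            break
        if kind == 1:                                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                     # truncated or malformed option
        length = options[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def mss_too_large(announced_mss: int, payload_len: int) -> bool:
    """The 7.0 behaviour: a segment carrying more payload than the peer announced is dropped."""
    return payload_len > announced_mss


def check_flow(client_syn: bytes, server_payload_lens: List[int]) -> List[int]:
    """Return the indexes of server segments the firewall would drop for this connection."""
    mss = parse_syn_mss(client_syn)
    if mss is None:
        mss = 536                                     # RFC 1122 default when no option is sent
    return [i for i, n in enumerate(server_payload_lens) if mss_too_large(mss, n)]


def build_syn(mss: int) -> bytes:
    """Constructed 28-byte TCP SYN header (20 base + 8 option bytes) carrying an MSS option."""
    base = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0)
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss) + b"\x01\x01\x00\x00"
    return base + options
```

Running `check_flow(build_syn(1460), [1460, 1500, 1200])` flags only the second segment, which is the case the tech note describes: the client announced an Ethernet MSS of 1460 and the server ignored it.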
