Cisco Support Community

New Member

MSS-exceed

ASA 5510 with a switch in the DMZ whose web interface we are trying to access over HTTPS. The connection fails and logs the error (syslog ID 419001): Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430

The firewall is running 8.03.
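One way to see which DMZ host is ignoring the client's MSS, as an added example that is not part of the thread: a small Python parser for the 419001 message text quoted above, run over a few constructed log lines. The `%ASA-4-419001:` prefix the firewall prepends, the second host `otherhost.internal` and the unrelated 302013 line are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Message body of ASA syslog 419001 as quoted in the thread; the
# "%ASA-4-419001:" tag in front of it is assumed here.
MSS_EXCEEDED_RE = re.compile(
    r"419001:\s*Dropping TCP packet from "
    r"(?P<in_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample log lines (not from the thread): two drops from the
# DMZ switch, one from a hypothetical second host, and one unrelated message.
SAMPLE_LOG = [
    "%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1430",
    "%ASA-4-419001: Dropping TCP packet from dmz:smswitch.internal/80 to outside:cox.home/50206, reason: MSS exceeded, MSS 1260, data 1380",
    "%ASA-4-419001: Dropping TCP packet from dmz:otherhost.internal/443 to outside:cox.home/50210, reason: MSS exceeded, MSS 1260, data 1300",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:cox.home/50206 to dmz:smswitch.internal/80",
]


def parse_mss_exceeded(line):
    """Return the fields of a 419001 drop message, or None for any other line."""
    m = MSS_EXCEEDED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "mss", "data"):
        rec[key] = int(rec[key])
    # How far the server's segment overshot the MSS the client advertised.
    rec["excess"] = rec["data"] - rec["mss"]
    return rec


def offending_servers(lines):
    """Group drops by the sending (interface, host, port).

    Returns {(in_if, src, sport): {"drops": n, "max_data": largest segment}}
    so the hosts that ignore the client's MSS stand out.
    """
    summary = defaultdict(lambda: {"drops": 0, "max_data": 0})
    for line in lines:
        rec = parse_mss_exceeded(line)
        if rec is None:
            continue
        entry = summary[(rec["in_if"], rec["src"], rec["sport"])]
        entry["drops"] += 1
        entry["max_data"] = max(entry["max_data"], rec["data"])
    return dict(summary)


if __name__ == "__main__":
    for (in_if, host, port), stats in sorted(offending_servers(SAMPLE_LOG).items()):
        print(f"{in_if}:{host}/{port}: {stats['drops']} drops, "
              f"largest segment {stats['max_data']} bytes")
```

The per-server count tells you which web server to chase (or to scope a tcp-map to), and the largest segment size shows how far it overshoots the client's MSS, which is useful context before deciding whether to allow the excess on the ASA or fix the server.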

6 REPLIES
New Member

Re: MSS-exceed

Hi,

Your client's TCP maximum segment size (MSS) is set to 1260; however, the switch webserver is ignoring the MSS sent by the client and sending back data exceeding the TCP MSS. From v7.0 onwards the default behavior is to drop this packet to defend against buffer overrun. The document below should help you. If the webserver is running on a Cisco switch it may be worth raising a TAC case once you've looked through the doc.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

New Member

Re: MSS-exceed

This will fix your problem. It is set for the outside interface, but you can alter it for the DMZ.

! The tcp-map must exist before the policy-map references it
tcp-map mss-map
 exceed-mss allow
!
access-list mssexceed extended permit tcp any any
!
class-map mssexceed-map
 match access-list mssexceed
!
policy-map mss-exceed-policy
 class mssexceed-map
  set connection advanced-options mss-map
!
service-policy mss-exceed-policy interface outside

New Member

Re: MSS-exceed

From my experience, applying it on the outside interface didn't take effect. I had to apply it in a global policy, and still the TCP "MSS exceeded" messages kept showing up. We had to reload the ASA for the global policy to take effect.

New Member

Re: MSS-exceed

Is a reload really necessary? Has anyone else done this?

Re: MSS-exceed

In the past I have used:

sysopt connection tcpmss xxxx

This way the ASA will alter the MSS on seeing the SYN and the returning SYN ACK.

Give it a go.

HTH

396 Views, 0 Helpful, 6 Replies