Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MSS Exceeded - Is the Cisco interpretation of RFC 879 correct?

I recently encountered the well-known problem where the PIX will drop packets that it believes exceed the MSS for an established connection. I read and implemented the workaround in this document:

The real problem that I have is *not* that the TCP stack on either the client or the server is misbehaving. I believe the problem is that Cisco has misinterpreted the RFC. The client and server are acting as per RFC879. Here is a direct quote from that RFC:

3. The TCP Maximum Segment Size Option

TCP provides an option that may be used at the time a connection is

established (only) to indicate the maximum size TCP segment that can

be accepted on that connection. This Maximum Segment Size (MSS)

announcement (often mistakenly called a negotiation) is sent from the

data receiver to the data sender and says "I can accept TCP segments

up to size X". The size (X) may be larger or smaller than the

default. The MSS can be used completely independently in each

direction of data flow. The result may be quite different maximum

sizes in the two directions.

The key phrase in that is "The MSS can be used completely independently in each direction of data flow." Our server is advertising an MSS of 1460 and the client is advertising an MSS of 1380.

The PIX is logging the following message:

%PIX-4-419001: Dropping TCP packet from outside:<client-ip-address-removed>/4815 to

dmz:<server-ip-address-removed>/25, reason: MSS exceeded, MSS 1380, data 1420

Cisco apparently believes that the lower of the two MSS should be used in both directions of the flow instead of allowing independent MSS for each direction of the flow.

I have also found other documentation on referring to IOS code that has this same policy. I can provide it upon request.

Why does the PIX expect the lower of the two MSS to be used?

CreatePlease login to create content