Cisco Support Community

When the ASA 5540 is used with a VPN Client, the %PIX|ASA-4-419001: Dropping TCP packet from src_ifc:src_IP/src_port to dest_ifc:dest_IP/dest_port, reason: MSS exceeded, MSS size, data size error message is received

Core issue

This %PIX|ASA-4-419001: Dropping TCP packet from src_ifc:src_IP/src_port to dest_ifc:dest_IP/dest_port, reason: MSS exceeded, MSS size, data size error message is generated when the length of the TCP packet exceeds the Maximum Segment Size (MSS) advertised in the three-way handshake.

Resolution

To resolve this issue, allow TCP packets to exceed the MSS. Use this configuration as an example of how to allow TCP packets that exceed the MSS (http-list, http and tmap are example names; global_policy is the policy map the service policy applies):

access-list http-list permit ip any any
class-map http
 match access-list http-list
tcp-map tmap
 exceed-mss allow
policy-map global_policy
 class http
  set connection advanced-options tmap
service-policy global_policy global

For more information on this error message, refer to Cisco Security Appliance System Log Messages, Version 7.0.

For more information on how to adjust the TCP MSS and the IP Maximum Transmission Unit (MTU), refer to Adjusting IP MTU, TCP MSS.
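
The following is an added example, not part of the original Cisco document: it parses 419001 messages and groups the drops by sender and receiver, which shows which peers actually trigger the message so the access list can be narrowed from `permit ip any any`. The log lines are constructed, and the rendered form `MSS <n>, data <n>` is an assumption based on the message template quoted above.

```python
import re
from collections import defaultdict

# Field layout follows the template quoted on this page:
# "from src_ifc:src_IP/src_port to dest_ifc:dest_IP/dest_port,
#  reason: MSS exceeded, MSS size, data size"
MSG_419001 = re.compile(
    r"%(?:PIX|ASA)-4-419001: Dropping TCP packet from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 22 2009 17:01:10: %ASA-4-419001: Dropping TCP packet from outside:192.0.2.10/80 to inside:10.0.0.5/1025, reason: MSS exceeded, MSS 1380, data 1460
Jun 22 2009 17:01:11: %ASA-4-419001: Dropping TCP packet from outside:192.0.2.10/80 to inside:10.0.0.5/1026, reason: MSS exceeded, MSS 1380, data 1400
Jun 22 2009 17:01:12: %ASA-6-000000: constructed unrelated line that must be skipped
Jun 22 2009 17:01:13: %PIX-4-419001: Dropping TCP packet from dmz:198.51.100.7/443 to inside:10.0.0.9/2000, reason: MSS exceeded, MSS 536, data 1000
"""


def summarize(lines):
    """Group MSS-exceeded drops by sender/receiver pair, most drops first."""
    flows = defaultdict(lambda: {"drops": 0, "mss": set(), "max_over": 0})
    for line in lines:
        m = MSG_419001.search(line)
        if not m:
            continue  # other syslog IDs or truncated lines
        key = (m["src_ifc"], m["src_ip"], m["dst_ifc"], m["dst_ip"])
        mss, data = int(m["mss"]), int(m["data"])
        flow = flows[key]
        flow["drops"] += 1
        flow["mss"].add(mss)  # MSS value reported in the message
        flow["max_over"] = max(flow["max_over"], data - mss)  # bytes over
    return sorted(flows.items(), key=lambda kv: -kv[1]["drops"])


if __name__ == "__main__":
    for (sifc, sip, difc, dip), f in summarize(SAMPLE_LOG.splitlines()):
        print(f"{sifc}:{sip} -> {difc}:{dip} drops={f['drops']} "
              f"mss={sorted(f['mss'])} max_over={f['max_over']}B")
```

Each resulting pair is a candidate for a specific `access-list` entry in place of the catch-all in the example configuration.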

Version history
Revision #: 1 of 1
Last update: 06-22-2009 05:11 PM