TCC_2

Core issue

The following error message is generated when the length of the TCP packet exceeds the Maximum Segment Size (MSS) advertised in the three-way handshake:

%PIX|ASA-4-419001: Dropping TCP packet from src_ifc:src_IP/src_port to dest_ifc:dest_IP/dest_port, reason: MSS exceeded, MSS size, data size

Resolution

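To resolve this issue, allow TCP packets to exceed the MSS. Use this configuration as an example of how to allow TCP packets that exceed the MSS. The names in parentheses are user-chosen. The access list shown matches all IP traffic, so every connection handled by the policy is allowed to exceed the MSS; restrict the access list to narrow the exception.

# access-list (http-list) permit ip any any

# class-map (http)
# match access-list (http-list)

# tcp-map (tmap)
# exceed-mss allow

# policy-map (global_policy)
# class (http)
# set connection advanced-options (tmap)

# service-policy (global_policy) global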
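
Because the access list above matches all IP traffic, it helps to see which sender and receiver pairs actually trigger the drop before deciding how wide the exception needs to be. The following Python script is an added example, not part of the original article or Cisco's documentation; the sample log lines are constructed, and the numeric "MSS n, data n" tail of the message is assumed from the template quoted under Core issue.

```python
import re

# Pattern built from the message template quoted on this page. The numeric
# "MSS <n>, data <n>" tail is an assumption drawn from that template.
MSG_419001 = re.compile(
    r"%(?:PIX|ASA)-4-419001: Dropping TCP packet from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_419001(line):
    """Return the fields of one 419001 message as a dict, or None if no match."""
    m = MSG_419001.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "mss", "data"):
        rec[key] = int(rec[key])
    rec["overshoot"] = rec["data"] - rec["mss"]  # bytes above the advertised MSS
    return rec

def summarize(lines):
    """Map (src_ifc, src_ip, dst_ifc, dst_ip) -> (drop count, largest overshoot)."""
    summary = {}
    for line in lines:
        rec = parse_419001(line)
        if rec is None:
            continue  # some other syslog message
        key = (rec["src_ifc"], rec["src_ip"], rec["dst_ifc"], rec["dst_ip"])
        count, worst = summary.get(key, (0, 0))
        summary[key] = (count + 1, max(worst, rec["overshoot"]))
    return summary

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "Jan 10 09:14:02 fw1 %ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/80 to inside:192.0.2.25/51514, reason: MSS exceeded, MSS 1380, data 1460",
    "Jan 10 09:14:05 fw1 %ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/80 to inside:192.0.2.25/51520, reason: MSS exceeded, MSS 1380, data 1448",
    "Jan 10 09:14:06 fw1 %ASA-6-302013: Built outbound TCP connection 1201 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.0.2.25/51521 (192.0.2.25/51521)",
    "Jan 10 09:15:40 fw1 %PIX-4-419001: Dropping TCP packet from dmz:203.0.113.9/443 to inside:192.0.2.40/40022, reason: MSS exceeded, MSS 1260, data 1300",
]

if __name__ == "__main__":
    for (sifc, sip, difc, dip), (n, worst) in sorted(summarize(SAMPLE).items()):
        print(f"{sifc}:{sip} -> {difc}:{dip}  drops={n}  max_overshoot={worst}")
```

The pairs in the summary are the candidates for a narrower access list than permit ip any any.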

For more information on this error message, refer to Cisco Security Appliance System Log Messages, Version 7.0.

For more information on how to adjust the TCP MSS and the IP Maximum Transmission Unit (MTU), refer to Adjusting IP MTU, TCP MSS.
