Cisco Support Community
New Member

PIX 6.3 IPSec tunnels and MSS

I have been looking to see if PIX 6.3 has the same capabilities as listed in the following link.

http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Basically, we deploy IPSec tunnels to various clients, and on the routers we have found it very effective to implement the following to account for the additional headers added by a tunnel...

interface Tunnel0
 ip tcp adjust-mss 1370

This uses TCP to adjust the host MTU so I don't have to worry about packets being fragmented to pass through the tunnel.

I was wondering if anyone knows if there is an equivalent command on a PIX running 6.3 to do the same, or if they perform this type of correction by default. I am only able to find this on the routers, nothing either way on the PIX.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: PIX 6.3 IPSec tunnels and MSS

You probably already found this, but to add my $0.02 to the table: the command is "sysopt connection tcpmss 1370", and the default MSS value for the PIX is 1380. I've only seen this useful in PPPoX VPN issues, unless there is an intermediate link MTU that could also be causing your problem. You might also look into using "transport" mode in place of "tunnel" mode (default) in your ipsec configs.

/karpenko/
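To make concrete what "ip tcp adjust-mss" on the router and "sysopt connection tcpmss" on the PIX are doing, here is a worked example added to this thread (it is not code from the original post or from Cisco). The first half computes how large a TCP MSS can be before ESP encapsulation pushes a full-size segment past a 1500-byte link MTU, in tunnel and transport mode; the second half rewrites the MSS option in a constructed SYN the way the firewall does, patching the TCP checksum incrementally so the segment stays valid. Header and ESP field sizes come from RFC 791, RFC 793 and RFC 4303; the cipher table, the IP addresses and the port numbers are assumptions for the illustration.

```python
"""Added example (not from the thread): IPsec ESP overhead vs. MTU, and an
MSS clamp on a SYN. Sizes per RFC 791/793/4303; cipher table, addresses
and ports below are assumptions for illustration."""
import socket
import struct

IPV4_HDR = 20        # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV_96 = 12          # HMAC-MD5-96 / HMAC-SHA1-96 truncated ICV
# (IV length, cipher block size) in bytes; an assumed set of transforms.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def encrypted_size(mss, cipher="3des-cbc", tunnel=True, icv_len=ICV_96):
    """Wire size of a full-MSS TCP segment after ESP encapsulation."""
    iv_len, block = CIPHERS[cipher]
    esp_payload = TCP_HDR + mss
    if tunnel:                      # tunnel mode wraps the whole inner IP packet
        esp_payload += IPV4_HDR
    pad = (-(esp_payload + ESP_TRAILER)) % block   # pad up to cipher block size
    # outer (or original, in transport mode) IP header + ESP header + IV + ...
    return IPV4_HDR + ESP_HDR + iv_len + esp_payload + pad + ESP_TRAILER + icv_len


def max_mss(link_mtu=1500, cipher="3des-cbc", tunnel=True, icv_len=ICV_96):
    """Largest MSS whose ESP-wrapped segment still fits link_mtu unfragmented.
    Padding depends on segment size, so walk down from the plain-Ethernet MSS."""
    for mss in range(link_mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if encrypted_size(mss, cipher, tunnel, icv_len) <= link_mtu:
            return mss
    raise ValueError("link MTU too small for any TCP payload")


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum over the IPv4 pseudo-header and the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"        # checksum field is zero while computing
    return ~_ones_complement_sum(pseudo + bytes(seg)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack_from("!H", segment, 16)[0]


def build_syn(src_ip, dst_ip, mss, sport=40000, dport=443):
    """Constructed SYN carrying MSS, NOP and window-scale options, checksummed."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + b"\x03\x03\x07"
    data_offset = (TCP_HDR + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4,
                      0x02, 65535, 0, 0) + options
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def clamp_syn_mss(segment, limit):
    """Lower the MSS option of a SYN to limit if it is larger, as the firewall does.
    Returns (segment, mss_seen); mss_seen is None for a non-SYN or a SYN without
    MSS. The checksum is fixed incrementally (RFC 1624, eq. 3), which needs no
    pseudo-header. A malformed option list is returned untouched."""
    if len(segment) < TCP_HDR:
        raise ValueError("truncated TCP header")
    buf = bytearray(segment)
    data_offset = (buf[12] >> 4) * 4
    if not buf[13] & 0x02 or data_offset > len(buf):
        return bytes(buf), None
    i = TCP_HDR
    while i < data_offset:
        kind = buf[i]
        if kind == 0:                # end of option list
            break
        if kind == 1:                # NOP
            i += 1
            continue
        if i + 1 >= data_offset or buf[i + 1] < 2 or i + buf[i + 1] > data_offset:
            break                    # bad length: refuse to touch it
        if kind == 2 and buf[i + 1] == 4:
            old = struct.unpack_from("!H", buf, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", buf, i + 2, limit)
                csum = struct.unpack_from("!H", buf, 16)[0]
                s = (~csum & 0xFFFF) + (~old & 0xFFFF) + limit   # ~(~HC + ~m + m')
                s = (s & 0xFFFF) + (s >> 16)
                s = (s & 0xFFFF) + (s >> 16)
                struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
            return bytes(buf), old
        i += buf[i + 1]
    return bytes(buf), None


if __name__ == "__main__":
    print("3DES tunnel:", max_mss(1500, "3des-cbc", True), "transport:", max_mss(1500, "3des-cbc", False))
    clamped, seen = clamp_syn_mss(build_syn("10.0.0.1", "10.0.0.2", 1460), 1380)
    print("MSS %d -> %d, checksum ok: %s" % (seen, clamp_syn_mss(clamped, 0xFFFF)[1],
                                            checksum_ok("10.0.0.1", "10.0.0.2", clamped)))
```

On a 1500-byte link the calculator gives 1406 for 3DES in tunnel mode (1426 in transport mode, 1398 for AES-CBC in tunnel mode), so the 1370/1380 values in this thread sit comfortably below the hard limit; that headroom is what absorbs the extra 8 bytes of a NAT-T UDP header or a PPPoE link. Note the clamp only touches SYN segments, which is why it works without any per-connection state: both ends derive their send size from the MSS they see in the handshake.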

6 REPLIES
Silver

Re: PIX 6.3 IPSec tunnels and MSS

To my knowledge, FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

Silver

Re: PIX 6.3 IPSec tunnels and MSS

There is a sysopt command on the PIX that does this; it's set to 1460 by default, I think. Do 'sh sysopt'; all the options are listed there.

Andy

New Member

Re: PIX 6.3 IPSec tunnels and MSS

Hey thanks for helping us out.

Signed,

Goatboy

New Member

Re: PIX 6.3 IPSec tunnels and MSS

sysopt connection tcpmss

The default is 1380.

Good luck - Scott

New Member

Re: PIX 6.3 IPSec tunnels and MSS

Hi,

You can use sysopt connection tcpmss command.

Please rate if you find this useful

-Rakesh
