ASA - MSS Exceeded
Background
PIX or ASA running 7.0 or later introduced a security feature in which any packet carrying more TCP data than the MSS announced during the 3-way handshake is dropped.
During the 3-way handshake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can accept (normally MTU minus 40).
Once each side has announced its MSS, each end should send segments no larger than the MSS announced by its peer during the 3-way handshake.
Not all web servers adhere to this; some send segments larger than what the client can accept, which can cause buffer overruns and fragmentation issues. PIX/ASA 7.0 (and higher) block such behaviour by default.
Confirm traffic is being blocked
To confirm that your firewall is blocking this traffic you can:
- Search the logs for "MSS Exceeded"
- Run the command sh asp drop
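As an added example (not part of the original article), the following Python script pulls the "MSS exceeded" drops out of ASA syslog output and totals them per sending host, so you can see which servers overshoot and by how much before deciding how wide to make the permit ACL. The log lines are constructed; their layout follows the %ASA-4-419001 message format, which is an assumption on my part since the article quotes only the "MSS Exceeded" search string.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real traffic). The layout follows the
# %ASA-4-419001 "MSS exceeded" message; addresses and sizes are made up.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/80 to inside:192.0.2.20/51234, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/80 to inside:192.0.2.21/51300, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/443 to inside:192.0.2.20/52000, reason: MSS exceeded, MSS 1260, data 1380
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.20/51234 (192.0.2.20/51234)
"""

MSS_EXCEEDED_RE = re.compile(
    r"Dropping TCP packet from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_mss_exceeded(log_text):
    """Return one dict per MSS-exceeded drop: sender, receiver, agreed MSS,
    payload size, and how many bytes the segment overshot the announced MSS."""
    events = []
    for line in log_text.splitlines():
        m = MSS_EXCEEDED_RE.search(line)
        if not m:
            continue  # other ASA messages (e.g. 302013 connection built) are ignored
        mss, data = int(m["mss"]), int(m["data"])
        events.append({
            "sender": f"{m['src_ip']}/{m['src_port']}",
            "receiver": m["dst_ip"],
            "mss": mss,
            "data": data,
            "overshoot": data - mss,  # bytes beyond what the receiver announced
        })
    return events

def summarize_by_sender(events):
    """Count drops per offending sender, so a permit ACL can be scoped to those
    hosts instead of the 'permit tcp any any' used in the global example."""
    counts = defaultdict(int)
    for e in events:
        counts[e["sender"]] += 1
    return dict(counts)

if __name__ == "__main__":
    evs = parse_mss_exceeded(SAMPLE_LOG)
    for e in evs:
        print(f"{e['sender']} -> {e['receiver']}: MSS {e['mss']}, data {e['data']} (+{e['overshoot']} bytes)")
    print(summarize_by_sender(evs))
```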
To disable this feature and allow traffic that exceeds the announced MSS, use the following syntax:
(config)# access-list MSS_Exceeded_ACL permit tcp any any
(config)# class-map MSS_Exceeded_MAP
(config-cmap)# match access-list MSS_Exceeded_ACL
(config-cmap)# exit
(config)# tcp-map mss-map
(config-tcp-map)# exceed-mss allow
(config-tcp-map)# exit
(config)# policy-map global_policy
(config-pmap)# class MSS_Exceeded_MAP
(config-pmap-c)# set connection advanced-options mss-map
(config-pmap-c)# end
Please note that, because the class is attached to global_policy, the above syntax allows "MSS exceeded" traffic globally.
You can confirm that you have enabled this feature by running the command sh run all tcp-map.