About the TCP MSS

The TCP maximum segment size (MSS) is the size of the TCP payload before any TCP and IP headers are added. UDP packets are not affected. The client and the server exchange TCP MSS values during the three-way handshake when establishing the connection.

You can set the TCP MSS on the ASA for through traffic; by default, the maximum TCP MSS is set to 1380 bytes. This setting is useful when the ASA needs to add to the size of the packet for IPsec VPN encapsulation. However, for non-IPsec endpoints, you should disable the maximum TCP MSS on the ASA.

If you set a maximum TCP MSS, if either endpoint of a connection requests a TCP MSS that is larger than the value set on the ASA, then the ASA overwrites the TCP MSS in the request packet with the ASA maximum. If the host or server does not request a TCP MSS, then the ASA assumes the RFC 793-default value of 536 bytes (IPv4) or 1220 bytes (IPv6), but does not modify the packet. For example, you leave the default MTU as 1500 bytes. A host requests an MSS of 1500 minus the TCP and IP header length, which sets the MSS to 1460. If the ASA maximum TCP MSS is 1380 (the default), then the ASA changes the MSS value in the TCP request packet to 1380. The server then sends packets with 1380-byte payloads. The ASA can then add up to 120 bytes of headers to the packet and still fit in the MTU size of 1500.

You can also configure the minimum TCP MSS; if a host or server requests a very small TCP MSS, the ASA can adjust the value up. By default, the minimum TCP MSS is not enabled.

For to-the-box traffic, including for SSL VPN connections, this setting does not apply. The ASA uses the MTU to derive the TCP MSS: MTU - 40 (IPv4) or MTU - 60 (IPv6).

Default TCP MSS

By default, the maximum TCP MSS on the ASA is 1380 bytes. This default accommodates IPv4 IPsec VPN connections where the headers can equal up to 120 bytes; this value fits within the default MTU of 1500 bytes.

Suggested Maximum TCP MSS Setting

The default TCP MSS assumes the ASA acts as an IPv4 IPsec VPN endpoint and has an MTU of 1500. When the ASA acts as an IPv4 IPsec VPN endpoint, it needs to accommodate up to 120 bytes for TCP and IP headers.

If you change the MTU value, use IPv6, or do not use the ASA as an IPsec VPN endpoint, then you should change the TCP MSS setting. See the following guidelines:

  • Normal traffic—Disable the TCP MSS limit and accept the value established between connection endpoints. Because connection endpoints typically derive the TCP MSS from the MTU, non-IPsec packets usually fit this TCP MSS.

  • IPv4 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 120. For example, if you use jumbo frames and set the MTU to 9000, then you need to set the TCP MSS to 8880 to take advantage of the new MTU.

  • IPv6 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 140.

Procedure

Step 1

Set the MTU between 300 and 9198 bytes (9000 for the ASAv and the Firepower 9300 chassis):

mtu interface_name bytes

Example:



ciscoasa(config)# mtu inside 9000

The default is 1500 bytes.

Note 

When you set the MTU for a redundant or port-channel interface, the ASA applies the setting to all member interfaces.

For many models that support jumbo frames, if you enter a value for any interface that is greater than 1500, then you need to enable jumbo frame support. See Enable Jumbo Frame Support.

Note 

If you use VLAN tagging, the maximum value for the ASA 5585-X and Firepower 9300 chassis is reduced by 4 bytes: 9194 for the ASA 5585-X and 8996 for the Firepower 9300 chassis. Even if the ASA lets you set the MTU to a value of 9195-9198, the actual payload size will be 9194.
Step 2

Set the maximum TCP segment size in bytes, between 48 and any maximum number:

sysopt connection tcpmss [minimum ] bytes

Example:



ciscoasa(config)# sysopt connection tcpmss 8500

ciscoasa(config)# sysopt connection tcpmss minimum 1290

The default value is 1380 bytes. You can disable this feature by setting bytes to 0.

For the minimum keyword, sets the maximum segment size to be no less than bytes, between 48 and 65535. The minimum feature is disabled by default (set to 0).
Step 3

For ASA Cluster settings, see Configure Interfaces on the Master Unit.

Examples

The following example enables jumbo frames, increases the MTU on all interfaces, and disables the TCP MSS for non-VPN traffic (by setting the TCP MSS to 0, which means there is no limit):



jumbo frame-reservation

mtu inside 9198

mtu outside 9198

sysopt connection tcpmss 0

The following example enables jumbo frames, increases the MTU on all interfaces, and changes the TCP MSS for VPN traffic to 9078 (the MTU minus 120):



jumbo frame-reservation

mtu inside 9198

mtu outside 9198

sysopt connection tcpmss 9078

关于ASA的TCP MSS的更多相关文章

  1. 在linux内核中修改TCP MSS值

    MTU: Maxitum Transmission Unit 最大传输单元 MSS: Maxitum Segment Size 最大分段大小 MSS最大传输大小的缩写,是TCP协议里面的一个概念.MS ...

  2. Linux内核TCP MSS机制详细分析

    前言 上周Linux内核修复了4个CVE漏洞[1],其中的CVE-2019-11477感觉是一个很厉害的Dos漏洞,不过因为有其他事打断,所以进展的速度比较慢,这期间网上已经有相关的分析文章了.[2] ...

  3. TCP 协议中MSS的理解

    在介绍MSS之前我们必须要理解下面的几个重要的概念.MTU: Maxitum Transmission Unit 最大传输单元MSS: Maxitum Segment Size 最大分段大小PPPoE ...

  4. tcp协议中mss的理解

    在介绍MSS之前我们必须要理解下面的几个重要的概念.<blockquote>MTU: Maxitum Transmission Unit 最大传输单元MSS: Maxitum Segmen ...

  5. (转)小议TCP的MSS(最大分段)以及MTU

    [前言]漫漫51长假,没有好的去处,只能每日上网消遣,某日逛到NBO灌水,见一帖曰:无法通过2514路由器上MSN(出口为ADSL线路,通过PPPoE)吾心想,ADSL---PPPoE,那肯定就是MT ...

  6. MTU & MSS 详解记录(转)

              先学习理解一下帧的封装格式:   需要注意的是,区别两种帧封装格式:802标准帧和以太网帧 1,在802标准定义的帧格式中,长度字段是指它后续数据的字节长度,但不包括C R C检验 ...

  7. High Performance Browser Networking - TCP UDP TLS

    延迟 定义和标准延迟 延迟简单地说,它是一种转移或信息包从起点到终点,所花费的时间. 延迟=发送延迟+传播延迟+处理延迟+排队延迟: Propagation delay 传播时延 传播时延这个概念.是 ...

  8. 网络-05-端口号-F5-负载均衡设-linux端口详解大全--TCP注册端口号大全备

    [root@test1:Standby] config # [root@test1:Standby] config # [root@test1:Standby] config # [root@test ...

  9. (转)MTU&MSS

    MTU是Maximum Transmission Unit的缩写,意为最大传输单元,通俗的理解就是在网络上传送的最大数据包,单位是字节. 以太网对数据帧的长度都有一个限制,其最大值为1500,这个特性 ...

随机推荐

  1. [刷题] Leetcode算法 (2020-2-27)

    1.最后一个单词的长度(很简单) 题目: 给定一个仅包含大小写字母和空格 ' ' 的字符串 s,返回其最后一个单词的长度. 如果字符串从左向右滚动显示,那么最后一个单词就是最后出现的单词. 如果不存在 ...

  2. swagger2 常用注解的使用

    一.@Api 效果: @Api注解放在类上面,这里的value是没用的,tags表示该controller的介绍. 二 .@ApiOperation 效果: @ApiOperation注解用于放在方法 ...

  3. Python求1000以内所有3或5的倍数的和。

    a=0 for n in range(1,1000): if n%3==0 or n%5==0: a=a+n print(a) 运行结果: 233168

  4. 【代码总结】Struts2 Action接受参数方式的对比

    一.属性方式 1.Action中:对应表单参数的setter.getter 2.页面中  :Form中元素name取值属性名 <s:property value="属性名" ...

  5. [lua]紫猫lua教程-命令宝典-L1-01-05. if判断结构

    L1[if]01. 简单的if判断结构 没什么说得 if得基本结构如下 xxx= ) then testlib.traceprint("1-100") ) then testlib ...

  6. 其他 - markdown 常用语法

    1. 概述 简述 markdown 相关的标记 2. markdown markdown 概述 简单的标记语言 用作快速排版 使用 使用标记对文章样式进行描述 通过专门的引擎读取, 可以展示简单的样式 ...

  7. Python turtle库详解

    Python turtle库详解 Turtle库是Python语言中一个很流行的绘制图像的函数库,想象一个小乌龟,在一个横轴为x.纵轴为y的坐标系原点,(0,0)位置开始,它根据一组函数指令的控制,在 ...

  8. ASP.NET Core搭建多层网站架构【0-前言】

    2020/01/26, ASP.NET Core 3.1, VS2019 摘要:基于ASP.NET Core 3.1 WebApi搭建后端多层网站架构 目录 0-前言 1-项目结构分层建立 2-公共基 ...

  9. Spring5 of WebClient(转载)

    前言 Spring5带来了新的响应式web开发框架WebFlux,同时,也引入了新的HttpClient框架WebClient.WebClient是Spring5中引入的执行 HTTP 请求的非阻塞. ...

  10. 激活windows系统

    1.下载KMS 2.如图所示,双击KMSpico看是否正常运行 3.双击KMSpico正常后出现以下界面 4.点击红色按钮 5.等自动退出就是激活成功,大概半年需要激活一次