About the TCP MSS on the ASA
About the TCP MSS
The TCP maximum segment size (MSS) is the size of the TCP payload before any TCP and IP headers are added. UDP packets are not affected. The client and the server exchange TCP MSS values during the three-way handshake when establishing the connection.
You can set the TCP MSS on the ASA for through traffic; by default, the maximum TCP MSS is set to 1380 bytes. This setting is useful when the ASA needs to add to the size of the packet for IPsec VPN encapsulation. However, for non-IPsec endpoints, you should disable the maximum TCP MSS on the ASA.
If you set a maximum TCP MSS and either endpoint of a connection requests a TCP MSS larger than the value set on the ASA, the ASA overwrites the TCP MSS in the request packet with the ASA maximum. If the host or server does not request a TCP MSS, the ASA assumes the RFC 793 default value of 536 bytes (IPv4) or 1220 bytes (IPv6), but does not modify the packet. For example, suppose you leave the default MTU at 1500 bytes. A host requests an MSS of 1500 minus the TCP and IP header length, which gives an MSS of 1460. If the ASA maximum TCP MSS is 1380 (the default), the ASA changes the MSS value in the TCP request packet to 1380. The server then sends packets with 1380-byte payloads. The ASA can then add up to 120 bytes of headers to the packet and still fit within the MTU of 1500.
You can also configure the minimum TCP MSS; if a host or server requests a very small TCP MSS, the ASA can adjust the value up. By default, the minimum TCP MSS is not enabled.
For to-the-box traffic, including for SSL VPN connections, this setting does not apply. The ASA uses the MTU to derive the TCP MSS: MTU - 40 (IPv4) or MTU - 60 (IPv6).
Default TCP MSS
By default, the maximum TCP MSS on the ASA is 1380 bytes. This default accommodates IPv4 IPsec VPN connections where the headers can equal up to 120 bytes; this value fits within the default MTU of 1500 bytes.
Suggested Maximum TCP MSS Setting
The default TCP MSS assumes the ASA acts as an IPv4 IPsec VPN endpoint and has an MTU of 1500. When the ASA acts as an IPv4 IPsec VPN endpoint, it needs to accommodate up to 120 bytes for TCP and IP headers.
If you change the MTU value, use IPv6, or do not use the ASA as an IPsec VPN endpoint, then you should change the TCP MSS setting. See the following guidelines:
Normal traffic—Disable the TCP MSS limit and accept the value established between connection endpoints. Because connection endpoints typically derive the TCP MSS from the MTU, non-IPsec packets usually fit this TCP MSS.
IPv4 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 120. For example, if you use jumbo frames and set the MTU to 9000, then you need to set the TCP MSS to 8880 to take advantage of the new MTU.
IPv6 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 140.
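To make the clamping and sizing rules above concrete, here is an added Python model of them; it is not Cisco code and does not claim to reproduce ASA internals beyond what this page states. It parses the MSS option out of a SYN's TCP options, applies the maximum/minimum rewrite rules (including the assumed 536/1220 value when no option is present), and computes the suggested maximum from the MTU. The option bytes and all function names are my own constructions.

```python
import struct

# Values the ASA assumes when a SYN carries no MSS option (RFC 793 default / IPv6)
ASSUMED_MSS = {4: 536, 6: 1220}
# Header budget: TCP+IP only (to-the-box), or TCP+IP+IPsec (VPN endpoint guideline)
HEADER_OVERHEAD = {(4, False): 40, (6, False): 60, (4, True): 120, (6, True): 140}

def suggested_max_mss(mtu, ip_version=4, ipsec_endpoint=False):
    """Maximum TCP MSS to configure for through traffic: 0 (disabled) for
    non-IPsec traffic, MTU-120 (IPv4) or MTU-140 (IPv6) for IPsec endpoints."""
    if not ipsec_endpoint:
        return 0
    return mtu - HEADER_OVERHEAD[(ip_version, True)]

def to_the_box_mss(mtu, ip_version=4):
    """MSS the ASA derives from the interface MTU for traffic terminating on it."""
    return mtu - HEADER_OVERHEAD[(ip_version, False)]

def parse_mss_option(tcp_options):
    """Walk the TCP options of a SYN and return the MSS (kind 2), or None."""
    i = 0
    while i + 1 < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:               # end of option list
            return None
        if kind == 1:               # NOP has no length byte
            i += 1
            continue
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            return None             # malformed option, treat as absent
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_options[i + 2:i + 4])[0]
        i += length
    return None

def clamp_mss(tcp_options, ip_version=4, max_mss=1380, min_mss=0):
    """Apply the ASA rules to a SYN; returns (effective_mss, rewritten_in_packet)."""
    requested = parse_mss_option(tcp_options)
    if requested is None:
        return ASSUMED_MSS[ip_version], False   # assumed, packet left untouched
    if max_mss and requested > max_mss:
        return max_mss, True                    # clamp down to the configured maximum
    if min_mss and requested < min_mss:
        return min_mss, True                    # raise to the configured minimum
    return requested, False

# Constructed sample: MSS 1460 (0x05b4), NOP, window scale 7, as a 1500-MTU host sends
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b401030307")
```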
Procedure
Step 1
Set the MTU between 300 and 9198 bytes (9000 for the ASAv and the Firepower 9300 chassis):
mtu interface_name bytes
The default is 1500 bytes.
For many models that support jumbo frames, if you enter a value for any interface that is greater than 1500, then you need to enable jumbo frame support. See Enable Jumbo Frame Support.
Step 2
Set the maximum TCP segment size in bytes, between 48 and any maximum number:
sysopt connection tcpmss [minimum] bytes
The default value is 1380 bytes. You can disable this feature by setting bytes to 0. With the minimum keyword, the command instead sets the segment size to be no less than bytes, between 48 and 65535. The minimum feature is disabled by default (set to 0).
Step 3
For ASA Cluster settings, see Configure Interfaces on the Master Unit.
Examples
The following example enables jumbo frames, increases the MTU on all interfaces, and disables the TCP MSS for non-VPN traffic (by setting the TCP MSS to 0, which means there is no limit):
jumbo frame-reservation
mtu inside 9198
mtu outside 9198
sysopt connection tcpmss 0
The following example enables jumbo frames, increases the MTU on all interfaces, and changes the TCP MSS for VPN traffic to 9078 (the MTU minus 120):
jumbo frame-reservation
mtu inside 9198
mtu outside 9198
sysopt connection tcpmss 9078