About the TCP MSS

The TCP maximum segment size (MSS) is the size of the TCP payload before any TCP and IP headers are added. UDP packets are not affected. The client and the server exchange TCP MSS values during the three-way handshake when establishing the connection.

You can set the TCP MSS on the ASA for through traffic; by default, the maximum TCP MSS is set to 1380 bytes. This setting is useful when the ASA needs to add to the size of the packet for IPsec VPN encapsulation. However, for non-IPsec endpoints, you should disable the maximum TCP MSS on the ASA.

If you set a maximum TCP MSS, if either endpoint of a connection requests a TCP MSS that is larger than the value set on the ASA, then the ASA overwrites the TCP MSS in the request packet with the ASA maximum. If the host or server does not request a TCP MSS, then the ASA assumes the RFC 793-default value of 536 bytes (IPv4) or 1220 bytes (IPv6), but does not modify the packet. For example, you leave the default MTU as 1500 bytes. A host requests an MSS of 1500 minus the TCP and IP header length, which sets the MSS to 1460. If the ASA maximum TCP MSS is 1380 (the default), then the ASA changes the MSS value in the TCP request packet to 1380. The server then sends packets with 1380-byte payloads. The ASA can then add up to 120 bytes of headers to the packet and still fit in the MTU size of 1500.

You can also configure the minimum TCP MSS; if a host or server requests a very small TCP MSS, the ASA can adjust the value up. By default, the minimum TCP MSS is not enabled.

For to-the-box traffic, including for SSL VPN connections, this setting does not apply. The ASA uses the MTU to derive the TCP MSS: MTU - 40 (IPv4) or MTU - 60 (IPv6).

Default TCP MSS

By default, the maximum TCP MSS on the ASA is 1380 bytes. This default accommodates IPv4 IPsec VPN connections where the headers can equal up to 120 bytes; this value fits within the default MTU of 1500 bytes.

Suggested Maximum TCP MSS Setting

The default TCP MSS assumes the ASA acts as an IPv4 IPsec VPN endpoint and has an MTU of 1500. When the ASA acts as an IPv4 IPsec VPN endpoint, it needs to accommodate up to 120 bytes for TCP and IP headers.

If you change the MTU value, use IPv6, or do not use the ASA as an IPsec VPN endpoint, then you should change the TCP MSS setting. See the following guidelines:

  • Normal traffic—Disable the TCP MSS limit and accept the value established between connection endpoints. Because connection endpoints typically derive the TCP MSS from the MTU, non-IPsec packets usually fit this TCP MSS.

  • IPv4 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 120. For example, if you use jumbo frames and set the MTU to 9000, then you need to set the TCP MSS to 8880 to take advantage of the new MTU.

  • IPv6 IPsec endpoint traffic—Set the maximum TCP MSS to the MTU - 140.

Procedure

Step 1

Set the MTU between 300 and 9198 bytes (9000 for the ASAv and the Firepower 9300 chassis):

mtu interface_name bytes

Example:


  2. ciscoasa(config)# mtu inside 9000

The default is 1500 bytes.

Note 

When you set the MTU for a redundant or port-channel interface, the ASA applies the setting to all member interfaces.

For many models that support jumbo frames, if you enter a value for any interface that is greater than 1500, then you need to enable jumbo frame support. See Enable Jumbo Frame Support.

Note 

If you use VLAN tagging, the maximum value for the ASA 5585-X and Firepower 9300 chassis is reduced by 4 bytes: 9194 for the ASA 5585-X and 8996 for the Firepower 9300 chassis. Even if the ASA lets you set the MTU to a value of 9195-9198, the actual payload size will be 9194.
Step 2

Set the maximum TCP segment size in bytes, between 48 and any maximum number:

sysopt connection tcpmss [minimum ] bytes

Example:


  2. ciscoasa(config)# sysopt connection tcpmss 8500
  3. ciscoasa(config)# sysopt connection tcpmss minimum 1290

The default value is 1380 bytes. You can disable this feature by setting bytes to 0.

For the minimum keyword, sets the maximum segment size to be no less than bytes, between 48 and 65535. The minimum feature is disabled by default (set to 0).
Step 3

For ASA Cluster settings, see Configure Interfaces on the Master Unit.

Examples

The following example enables jumbo frames, increases the MTU on all interfaces, and disables the TCP MSS for non-VPN traffic (by setting the TCP MSS to 0, which means there is no limit):


  2. jumbo frame-reservation
  3. mtu inside 9198
  4. mtu outside 9198
  5. sysopt connection tcpmss 0

The following example enables jumbo frames, increases the MTU on all interfaces, and changes the TCP MSS for VPN traffic to 9078 (the MTU minus 120):


  2. jumbo frame-reservation
  3. mtu inside 9198
  4. mtu outside 9198
  5. sysopt connection tcpmss 9078

关于ASA的TCP MSS的更多相关文章

  1. 在linux内核中修改TCP MSS值

    MTU: Maxitum Transmission Unit 最大传输单元 MSS: Maxitum Segment Size 最大分段大小 MSS最大传输大小的缩写,是TCP协议里面的一个概念.MS ...

  2. Linux内核TCP MSS机制详细分析

    前言 上周Linux内核修复了4个CVE漏洞[1],其中的CVE-2019-11477感觉是一个很厉害的Dos漏洞,不过因为有其他事打断,所以进展的速度比较慢,这期间网上已经有相关的分析文章了.[2] ...

  3. TCP 协议中MSS的理解

    在介绍MSS之前我们必须要理解下面的几个重要的概念.MTU: Maxitum Transmission Unit 最大传输单元MSS: Maxitum Segment Size 最大分段大小PPPoE ...

  4. tcp协议中mss的理解

    在介绍MSS之前我们必须要理解下面的几个重要的概念.<blockquote>MTU: Maxitum Transmission Unit 最大传输单元MSS: Maxitum Segmen ...

  5. (转)小议TCP的MSS(最大分段)以及MTU

    [前言]漫漫51长假,没有好的去处,只能每日上网消遣,某日逛到NBO灌水,见一帖曰:无法通过2514路由器上MSN(出口为ADSL线路,通过PPPoE)吾心想,ADSL---PPPoE,那肯定就是MT ...

  6. MTU & MSS 详解记录(转)

              先学习理解一下帧的封装格式:   需要注意的是,区别两种帧封装格式:802标准帧和以太网帧 1,在802标准定义的帧格式中,长度字段是指它后续数据的字节长度,但不包括C R C检验 ...

  7. High Performance Browser Networking - TCP UDP TLS

    延迟 定义和标准延迟 延迟简单地说,它是一种转移或信息包从起点到终点,所花费的时间. 延迟=发送延迟+传播延迟+处理延迟+排队延迟: Propagation delay 传播时延 传播时延这个概念.是 ...

  8. 网络-05-端口号-F5-负载均衡设-linux端口详解大全--TCP注册端口号大全备

    [root@test1:Standby] config # [root@test1:Standby] config # [root@test1:Standby] config # [root@test ...

  9. (转)MTU&MSS

    MTU是Maximum Transmission Unit的缩写,意为最大传输单元,通俗的理解就是在网络上传送的最大数据包,单位是字节. 以太网对数据帧的长度都有一个限制,其最大值为1500,这个特性 ...

随机推荐

  1. selenium选择框

    自动化测试中,会遇到选择框,针对该类元素,selenium提供类Select类来处理,使用select类先导入:from selenium.webdriver.support.select impor ...

  2. 【C语言】定义一个函数,求长方体的体积

    #include<stdio.h> int volume(int a, int b,int c)/*定义函数*/ { int p; p = a * b * c; return p; } i ...

  3. DockerToolbox安装docker - Windows 10

    Wiindows安装docker 在转换成linux模式的时候不能使用,只能退而求其次安装Docker ToolBox在windows10中使用docker. 一.前言 由于本机使用的是win10家庭 ...

  4. thinkphp的where 之 or的使用

    需要生成 SELECT * FROM `goods` WHERE ( `goodstype_id` = 2 or `goodstype_id` = 3 ) $where['goodstype_id'] ...

  5. git 多人开发解决步骤

    1.pull -- 开发 -- pull -- 解决冲突(如果有) -- commit -- push   (PS 老子今天很烦躁)    

  6. 优化 : Oracle数据库Where条件执行顺序 及Where子句的条件顺序对性能的影响

    .Oracle数据库Where条件执行顺序: 由于SQL优化起来比较复杂,并且还会受环境限制,在开发过程中,写SQL必须必须要遵循以下几点的原则: 1.ORACLE采用自下而上的顺序解析WHERE子句 ...

  7. 概率 dp lightoj 1395

    dp[k]用类似于低配版的这道题的做法求出,如下: 然后就从k逆推到0就好了 #include<bits/stdc++.h> using namespace std; ; double d ...

  8. Flask的基本使用

    最基本的一个Flask模板,实现本地9898端口访问,页面返回hello world from flask import Flask app = Flask(__name__) @app.route( ...

  9. yii2自定义报错页面

    在Yii2版本的advanced高级模板环境中:设置404自定义页面的方法 1.config/main.php文件 'errorHandler' => [ 'errorAction' => ...

  10. JS中constructor属性

    constructor属性用于对当前对象的构造函数的引用.可以用来判断对象的类型: <script> var newStr = new String("One world One ...