[93771] in North American Network Operators' Group


Re: Cisco Pix and MSS Question

daemon@ATHENA.MIT.EDU (Jeff Kell)
Fri Dec 22 18:29:25 2006

Date: Fri, 22 Dec 2006 18:28:30 -0500
From: Jeff Kell <jeff-kell@utc.edu>
To: joej@rocknyou.com
Cc: nanog@nanog.org
In-Reply-To: <dc94f7808f912a822696ce5b03e64f12@rocknyou.com>
Errors-To: owner-nanog@merit.edu


joej wrote:
> I have a client that is running a web server (Sun One) that cannot
> be accessed by various folks. This just started happening about 2 months
> ago. What I have found is that the users being affected are behind a
> Cisco Pix that was recently upgraded to 7.0.1. Apparently, according to
> Cisco's website (http://www.cisco.com/warp/public/110/pix-asa-70-browse.pdf )
> the MSS value is being incorrectly sent by the web server. When
> this happens of course the site appears inaccessible. My question
> is what is the correct fix to this from the server's configuration?

7.x by default will drop any packets that exceed the advertised MSS.

If you can push onward to 7.2 there's an ASDM "checkbox" to change that
behavior.

Prior to that there is a page in there somewhere that describes doing a
service policy map for all tcp connections and allow the MSS exception. 
(I don't have it right off the top of my head, but recall seeing this
before).

There's a specific syslog message related to dropping packets that
exceed the MSS.

Ahh... bless Google.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

It's rather long-winded (Cisco insisting that exceeding MSS is broken,
while there are a fair number of sites that are "broken" by those
standards) since they are suggesting you track down and validate the
"broken" sites and make specific exceptions, but you can also set the
access list to 'any any'.

Jeff
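The service-policy workaround Jeff describes, written out as an added configuration example for PIX 7.x (this is not from the original post or from Cisco's tech note; the ACL, class-map, tcp-map and policy-map names, the server address 192.0.2.10 and the interface name "outside" are assumptions):

```cisco
! Added example: exempt one web server from the TCP normalizer's
! MSS-exceeded drop on PIX/ASA 7.x. Names and addresses below are
! constructed for illustration, not taken from the original post.
!
! Drops caused by this check show up in syslog as
!   %PIX-4-419001: Dropping TCP packet ... reason: MSS exceeded
! so the syslog server is the place to confirm this is the problem
! before relaxing the check.
!
! Scope the exception to the misbehaving server only. Replacing this
! with 'permit tcp any any' (as mentioned in the reply) disables the
! MSS check for every TCP flow matched by the service policy.
access-list mss-exempt-acl extended permit tcp any host 192.0.2.10 eq www
!
class-map mss-exempt-class
 match access-list mss-exempt-acl
!
! The tcp-map holds TCP normalizer options; 'exceed-mss allow' passes
! segments larger than the advertised MSS instead of dropping them.
tcp-map mss-allow-tcpmap
 exceed-mss allow
!
policy-map mss-exempt-policy
 class mss-exempt-class
  set connection advanced-options mss-allow-tcpmap
!
! Apply on the interface facing the server; the policy matches the
! flow in both directions once the connection is built.
service-policy mss-exempt-policy interface outside
```

After applying, `show service-policy interface outside` lists the class and tcp-map, and the 419001 messages for that server should stop appearing.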

