Cisco ASA - What is the 'MSS Exceeded' ASP Feature?
PIX and ASA platforms running software 7.0 or later include a TCP normalization check that drops any TCP segment whose payload is larger than the MSS the receiving side announced during the 3-way handshake.
During the 3-way handshake each side announces its MSS (Maximum Segment Size) as a TCP option on its SYN or SYN/ACK. The MSS is the largest TCP payload that host is prepared to accept, normally the MTU minus 40 bytes for the IPv4 and TCP headers (1460 bytes on a standard 1500-byte Ethernet link).
Once the handshake completes, each side should only send segments whose payload is no larger than the MSS its peer announced. The two values are independent: if a client advertises 1380 and a server advertises 1460, the server must keep its segments to 1380 bytes while the client may send up to 1460.
Note: not all hosts adhere to this. Some web servers, for example, send segments larger than the MSS the client announced, which can lead to fragmentation and, on a poorly written receiver, buffer overruns. PIX/ASA 7.0 and higher drop such segments by default.
Confirm blocked Traffic
To confirm that your firewall is dropping this traffic you can:
- Search the logs for "MSS exceeded" (syslog message %ASA-4-419001 reports the source and destination of the dropped segment together with the announced MSS and the actual data size, so it also tells you which host is misbehaving)
- Run the command 'show asp drop' and look for the TCP MSS exceeded drop counter
Disabling the MSS exceeded check
To disable this check and allow segments that exceed the announced MSS, configure a tcp-map with 'exceed-mss allow' and apply it to the matching traffic through the Modular Policy Framework, using the following syntax:
(config)# access-list MSS_Exceeded_ACL permit tcp any any
(config)# class-map MSS_Exceeded_MAP
(config-cmap)# match access-list MSS_Exceeded_ACL
(config)# tcp-map mss-map
(config-tcp-map)# exceed-mss allow
(config)# policy-map global_policy
(config-pmap)# class MSS_Exceeded_MAP
(config-pmap-c)# set connection advanced-options mss-map
Please note that because the access-list permits tcp any any, the above allows oversized segments on every TCP connection through the firewall, i.e. it turns the check off globally. If only one or two servers misbehave, narrow the access-list to those hosts so the protection stays in force for everything else. The policy only takes effect because global_policy is applied with 'service-policy global_policy global', which is the default on the ASA.
You can confirm the tcp-map is in place by running 'show run all tcp-map' (the 'all' keyword also prints the defaults, so a tcp-map that still drops will show 'exceed-mss drop') and 'show run policy-map' to check that the class and advanced-options are attached.
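As an added example (not from the original post or from Cisco), the following Python script ties the two halves of this page together: it parses %ASA-4-419001 "MSS exceeded" syslog lines to find which hosts are sending segments larger than the MSS their peer announced, then drafts the same tcp-map exception as above but scoped to those hosts instead of 'permit tcp any any'. The log lines are constructed for the example, the field layout of message 419001 is assumed and should be checked against your own ASA's output, and the ACL, class-map and tcp-map names are arbitrary.

```python
"""Triage ASA 'MSS exceeded' drops from syslog and draft a scoped exception.

Added example, not code from the original post. Assumptions: the syslog lines
follow the %ASA-4-419001 layout shown in SAMPLE_LOG (check against your own
logs), the sample lines are constructed, and the object names are arbitrary.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real captured data). The "from" host is
# the sender of the dropped segment, i.e. the side that ignored its peer's MSS.
SAMPLE_LOG = """\
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 to inside:10.1.1.5/44321, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 to inside:10.1.1.7/50112, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from dmz:192.0.2.20/8080 to inside:10.1.1.5/44400, reason: MSS exceeded, MSS 1260, data 1400
%ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:10.1.1.5/22 by access-group "outside_in"
"""

# Assumed field layout of message 419001 (interface:ip/port pairs, then the
# announced MSS and the offending data length).
LINE_RE = re.compile(
    r"%ASA-\d-419001: Dropping TCP packet from "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_drops(log_text):
    """Return one dict per 419001 'MSS exceeded' line; other messages are ignored."""
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "mss", "data"):
            d[key] = int(d[key])
        d["excess"] = d["data"] - d["mss"]  # bytes over the announced MSS
        drops.append(d)
    return drops


def offenders(drops):
    """Count drops per sending host: the sender is the side that ignored the MSS."""
    return Counter(d["src"] for d in drops)


def scoped_exception_config(sources, acl="MSS_Exceeded_ACL",
                            cmap="MSS_Exceeded_MAP", tmap="mss-map"):
    """Draft ASA config allowing oversized segments only for the given hosts.

    Same structure as the global 'permit tcp any any' version, but the ACL is
    narrowed to host entries so the drop stays enforced for everyone else. Both
    directions are listed because the class-map is evaluated on the connection's
    first packet, and either end may be the one that opened the connection.
    Assumes global_policy is already applied with
    'service-policy global_policy global' (the ASA default).
    """
    lines = []
    for src in sorted(sources):
        lines.append(f"access-list {acl} extended permit tcp host {src} any")
        lines.append(f"access-list {acl} extended permit tcp any host {src}")
    lines += [
        f"class-map {cmap}",
        f" match access-list {acl}",
        f"tcp-map {tmap}",
        " exceed-mss allow",
        "policy-map global_policy",
        f" class {cmap}",
        f"  set connection advanced-options {tmap}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOG)
    counts = offenders(drops)
    for host, n in counts.most_common():
        print(f"{host}: {n} dropped segment(s)")
    print(scoped_exception_config(counts))
```

Treat the printed config as a draft to review before applying it: the host list comes straight from the logs, so an attacker who can trigger 419001 drops from an address should not automatically earn an exception for it, and a host that exceeds the MSS by a large margin may be worth fixing rather than exempting.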