Cisco ASA - What is the 'MSS Exceeded' ASP Feature?


PIX or ASA running 7.0 or later introduced a security feature in which any TCP segment carrying a payload larger than the MSS announced during the 3-way handshake is dropped.
During the 3-way handshake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can accept (normally the MTU minus 40 bytes for the IP and TCP headers).
Once each side has announced its MSS, neither end should send segments with a payload larger than the smallest MSS value announced within the 3-way handshake.

Note : Not all web servers adhere to this and can send segments with a payload larger than what the client can accept, which can cause buffer overruns and fragmentation issues. PIX/ASA 7.0 (and higher) blocks such behaviour by default.
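To make the check concrete, the following Python script is an added example (not from the original article and not Cisco's implementation): it parses the MSS option (kind 2) out of raw TCP headers, records the smallest MSS announced by either side during the handshake, and then flags any later segment whose payload exceeds that limit, which is the condition the firewall reports as "MSS Exceeded". The segments are constructed inline with a small helper; connections are keyed on the port pair only because no IP headers are built, which is a simplification of this example, and the 536-byte fallback for a SYN with no MSS option follows RFC 1122.

```python
import struct
from typing import Dict, List, Optional, Tuple

MSS_OPTION_KIND = 2
SYN, ACK, PSH = 0x02, 0x10, 0x08
DEFAULT_MSS = 536  # RFC 1122 default when a SYN carries no MSS option


def build_tcp(sport: int, dport: int, flags: int,
              mss: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Construct a minimal TCP segment (no IP header) for the demo below.

    Sequence/ack numbers and checksum are zero; only fields the detector
    reads (ports, data offset, flags, MSS option, payload) are meaningful.
    """
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)  # kind, len, MSS
    header_len = 20 + len(options)
    data_offset_byte = (header_len // 4) << 4  # upper nibble = header words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset_byte, flags, 65535, 0, 0)
    return header + options + payload


def parse_mss_option(segment: bytes) -> Optional[int]:
    """Return the MSS advertised in the segment's TCP options, or None."""
    data_offset = (segment[12] >> 4) * 4
    options = segment[20:data_offset]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding, single byte
            i += 1
            continue
        length = options[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


class MssExceededDetector:
    """Tracks the negotiated MSS per connection and flags oversized payloads."""

    def __init__(self) -> None:
        # (low_port, high_port) -> smallest MSS announced in the handshake
        self.announced: Dict[Tuple[int, int], int] = {}

    def observe(self, segment: bytes) -> Optional[str]:
        sport, dport = struct.unpack("!HH", segment[:4])
        flags = segment[13]
        data_offset = (segment[12] >> 4) * 4
        payload_len = len(segment) - data_offset
        key = (min(sport, dport), max(sport, dport))  # simplification: ports only

        if flags & SYN:
            # SYN and SYN/ACK each announce an MSS; keep the smaller of the two.
            mss = parse_mss_option(segment)
            if mss is None:
                mss = DEFAULT_MSS
            self.announced[key] = min(self.announced.get(key, mss), mss)
            return None

        limit = self.announced.get(key)
        if limit is not None and payload_len > limit:
            return (f"MSS Exceeded: {sport}->{dport} payload {payload_len} bytes "
                    f"> announced MSS {limit}")
        return None


def run_demo() -> List[str]:
    """Constructed flow: client announces 1380, server announces 1460.

    The server's 1380-byte segment is within the smaller announced MSS; its
    1460-byte segment exceeds it and is the one the detector flags.
    """
    detector = MssExceededDetector()
    flow = [
        build_tcp(40000, 80, SYN, mss=1380),                      # client SYN
        build_tcp(80, 40000, SYN | ACK, mss=1460),                # server SYN/ACK
        build_tcp(40000, 80, ACK),                                # handshake done
        build_tcp(80, 40000, ACK | PSH, payload=b"A" * 1380),     # allowed
        build_tcp(80, 40000, ACK | PSH, payload=b"B" * 1460),     # flagged
    ]
    return [v for v in (detector.observe(s) for s in flow) if v]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running the script prints one verdict for the 1460-byte segment. The same logic can be pointed at real captures by feeding it the TCP layer of each packet, with the connection key extended to include the IP addresses.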

Confirm blocked Traffic

To confirm that your firewall is blocking this traffic you can:

  1. Search the logs for "MSS Exceeded"
  2. Run the command 'sh asp drop'

Disable/Enable MSS exceed

To disable this feature and allow traffic whose payload exceeds the announced MSS, use the following syntax:

(config)# access-list MSS_Exceeded_ACL permit tcp any any
(config)# class-map MSS_Exceeded_MAP
(config-cmap)# match access-list MSS_Exceeded_ACL
(config-cmap)# exit
(config)# tcp-map mss-map
(config-tcp-map)# exceed-mss allow
(config-tcp-map)# exit
(config)# policy-map global_policy
(config-pmap)# class MSS_Exceeded_MAP
(config-pmap-c)# set connection advanced-options mss-map
(config-pmap-c)# end

Please note that the above configuration allows MSS-exceeded traffic globally, because the class is added to global_policy.
You can confirm that the setting is in place by running the command sh run all tcp-map

Tags: ASA

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001