Cisco ASA – What is the ‘MSS Exceeded’ ASP Feature ?


PIX or ASA running 7.0 or later introduced a security feature in which any TCP packet carrying a payload larger than the MSS announced during the 3-way handshake will be dropped.
During the 3-way handshake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can accept (normally the MTU minus 40 bytes for the IP and TCP headers).
Once each side has announced its MSS, either end should send packets whose payload is no larger than the smaller of the two MSS values announced within the 3-way handshake.

Note: Not all web servers adhere to this and can send packets with a payload larger than what the client can accept, which can cause buffer overruns and fragmentation issues. PIX/ASA 7.0 (and higher) blocks such behaviour by default.
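To make the check concrete, here is a small Python model of it. This is an added example, not Cisco code: it pulls the MSS option out of each side's SYN / SYN-ACK option bytes, takes the smaller of the two values, and classifies data segments by payload length the way the firewall does. The handshake option bytes are constructed, and treating a missing MSS option as 536 (the RFC 1122 default) is an assumption of this model, not documented ASA behaviour.

```python
"""Model of the ASA 'MSS exceeded' check (added example, not Cisco code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value used when a side sends no MSS option. 536 is the RFC 1122 default for
# IPv4 senders; whether the ASA uses the same fallback is an assumption here.
DEFAULT_MSS = 536


def mss_for_mtu(mtu: int) -> int:
    """MSS a host normally announces: link MTU minus the 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40


def parse_mss_option(options: bytes) -> Optional[int]:
    """Walk a TCP options field and return the MSS value, or None if absent.

    Option encoding: kind 0 ends the list, kind 1 is a one-byte NOP, every other
    option is kind, length, data. MSS is kind 2 with length 4 (RFC 9293).
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length at offset %d" % i)
        if kind == 2:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


@dataclass
class Connection:
    """MSS values learned from the 3-way handshake, as the firewall records them."""
    client_mss: int
    server_mss: int

    @property
    def effective_mss(self) -> int:
        # Either side may send payloads no larger than the smaller announced value.
        return min(self.client_mss, self.server_mss)

    def check_segment(self, payload_len: int) -> str:
        """'drop' when the payload exceeds the effective MSS, otherwise 'pass'."""
        return "drop" if payload_len > self.effective_mss else "pass"


def connection_from_handshake(syn_options: bytes, synack_options: bytes) -> Connection:
    """Build the connection state from the client SYN and server SYN-ACK option bytes."""
    client = parse_mss_option(syn_options)
    server = parse_mss_option(synack_options)
    return Connection(
        client_mss=client if client is not None else DEFAULT_MSS,
        server_mss=server if server is not None else DEFAULT_MSS,
    )


# Constructed handshake: client on a 1500-byte MTU link (MSS 1460, followed by
# NOP, NOP, SACK-permitted), server announcing a smaller MSS of 1380.
CLIENT_SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
SERVER_SYNACK_OPTIONS = b"\x02\x04\x05\x64"


def classify_segments(payload_lengths: List[int]) -> List[Tuple[int, str]]:
    """Classify each data segment of the constructed connection as (length, verdict)."""
    conn = connection_from_handshake(CLIENT_SYN_OPTIONS, SERVER_SYNACK_OPTIONS)
    return [(n, conn.check_segment(n)) for n in payload_lengths]


if __name__ == "__main__":
    conn = connection_from_handshake(CLIENT_SYN_OPTIONS, SERVER_SYNACK_OPTIONS)
    print("effective MSS:", conn.effective_mss)
    for n, verdict in classify_segments([100, 1380, 1400, 1460]):
        print(f"payload {n:5d} bytes -> {verdict}")
```

With the constructed handshake the effective MSS is 1380, so a 1460-byte payload from a server that ignored the client's smaller announcement is exactly the case the firewall drops.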

Confirm blocked Traffic

To confirm that your firewall is blocking this traffic you can:

  1. Search the logs for “MSS Exceeded”
  2. Run the command ‘sh asp drop’
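The two checks above can be scripted. The following Python is an added example, not Cisco code: it scans syslog lines for the “MSS Exceeded” phrase and pulls out the source, destination and overshoot where the message carries them, and it parses ‘sh asp drop’ output into a per-reason counter. Both sample inputs are constructed; the syslog wording follows the 419001 “Dropping TCP packet … reason: MSS exceeded” format as I recall it, and the counter name mss-exceeded is likewise assumed, so treat the field parsing as best-effort and the phrase match as the reliable part.

```python
"""Scan ASA syslog and 'show asp drop' output for MSS-exceeded drops (added example, not Cisco code)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample syslog lines, not captured from a real device. The scan
# keys only on the 'MSS exceeded' phrase, so a differently worded message is
# still counted, just without the parsed fields.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.25/51514 (10.1.1.25/51514)
%ASA-4-419001: Dropping TCP packet from outside:203.0.113.10/443 to inside:10.1.1.25/51514, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:198.51.100.7/80 to inside:10.1.1.40/49200, reason: MSS exceeded, MSS 1380, data 1400
%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:10.1.1.25/51514 duration 0:00:01 bytes 512 TCP FINs
"""

# Constructed 'sh asp drop' excerpt; the counter names in parentheses are assumed.
SAMPLE_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                1180
  TCP data exceeded MSS (mss-exceeded)                          42
  First TCP packet not SYN (tcp-not-syn)                        17

Last clearing: Never
"""

MSS_EVENT = re.compile(
    r"Dropping TCP packet from (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), reason: MSS exceeded"
    r"(?:, MSS (?P<mss>\d+), data (?P<data>\d+))?"
)

ASP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")


def find_mss_exceeded(lines: Iterable[str]) -> List[dict]:
    """Return one dict per syslog line mentioning 'MSS exceeded', with parsed fields when present."""
    events = []
    for line in lines:
        if "mss exceeded" not in line.lower():
            continue
        event = {"raw": line.rstrip()}
        m = MSS_EVENT.search(line)
        if m:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            if "mss" in event and "data" in event:
                # How far the payload overshot the MSS announced in the handshake.
                event["overshoot"] = int(event["data"]) - int(event["mss"])
        events.append(event)
    return events


def drops_by_source(events: List[dict]) -> Dict[str, int]:
    """Count drops per source host, which shows which servers ignore the announced MSS."""
    return dict(Counter(e["src"] for e in events if "src" in e))


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each ASP drop reason name (the token in parentheses) to its counter."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def mss_exceeded_count(text: str) -> int:
    """Counter for the MSS-exceeded drop reason, 0 when the reason is not listed."""
    return parse_asp_drop(text).get("mss-exceeded", 0)


if __name__ == "__main__":
    events = find_mss_exceeded(SAMPLE_SYSLOG.splitlines())
    for e in events:
        print(f"{e.get('src')} -> {e.get('dst')}: overshoot {e.get('overshoot')} bytes")
    print("drops by source:", drops_by_source(events))
    print("asp mss-exceeded counter:", mss_exceeded_count(SAMPLE_ASP_DROP))
```

A rising mss-exceeded counter with no matching syslog lines usually just means logging for that message is disabled or rate-limited, so check both sources before concluding the feature is idle.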

Disable/Enable MSS exceed

To disable this feature and to allow traffic that exceeds the MSS announced, you will need to use the following syntax:

(config)# access-list MSS_Exceeded_ACL permit tcp any any
(config)# class-map MSS_Exceeded_MAP
(config-cmap)# match access-list MSS_Exceeded_ACL
(config-cmap)# exit
(config)# tcp-map mss-map
(config-tcp-map)# exceed-mss allow
(config-tcp-map)# exit
(config)# policy-map global_policy
(config-pmap)# class MSS_Exceeded_MAP
(config-pmap-c)# set connection advanced-options mss-map
(config-pmap-c)# end

Please note that the above syntax allows MSS-exceeded traffic globally, because the class is added to global_policy.
You can confirm that you have enabled this feature by running the command ‘sh run all tcp-map’.

Rick Donato
