Cisco Pix and MSS Question
Happy holidays all. I hope this isn't too off topic, but I am puzzled on how to proceed. I have a client that is running a web server (Sun One) that cannot be accessed by various folks. This just started happening about 2 months ago. What I have found is that the users being affected are behind a Cisco Pix that was recently upgraded to 7.0.1. Apparently, according to Cisco's website (http://www.cisco.com/warp/public/110/pix-asa-70-browse.pdf ), the MSS value is being incorrectly sent by the web server. When this happens, of course, the site appears inaccessible. My question is: what is the correct fix for this from the server's configuration? Or should I be setting MTUs below the standard to try and correct this? Sorry if this has been discussed previously; I hadn't seen it. Thanks very much, in advance -Joe Blanchard
joej wrote:
I have a client that is running a web server (Sun One) that cannot be accessed by various folks. This just started happening about 2 months ago. What I have found is that the users being affected are behind a Cisco Pix that was recently upgraded to 7.0.1. Apparently, according to Cisco's website (http://www.cisco.com/warp/public/110/pix-asa-70-browse.pdf ), the MSS value is being incorrectly sent by the web server. When this happens, of course, the site appears inaccessible. My question is: what is the correct fix for this from the server's configuration?
7.x by default will drop any packets that exceed the advertised MSS. If you can push onward to 7.2 there's an ASDM "checkbox" to change that behavior. Prior to that there is a page in there somewhere that describes doing a service policy map for all TCP connections and allowing the MSS exception. (I don't have it right off the top of my head, but recall seeing this before.) There's a specific syslog message related to dropping packets that exceed the MSS. Ahh... bless Google. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note0918... It's rather long-winded (Cisco insisting that exceeding MSS is broken, while there are a fair number of sites that are "broken" by those standards), since they are suggesting you track down and validate the "broken" sites and make specific exceptions, but you can also set the access list to 'any any'. Jeff
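For reference, here is what the "service policy for all TCP connections with the MSS exception" that Jeff describes looks like on the PIX/ASA 7.x command line. This is an added example, not configuration from either poster or from the Cisco document; the object names (mss-exempt, mss-class, mss-map) are assumed, and global_policy is the default policy map that ships on 7.x. The access list is the 'any any' variant Jeff mentions; the Cisco note's stricter form would instead match only the server(s) you have validated.

```cisco
! Added example, not from the original thread. Names are assumed.
! Match every TCP connection (the 'any any' approach); replace with
! the specific server address to make a narrower exception.
access-list mss-exempt extended permit tcp any any
!
class-map mss-class
 match access-list mss-exempt
!
! Default on 7.x is 'exceed-mss drop'; this allows segments larger
! than the MSS the peer advertised instead of silently dropping them.
tcp-map mss-map
 exceed-mss allow
!
! Attach the tcp-map to the matching traffic inside the global policy.
policy-map global_policy
 class mss-class
  set connection advanced-options mss-map
!
service-policy global_policy global
```

After applying it, the affected users' connections to the server should complete; confirm with show service-policy that the class is being hit. Keep in mind that exceed-mss allow relaxes one of the TCP normalizer's checks for every flow the class matches, so the narrower access list is the better long-term setting once the "broken" servers are known.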
participants (2)
- Jeff Kell
- joej