
PIX/ASA 7.0 Issue: MSS Exceeded - HTTP Clients Cannot Browse to Some Web Sites

Document ID: 65436

Contents

  Introduction
  Prerequisites
  Requirements
  Components Used
  Related Products
  Conventions
  Configure
  Network Diagram
  PIX Security Appliance 7.0 Configuration
  Troubleshoot
  Workaround
  Verify
  Related Information

Introduction

This document addresses the problem where some websites are not accessible through a PIX or Adaptive Security Appliance (ASA) that runs 7.0 or later code. The 7.0 release introduces several new security enhancements, one of which is a check that TCP endpoints adhere to the advertised Maximum Segment Size (MSS).

In a normal TCP session, the client sends a SYN packet to the server, with the MSS included within the TCP options of the SYN packet. The server, upon receipt of the SYN packet, should recognize the MSS value sent by the client and then send its own MSS value in the SYN-ACK packet. Once both the client and the server are aware of each other's MSS, neither peer should send a packet to the other that is greater than that peer's MSS.

A few HTTP servers on the Internet have been found that do not honor the MSS that the client advertises. As a result, the HTTP server sends data packets to the client that are larger than the advertised MSS. Before release 7.0, these packets were allowed through the PIX Security Appliance. With the security enhancement included in the 7.0 software release, these packets are dropped by default.

This document is designed to assist the PIX/ASA Security Appliance administrator in the diagnosis of this problem and the implementation of a workaround to allow the packets that exceed the MSS.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco PIX 525 Security Appliance that runs 7.0.1 software. The information in this document was created
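The MSS rule described in the Introduction can be checked offline against captured TCP segments. The following is an added example, not part of the original Cisco document and not the appliance's own logic; the function names, ports and MSS values are constructed, and endpoints are keyed by port only because the sample holds a single flow.

```python
import struct

def tcp_segment(sport, dport, flags, payload=b"", mss=None):
    """Build a constructed TCP segment (no IP layer, checksum left at 0)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, ((20 + len(opts)) // 4) << 4, flags, 65535, 0, 0)
    return hdr + opts + payload

def parse_mss(segment):
    """Return the MSS option (kind 2, length 4) from a TCP header, or None."""
    opts, i = segment[20:(segment[12] >> 4) * 4], 0
    while i + 1 < len(opts) and opts[i] != 0:    # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, a single byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if length < 2:                           # malformed option, stop parsing
            break
        if kind == 2 and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def find_mss_violations(segments):
    """Return (index, sender_port, payload_len, receiver_mss) per oversized segment."""
    advertised, violations = {}, []              # port -> MSS that endpoint advertised
    for idx, seg in enumerate(segments):
        sport, dport = struct.unpack("!HH", seg[:4])
        if seg[13] & 0x02:                       # SYN or SYN-ACK carries the MSS option
            mss = parse_mss(seg)
            advertised[sport] = mss if mss is not None else 536  # RFC 1122 IPv4 default
            continue
        payload_len = len(seg) - (seg[12] >> 4) * 4
        limit = advertised.get(dport)            # sender must honor the receiver's MSS
        if limit is not None and payload_len > limit:
            violations.append((idx, sport, payload_len, limit))
    return violations

# Constructed flow: client port 40000 advertises MSS 1380, server port 80 advertises 1460.
SAMPLE = [
    tcp_segment(40000, 80, 0x02, mss=1380),      # SYN
    tcp_segment(80, 40000, 0x12, mss=1460),      # SYN-ACK
    tcp_segment(40000, 80, 0x10),                # ACK
    tcp_segment(40000, 80, 0x18, b"G" * 300),    # HTTP request
    tcp_segment(80, 40000, 0x10, b"D" * 1380),   # data within the client's MSS
    tcp_segment(80, 40000, 0x10, b"D" * 1460),   # data larger than the client's MSS
]
```

Only the last segment is reported: the server sent 1460 bytes of data to a client that advertised an MSS of 1380, which is the condition the 7.0 check drops by default.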
