Cisco Pix and MSS Question

Jeff Kell jeff-kell at
Fri Dec 22 23:28:30 UTC 2006

joej wrote:
> I have a client that is running a web server (Sun One) that cannot
> be accessed by various folks. This just started happening about 2 months
> ago. What I have found is that the users being affected are behind a
> Cisco Pix that was recently upgraded to 7.0.1 Apparently, according to
> Cisco's website ( )
> the MSS value is being incorrectly sent by the web server. When
> this happens of course the site appears in accessible. My question
> is what is the correct fix to this from the servers configuration?

7.x by default will drop any packets that exceed the advertised MSS.

If you can push onward to 7.2 there's an ADSM "checkbox" to change that

Prior to that there is a page in there somewhere that describes doing a
service policy map for all tcp connections and allow the MSS exception. 
(I don't have it right off the top of my head, but recall seeing this

There's a specific syslog message related to dropping packets that
exceed the MSS.

Ahh... bless google.

It's rather long winded (Cisco insisting that exceeding MSS is broken,
while there are a fair number of sites that are "broken" by those
standards) since they are suggesting you track down and validate the
"broken" sites and make specific exceptions, but you can also set the
access list to 'any any'.


More information about the NANOG mailing list