Happy holidays all.
I hope this isn't too off topic, but am puzzled on how to proceed.
I have a client that is running a web server (Sun One) that cannot
be accessed by various folks. This just started happening about 2 months
ago. What I have found is that the users being affected are behind a
Cisco Pix that was recently upgraded to 7.0.1 Apparently, according to
Cisco's website (http://www.cisco.com/warp/public/110/pix-asa-70-browse.pdf )
the MSS value is being incorrectly sent by the web server. When
this happens of course the site appears in accessible. My question
is what is the correct fix to this from the servers configuration?
Or should I be setting MTUs below the standard to try and correct this?
Sorry if this has been discussed previously, I hadn't seen it.
I have a client that is running a web server (Sun One) that cannot
be accessed by various folks. This just started happening about 2 months
ago. What I have found is that the users being affected are behind a
Cisco Pix that was recently upgraded to 7.0.1 Apparently, according to
Cisco's website (Networking, Cloud, and Cybersecurity Solutions - Cisco )
the MSS value is being incorrectly sent by the web server. When
this happens of course the site appears in accessible. My question
is what is the correct fix to this from the servers configuration?
7.x by default will drop any packets that exceed the advertised MSS.
If you can push onward to 7.2 there's an ADSM "checkbox" to change that
behavior.
Prior to that there is a page in there somewhere that describes doing a
service policy map for all tcp connections and allow the MSS exception.
(I don't have it right off the top of my head, but recall seeing this
before).
There's a specific syslog message related to dropping packets that
exceed the MSS.
Ahh... bless google.
It's rather long winded (Cisco insisting that exceeding MSS is broken,
while there are a fair number of sites that are "broken" by those
standards) since they are suggesting you track down and validate the
"broken" sites and make specific exceptions, but you can also set the
access list to 'any any'.