<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Networking Reviews</title>
	<atom:link href="https://www.networkingreviews.com/tag/ftp-asa/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.networkingreviews.com</link>
	<description></description>
	<lastBuildDate>Fri, 29 Feb 2008 21:19:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>
	<item>
		<title>FTP Disconnects Through Cisco ASA Firewall. MSS Exceeded Problem.</title>
		<link>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/</link>
					<comments>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/#respond</comments>
		
		<dc:creator><![CDATA[Admin]]></dc:creator>
		<pubDate>Fri, 29 Feb 2008 21:19:22 +0000</pubDate>
				<category><![CDATA[Troubleshooting]]></category>
		<category><![CDATA[ftp asa]]></category>
		<category><![CDATA[ftp cisco firewall]]></category>
		<category><![CDATA[ftp pix asa firewall]]></category>
		<guid isPermaLink="false">https://www.networkingreviews.com/blog/2008/02/29/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/</guid>

					<description><![CDATA[Each TCP device on a network has an associated &#8216;ceiling&#8217; on TCP Data Size, called the MSS (Maximum Segment Size). The TCP MSS is negotiated between two communicating devices via the TCP SYN and SYN-ACK packets. After this negotiation, each TCP device must comply with the advertised MSS of the peer device, and should not [&#8230;]]]></description>
										<content:encoded><![CDATA[<p>Each TCP device on a network has an associated &#8216;ceiling&#8217; on TCP Data Size, called the MSS (Maximum Segment Size). The TCP MSS is negotiated between two communicating devices via the TCP SYN and SYN-ACK packets. After this negotiation, each TCP device must comply with the advertised MSS of the peer device, and should not send data on the segment that is larger than the advertised MSS of the device to which it is sending.</p>
<p>Unfortunately, there are cases that even if the two TCP endpoints negotiate a certain size of TCP MSS, one of the devices sends data to the other device which is larger than the MSS. With the new version of the Cisco ASA (or PIX) firewall with software version 7.x and up, the above situation is not accepted by the firewall which drops the packets that do not adhere to the negotiated MSS size. The firewall does this to protect the devices from buffer overflow attacks.</p>
<p>The problem addressed here is when an FTP Client located on the INSIDE of a Cisco ASA firewall, can not access an FTP Server machine located on the OUTSIDE of the firewall, as shown on the diagram below. The same problem can also happen with any TCP application (e.g HTTP), not just FTP.</p>
<p align="center"><img fetchpriority="high" decoding="async" src="/images/asa-mss.jpg" alt="ASA MSS Exceeded" width="427" height="148" /></p>
<p><span id="more-13"></span>The initial firewall configuration is as following</p>
<p>pixfirewall(config)#<strong>interface Ethernet0</strong><br />
pixfirewall(config-if)#<strong>speed 100</strong><br />
pixfirewall(config-if)#<strong>duplex full</strong><br />
pixfirewall(config-if)#<strong>nameif outside</strong><br />
pixfirewall(config-if)#<strong>security-level 0</strong><br />
pixfirewall(config-if)#<strong>ip address 192.168.9.30 255.255.255.0</strong><br />
pixfirewall(config-if)#<strong>exit</strong><br />
pixfirewall(config)#<strong>interface Ethernet1</strong><br />
pixfirewall(config-if)#<strong>speed 100</strong><br />
pixfirewall(config-if)#<strong>duplex full</strong><br />
pixfirewall(config-if)#<strong>nameif inside</strong><br />
pixfirewall(config-if)#<strong>security-level 100</strong><br />
pixfirewall(config-if)#<strong>ip address 10.0.0.1 255.255.255.0</strong><br />
pixfirewall(config-if)#<strong>exit</strong><br />
pixfirewall(config)#<strong>global (outside) 1 interface</strong><br />
pixfirewall(config)#<strong>nat (inside) 1 10.0.0.0 255.0.0.0</strong><br />
pixfirewall(config)#<strong>route outside 0.0.0.0 0.0.0.0 192.168.9.2 1</strong></p>
<p>The problem is observed when looking at the logs of the firewall:<br />
<!--adsense--><br />
Show log:</p>
<p><strong>Sep 19 2007 06:55:58: %ASA-4-419001: Dropping TCP packet from INSIDE:10.0.0.2/38003 to OUTSIDE:192.168.9.2/21, reason: MSS exceeded, MSS 1390, data 1460</strong></p>
<p>The log output above shows that the FTP client and server negotiated an MSS value of 1390, but the data sent is 1460, therefore the firewall drops the packet.</p>
<p>There are two solutions for the MSS exceeded problem, one which can be applied globally on the ASA firewall, and one which can be applied for the specific connection only:</p>
<p><strong><span style="text-decoration: underline;">Solution A (Applied Globally on Firewall)</span></strong></p>
<p>There is a global command on the ASA firewall with which you can override the MSS value negotiated between the TCP devices. This command is shown below:</p>
<p>firewall(config)#<strong>sysopt connection tcpmss</strong> [<strong>minimum</strong>]<strong> </strong>bytes</p>
<p>The <strong>[minimum]</strong> keyword overrides the maximum segment size negotiated between the two devices to be no less than <span style="text-decoration: underline;">&#8216;bytes&#8217;</span>. So to solve the problem above, configure the following:</p>
<p>firewall(config)#<strong>sysopt connection tcpmss</strong> <strong>minimum</strong> 1460</p>
<p>This will force the two devices to negotiate an MSS value to be no less than 1460, therefore the data sent can go through with no problems.</p>
<p><strong><span style="text-decoration: underline;">Solution B (Applied on the specific connection only)</span></strong></p>
<p>The second workaround solution uses an access-list, a class map and a tcp-map to identify the specific FTP traffic between the client and the server, and allow the MSS to be exceeded only for this specific connection.</p>
<p>The configuration commands are shown below:</p>
<p>pixfirewall(config)#<strong>access-list ftp-list permit tcp host 10.0.0.2 host 192.168.9.2</strong><br />
pixfirewall(config)#<br />
pixfirewall#<strong>configure terminal</strong><br />
pixfirewall(config)#<br />
pixfirewall(config)#<strong>class-map ftp-map</strong><br />
pixfirewall(config-cmap)#<strong>match access-list ftp-list</strong><br />
pixfirewall(config-cmap)#<strong>exit</strong><br />
pixfirewall(config)#<strong>tcp-map mss-map</strong><br />
pixfirewall(config-tcp-map)#<strong>exceed-mss allow</strong><br />
pixfirewall(config-tcp-map)#<strong>exit</strong><br />
pixfirewall(config)#<strong>policy-map ftp-map</strong><br />
pixfirewall(config-pmap)#<strong>class ftp-map</strong><br />
pixfirewall(config-pmap-c)#<strong>set connection advanced-options mss-map</strong><br />
pixfirewall(config-pmap-c)#<strong>exit</strong><br />
pixfirewall(config-pmap)#<strong>exit</strong><br />
pixfirewall(config)#<strong>service-policy ftp-map interface outside</strong><br />
pixfirewall#</p>
<p>The configuration above will allow the MSS to be exceeded only between the FTP client and FTP server connections.</p>
<p style="text-align: center;"><strong>If you want to learn how to configure and implement any Cisco ASA 5500 v7.x and v8.x Firewall, check out the following excellent Book:</strong></p>
<p style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/download.jpg" alt="download" width="116" height="111" /></a></p>
<p style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/Cisco-Firewall-Fundamentals.png" alt="Cisco ASA Firewall eBook" width="330" height="300" /></a></p>
<p><strong><span style="text-decoration: underline;">Whats Included in the eBook</span></strong></p>
<table border="0">
<tbody>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Getting Started with Cisco Firewalls (User Interface, Access Modes)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>File Management</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Security Levels (Traffic Flow between Security Levels)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Basic Firewall Configuration (Basic Configuration Steps)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring Network Address Translation (NAT, PAT, Static NAT, Port Redirection)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Using Access Control Lists (ACLs)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Controlling Inbound and Outbound Traffic with ACLs</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>ACL Object Groups</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring VLANs and Subinterfaces</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>IPSEc VPNs (site-to-site VPN, Remote Access VPN, VPN client)</td>
</tr>
<tr>
<td><img decoding="async" src="https://www.networkingreviews.com/images/asaebook/checkbox.jpg" alt="" /></td>
<td>Configuring Active/Standby Stateful Failover</td>
</tr>
</tbody>
</table>
<h4 style="text-align: center;"><a href="http://www.cisco-tips.com/ciscoasaebook.php" target="_self" rel="noopener"><strong><span style="color: #ff0000;">GET YOUR EBOOK HERE</span></strong></a></h4>
]]></content:encoded>
					
					<wfw:commentRss>https://www.networkingreviews.com/ftp-disconnects-through-cisco-asa-firewall-mss-exceeded-problem/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
