  • Status: Solved

Getting MSS Exceed error on PIX 525

Hi,

I am troubleshooting a QuickTime Streaming server which is behind our PIX 525 firewall.
A few clients are having trouble connecting to the server due to, I believe, multiple issues with our configuration.

However, I have been watching the logs as one client in particular tries to connect, and the PIX is dropping his TCP packets with the following message:

419001: Dropping TCP packet from External-DMZ:StreamSvr/554 to Outside:69.227.44.44/33731, reason: MSS exceeded, MSS 1400, data 1402

Does anyone know why this is happening? I found an article from Cisco describing that error dealing with HTTP servers... Though the workaround does not make much sense to me.

Thank you for your help.
Asked by: FCCCHURCH
 
lrmoore Commented:
What version PIX OS on the 525? Was it upgraded to ver 7.0?
Have you seen this one?
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

 
FCCCHURCH (Author) Commented:
Yes, it was upgraded to v 7.1(1).

That's the article I saw. It doesn't make much sense to me, though; since I'm new at Cisco firewalls, I'm not surprised. Is there a way to accomplish this through the ASDM?

Or perhaps an alternate method? From what I've read, it seems that this is a feature that was enabled by default in 7.0 but was not default in earlier versions... Can I just disable the feature?

 
lrmoore Commented:
Unfortunately, it is not a feature that you can turn on/off; it is simply the behavior of the beast, and the article provides a workaround using a policy map to allow these MSS packets.
7.1.1 was very short-lived, with 7.12 released already and 7.21 out also.
I would certainly update 7.11 to 7.12 and create the policy map as outlined in the article.
 
FCCCHURCH (Author) Commented:
Will do.

What are the ramifications of upgrading to 7.21 instead of 7.12?
 
lrmoore Commented:
Check out this thread
http://www.experts-exchange.com/Security/Firewalls/Q_21878837.html#16858904

Apparently the newest ASDM is pretty cool. I'm looking forward to upgrading my 515 tomorrow just to check it out.
 
FCCCHURCH (Author) Commented:
Interesting, thanks for the help!
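
A triage script for the 419001 drops discussed in this thread, added here as an example (it is not code from the posters or from Cisco). It parses the message format quoted in the question and groups drops by sending endpoint, so you can see which server port is affected, which peers advertised which MSS, and by how many bytes the segments exceeded it before scoping any exception. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Field layout follows the 419001 line quoted in the question.
DROP_RE = re.compile(
    r"419001: Dropping TCP packet from "
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

# Sample input: line 1 is the line from the question; the rest are constructed.
SAMPLE_LOG = """\
419001: Dropping TCP packet from External-DMZ:StreamSvr/554 to Outside:69.227.44.44/33731, reason: MSS exceeded, MSS 1400, data 1402
419001: Dropping TCP packet from External-DMZ:StreamSvr/554 to Outside:203.0.113.20/40112, reason: MSS exceeded, MSS 1380, data 1402
419001: Dropping TCP packet from External-DMZ:StreamSvr/554 to Outside:69.227.44.44/33731, reason: MSS exceeded, MSS 1400, data 1402
999999: constructed unrelated line that the parser must skip
"""

def parse_drop(line):
    """Return the fields of one 'MSS exceeded' drop as a dict, or None."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "mss", "data"):
        d[key] = int(d[key])
    d["overshoot"] = d["data"] - d["mss"]  # bytes beyond the peer's advertised MSS
    return d

def summarize(lines):
    """Group drops by sending endpoint: drop count, peers, MSS values, worst overshoot."""
    out = defaultdict(lambda: {"drops": 0, "peers": set(), "mss": set(), "max_overshoot": 0})
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        s = out[(d["src_if"], d["src"], d["sport"])]
        s["drops"] += 1
        s["peers"].add(d["dst"])
        s["mss"].add(d["mss"])
        s["max_overshoot"] = max(s["max_overshoot"], d["overshoot"])
    return dict(out)

if __name__ == "__main__":
    for sender, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(sender, stats)
```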