[c-nsp] TCP MSS CLAMPING issue

james list jameslist72 at gmail.com
Sun Jan 23 11:10:42 EST 2022


Dear experts,
I have tcp adjust-mss configured on an internet link with an ISP like the
following:

interface GigabitEthernet0/0/0
 description internet WAN link
 ip address x.x.x.x 255.255.255.252
 ip tcp adjust-mss 1436


During DDoS attacks our firewall starts a SYN challenge (acting as a proxy),
and when sniffing traffic over the WAN link I see that the MSS is not adjusted
accordingly by the router.

I suspect the current Cisco implementation does not change the MSS because the
SYN-ACK does not contain the MSS option.

Questions:
1) Do you know if this is the correct behaviour? I cannot find
anything official (ASR1k IOS 16.3.7) on www.cisco.com... if you know of
something, please share the URL.
2) Any suggestion as to whether there is a way to set the MSS on the ASR1k when
it is not received in the SYN-ACK from the server...

The impact is that the client then does not reduce the segment, and in the end
the issue comes once the certificate is being exchanged in the TLS session...

Thanks in advance

Cheers
James
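The following is an added worked example and is not part of James's post nor Cisco's implementation. It models the behaviour James suspects: an MSS clamp that rewrites a TCP MSS option only when the option is present in a SYN or SYN-ACK, and never inserts one. The option parsing follows the standard TCP option encoding (kind 0 = EOL, kind 1 = NOP, kind 2 = MSS with length 4); the packet samples, the 1436 clamp value taken from the posted config, and the names `parse_options`, `clamp_mss` and `audit_handshake` are constructed for this example. Running it over a constructed handshake shows how a proxy's SYN-ACK without an MSS option passes through unclamped, which is the condition a capture on the WAN link should be checked for.

```python
import struct

EOL, NOP, MSS_KIND = 0, 1, 2

def parse_options(opts: bytes):
    """Return a list of (kind, offset, data) for each TCP option in raw option bytes.

    Single-byte kinds (EOL, NOP) carry no length field; all others are
    kind, length, data with length covering the whole option.
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:            # end of option list; rest is padding
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        out.append((kind, i, opts[i + 2:i + length]))
        i += length
    return out

def clamp_mss(opts: bytes, clamp: int):
    """Model of an MSS clamp (assumption: rewrite-only, never insert).

    Returns (new_option_bytes, mss_seen). mss_seen is None when the segment
    carries no MSS option, in which case the bytes are returned unchanged.
    A real device would also recompute the TCP checksum after the rewrite.
    """
    for kind, off, data in parse_options(opts):
        if kind == MSS_KIND and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
            if mss > clamp:
                return opts[:off + 2] + struct.pack("!H", clamp) + opts[off + 4:], mss
            return opts, mss
    return opts, None

def audit_handshake(packets, clamp):
    """Run the clamp over SYN / SYN-ACK packets and flag SYN-ACKs that
    carried no MSS option, since those leave the peer's MSS unreduced."""
    findings = []
    for pkt in packets:
        if not pkt["syn"]:
            continue
        new_opts, mss = clamp_mss(pkt["options"], clamp)
        after = clamp_mss(new_opts, clamp)[1]
        findings.append({
            "name": pkt["name"],
            "mss_seen": mss,
            "mss_after_clamp": after,
            "unclamped_synack": pkt["ack"] and mss is None,
        })
    return findings

# Constructed sample handshake (option bytes only, no IP/TCP headers):
#   MSS 1460 = 02 04 05 b4, SACK-permitted = 04 02, window scale 7 = 03 03 07
SAMPLE_PACKETS = [
    {"name": "client SYN", "syn": True, "ack": False,
     "options": bytes.fromhex("020405b4 0101 0402 030307".replace(" ", ""))},
    {"name": "origin server SYN-ACK", "syn": True, "ack": True,
     "options": bytes.fromhex("020405b4 01 030307".replace(" ", ""))},
    {"name": "SYN-challenge proxy SYN-ACK", "syn": True, "ack": True,
     "options": bytes.fromhex("0101 0402".replace(" ", ""))},   # no MSS option
    {"name": "client ACK", "syn": False, "ack": True, "options": b""},
]

if __name__ == "__main__":
    for f in audit_handshake(SAMPLE_PACKETS, 1436):
        print(f)
```

The interesting line in the output is the proxy SYN-ACK: `mss_seen` is None, `mss_after_clamp` stays None, and `unclamped_synack` is True, whereas the client SYN and the origin server SYN-ACK are rewritten from 1460 to 1436. Applying this check to a real capture (for example by feeding the option bytes from a packet decoder) separates "the router is not clamping" from "there was nothing to clamp", which is the distinction James's question turns on.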

