[c-nsp] TCP MSS CLAMPING issue

james list jameslist72 at gmail.com
Sun Jan 23 11:10:42 EST 2022

 Dear experts,
I have tcp adjust-mss configured on an internet link with an ISP like

interface GigabitEthernet0/0/0
 description internet WAN link
 ip address x.x.x.x
 ip tcp adjust-mss 1436

During DDOS attacks our firewall starts SYN challenge (acting as a proxy)
and I see sniffing traffic over the WAN link that MSS is not adjusted
accordingly from the router.

I suspect the current Cisco implementation does not change MSS because the
syn-ack does not contain the MSS option.

1) do you know if this is the correct behavior ? I do not find
anything official (ASR1k IOS 16.3.7) on www.cisco.com... in case please
share the URL
2) any suggestion if there is a way to set the MSS on ASR1k when not
received in the syn-ack from the server...

The impact is that then the client do not reduce the segment and at the end
the issue come once certificate is being exchanged in the TLS session...

Thanks in advance


More information about the cisco-nsp mailing list