[Dshield] TCP Maximum Segment Size exceeded

TheGesus thegesus at gmail.com
Thu Jan 5 16:49:46 GMT 2006

On 1/3/06, Christophe Rome <asrgchr at yahoo.com> wrote:
> Hi,
> I don't know if this topic fits in here but I'm trying
> it anyway. If it conflicts with the interest of the
> list then just tell me and I'll shut up forever...
> Lately we seem to have a few mailservers experiencing
> smtp connection drops when sending to our external
> mailserver. It seems to happen with every connection
> certain mailservers make. The logfile of our
> mailserver tells us 'socket error - 10054 -
> WSAECONNRESET'. The PIX firewall which stands in
> between reports a 'Dropping TCP packet, reason: MSS
> exceeded'. So we already figured out what the problem
> is...
> I have two questions now about this problem:
> 1) Cisco reports this problem on this link
> (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml).
> They advise not to disable this MSS exceeded
> protection because of a potential buffer overrun risk.
> Is this risk real?
> 2) I understand that the connecting side is using a
> product that has wrongly implemented TCP. I would
> think I am not to change anything in my config and
> that the connecting side is entitled to set things up
> correctly? Am I correct on this or am I seeing things wrong?

My, my, my... that is very interesting.  We installed a new PIX last
year and at about the same time our SSL throughput went to Hell.  It
has never fully recovered.  Back then I ran OpenVPN over a proxy SSL
connection.  I had a 35-40ms client-to-server ping before the new PIX
and a 150-200ms ping after.  I have since switched to UDP and I'm back
in the 35-40 range.

I would think the buffer overrun depends on the client's IP stack, but
this smacks of (yet another) Cisco default "feature", similar to "smtp
helper", which, as many of us know, was never any help at all.
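For readers who want to see concretely what "MSS exceeded" means, here is an added example that is not part of the thread and not Cisco's implementation: a small flow tracker that records the MSS each endpoint announced in its SYN / SYN-ACK and flags later segments whose payload is larger than what the receiving side agreed to accept. The addresses, ports and the SMTP exchange are constructed, and the checker is a deliberately simplified model of the firewall check, so treat its behaviour as an illustration, not as the PIX's exact logic.

```python
"""Flow-tracking check for TCP segments that exceed the peer's advertised MSS.

Constructed example (not from the mailing-list thread, not Cisco's code): models
the check a firewall applies when it logs 'Dropping TCP packet, reason: MSS
exceeded'. A host's MSS option on its SYN / SYN-ACK states the largest payload it
is willing to receive, so every later segment *sent to* that host is compared
against that value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_MSS = 536  # RFC 1122 default when a SYN carries no MSS option


@dataclass
class Segment:
    src: str                   # "ip:port" of the sender (constructed values)
    dst: str                   # "ip:port" of the receiver
    syn: bool = False          # True for SYN and SYN-ACK
    mss: Optional[int] = None  # MSS option value; only meaningful when syn=True
    payload_len: int = 0       # bytes of TCP payload in this segment


class MssChecker:
    """Tracks the MSS each endpoint advertised and flags oversized segments."""

    def __init__(self) -> None:
        # (receiver, sender) -> largest payload the receiver agreed to accept
        self.limit: Dict[Tuple[str, str], int] = {}
        # (sender, receiver, payload_len, limit) for every dropped segment
        self.drops: List[Tuple[str, str, int, int]] = []

    def process(self, seg: Segment) -> bool:
        """Return True if the segment would be forwarded, False if dropped."""
        if seg.syn:
            # The sender of a SYN announces what *it* can receive.
            self.limit[(seg.src, seg.dst)] = (
                seg.mss if seg.mss is not None else DEFAULT_MSS
            )
            return True
        limit = self.limit.get((seg.dst, seg.src))
        if limit is None:
            return True  # handshake not seen; nothing to compare against
        if seg.payload_len > limit:
            self.drops.append((seg.src, seg.dst, seg.payload_len, limit))
            return False
        return True


def run_sample() -> List[Tuple[str, str, int, int]]:
    """Constructed SMTP exchange: the remote MTA ignores our 1380-byte MSS."""
    remote, local = "198.51.100.7:50211", "203.0.113.25:25"  # documentation ranges
    segments = [
        Segment(remote, local, syn=True, mss=1460),  # remote MTA: "I accept 1460"
        Segment(local, remote, syn=True, mss=1380),  # our side:   "I accept 1380"
        Segment(remote, local, payload_len=1380),    # fits our limit, forwarded
        Segment(local, remote, payload_len=1460),    # fits the remote's limit
        Segment(remote, local, payload_len=1460),    # exceeds our 1380, dropped
    ]
    checker = MssChecker()
    for seg in segments:
        checker.process(seg)
    return checker.drops


if __name__ == "__main__":
    for src, dst, size, limit in run_sample():
        print(f"drop {src} -> {dst}: payload {size} > advertised MSS {limit}")
```

The sample reproduces the situation in the thread: the drop is triggered only in the direction where the sender's segment is larger than the MSS the receiver announced, so the side that honours the handshake is unaffected while the non-compliant sender sees its connection reset.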
