The system supports the Transmission Control Protocol (TCP) Maximum Segment Size (MSS) adjustment feature for the following types of tunnels on the ISA:
IPsec
IPinIP/GRE
L2TPv3 (data packet only)
The intent of TCP MSS adjustment is to avoid IP-level fragmentation for TCP traffic encapsulated in a tunnel by updating the MSS option value in the TCP SYN packet with an appropriate value. This feature is useful when there is tunnel encapsulation that is not known by a TCP host, and the extra tunnel encapsulation overhead may cause IP-level fragmentation.
The system supports TCP MSS adjustment on both the public and private sides.
On the public side, when the ISA receives a tunnel packet (such as ESP), it decrypts or decapsulates it; if the payload packet is a TCP SYN packet, the ISA rewrites the MSS option with the configured value when the configured MSS value is smaller than the received MSS value, or when the SYN carries no MSS option:
If public-tcp-mss-adjust auto is configured, then:
new MSS value = public_side_MTU - tunnel_overhead - TCP fixed header - IP fixed header
where:
public_side_MTU = encapsulated-ip-mtu
If encapsulated-ip-mtu is not configured, which means there is no post-encapsulation fragmentation on the ISA, then TCP MSS adjust is disabled.
TCP fixed header = 20
IP fixed header = 20 (IPv4) or 40 (IPv6)
If a specific MSS value is configured with public-tcp-mss-adjust new_mss_value, then the new MSS value is set to new_mss_value.
The public-tcp-mss-adjust auto command only applies to IPsec and IPinIP/GRE tunnels.
For an IPsec tunnel, the tunnel_overhead is the maximum overhead of the corresponding CHILD_SA.
For an IPinIP tunnel, the tunnel_overhead is 0.
For a GRE tunnel, the tunnel_overhead is the length of the GRE header.
The private side behaves like the public side: the system processes the received TCP SYN packet on the private side if TCP MSS adjust is enabled there. However, there is no auto parameter for the private-tcp-mss-adjust command.
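As an added illustration (not code from the SR OS documentation or the ISA itself), the following Python computes the auto MSS from the formula above for each tunnel type and applies the rewrite rule to a constructed TCP SYN header, covering the replace case, the no-option case and the not-smaller case. The GRE header length of 4 and the CHILD_SA overhead passed in are assumptions, as are the sample ports.

```python
import struct

TCP_FIXED_HDR = 20               # page: TCP fixed header = 20
IP_FIXED_HDR = {4: 20, 6: 40}    # page: IP fixed header = 20 (IPv4) or 40 (IPv6)
MSS_KIND, MSS_LEN = 2, 4         # TCP MSS option is kind 2, length 4

def auto_mss(encapsulated_ip_mtu, tunnel, ip_version=4, child_sa_overhead=0, gre_header_len=4):
    """MSS chosen by 'public-tcp-mss-adjust auto', or None when the adjustment is disabled.
    tunnel_overhead per the page: IPsec = max CHILD_SA overhead (caller supplies), IPinIP = 0, GRE = header length."""
    if encapsulated_ip_mtu is None:  # no encapsulated-ip-mtu: no post-encap fragmentation, so disabled
        return None
    overhead = {"ipsec": child_sa_overhead, "ipinip": 0, "gre": gre_header_len}[tunnel]
    return encapsulated_ip_mtu - overhead - TCP_FIXED_HDR - IP_FIXED_HDR[ip_version]

def adjust_syn_mss(tcp_hdr, new_mss):
    """Page's rewrite rule on a raw TCP header (fixed header + options): lower the MSS option when
    new_mss is smaller than the received value, or add it when absent. Returns (header, changed)."""
    if new_mss is None or not (tcp_hdr[13] & 0x02):     # adjust disabled, or not a SYN
        return tcp_hdr, False
    doff = (tcp_hdr[12] >> 4) * 4
    opts, i = bytearray(tcp_hdr[TCP_FIXED_HDR:doff]), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # End of option list: drop it and the padding
            del opts[i:]
            break
        if kind == 1:                                    # NOP
            i += 1
            continue
        if kind == MSS_KIND:
            (received,) = struct.unpack_from("!H", opts, i + 2)
            if new_mss >= received:                      # replace only when the configured value is smaller
                return tcp_hdr, False
            struct.pack_into("!H", opts, i + 2, new_mss)
            return bytes(tcp_hdr[:TCP_FIXED_HDR]) + bytes(opts), True
        i += max(opts[i + 1], 2)                         # skip option; max() guards a malformed zero length
    opts += struct.pack("!BBH", MSS_KIND, MSS_LEN, new_mss)  # no MSS option present: add one
    opts += b"\x00" * (-len(opts) % 4)                       # pad options to a 32-bit boundary
    if TCP_FIXED_HDR + len(opts) > 60:                       # would exceed the maximum TCP header size
        return tcp_hdr, False
    hdr = bytearray(tcp_hdr[:TCP_FIXED_HDR]) + opts
    hdr[12] = ((len(hdr) // 4) << 4) | (hdr[12] & 0x0F)      # update the data offset
    return bytes(hdr), True                                  # checksum must be recomputed by the caller

def build_syn(options=b""):
    """Constructed sample only: minimal TCP SYN header (ports 12345 -> 443) with the given options."""
    options += b"\x00" * (-len(options) % 4)
    doff = (TCP_FIXED_HDR + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 12345, 443, 0, 0, doff << 4, 0x02, 65535, 0, 0) + options
```

The rewritten header's TCP checksum is left for the caller to recompute, since that also depends on the IP pseudo-header.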