How is the MSS value calculated when 'set flow all-tcp-mss' is configured

  [KB14290]


Summary:

How does 'set flow all-tcp-mss x' work under various conditions?

Symptoms:

Solution:

When the following command is configured in ScreenOS, how is the MSS value calculated?

     set flow all-tcp-mss x

If x >= MSS in the SYN or the SYN/ACK, the firewall does not change the MSS.
If x < MSS in the SYN or the SYN/ACK, the firewall changes the MSS to x; that is, it rewrites the MSS field in the TCP header of the SYN or SYN/ACK packet to the value x.

Here are four scenarios based on the following topology:

Host A----------ScreenOS firewall----------Host B

  1. MSS(A) > x > MSS(B), the negotiated tcp-mss is MSS(B)

  2. MSS(A) < x < MSS(B), the negotiated tcp-mss is MSS(A)

  3. MSS(A) > x and MSS(B) > x, the negotiated tcp-mss is x

  4. MSS(A) < x and MSS(B) < x, the negotiated tcp-mss is min(MSS(B), MSS(A))

Note that in scenario 4, the firewall will not change the TCP-MSS value in the TCP header of the SYN or SYN/ACK packet because the MSS configured on the firewall is larger than the MSS of both host endpoints.
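
The clamping rule and the four scenarios above, worked through in Python as an added example (not Juniper's code): it finds the MSS option in a constructed SYN header, rewrites it only when x is smaller, and patches the TCP checksum to match, a step the article does not discuss. All function names and the port, sequence and window values are constructed for illustration.

```python
import struct

SYN, ACK, EOL, NOP, MSS_KIND = 0x02, 0x10, 0, 1, 2

def find_mss(hdr: bytes):
    """Offset of the 16-bit MSS value in a SYN or SYN/ACK header, else None."""
    if len(hdr) < 20 or not hdr[13] & SYN:
        return None                       # only SYN segments carry the MSS option
    end, i = min((hdr[12] >> 4) * 4, len(hdr)), 20
    while i < end and hdr[i] != EOL:
        if hdr[i] == NOP:                 # single-byte padding option
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            return None                   # malformed option list: leave untouched
        if hdr[i] == MSS_KIND and hdr[i + 1] == 4:
            return i + 2
        i += hdr[i + 1]
    return None

def clamp(hdr: bytes, x: int) -> bytes:
    """Rewrite the MSS option to x only when x < MSS, as the article states."""
    off = find_mss(hdr)
    if off is None:
        return hdr
    (mss,) = struct.unpack_from("!H", hdr, off)
    if x >= mss:
        return hdr                        # x >= MSS: header passes unchanged
    out = bytearray(hdr)
    struct.pack_into("!H", out, off, x)
    # The TCP checksum covers the options, so patch it incrementally (RFC 1624).
    swap = (lambda v: v) if off % 2 == 0 else (lambda v: (v << 8 | v >> 8) & 0xFFFF)
    (csum,) = struct.unpack_from("!H", out, 16)
    s = (~csum & 0xFFFF) + (~swap(mss) & 0xFFFF) + swap(x)
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", out, 16, ~s & 0xFFFF)
    return bytes(out)

def syn(mss: int, flags: int = SYN) -> bytes:
    """Constructed 24-byte TCP header with one MSS option (checksum left at 0)."""
    return struct.pack("!HHIIBBHHHBBH", 40000, 443, 1, 0, 6 << 4, flags,
                       65535, 0, 0, MSS_KIND, 4, mss)

def negotiated(mss_a: int, mss_b: int, x: int) -> int:
    """Smaller of the two MSS values the hosts see after the firewall's clamp."""
    seen = [clamp(syn(mss_a), x), clamp(syn(mss_b, SYN | ACK), x)]
    return min(struct.unpack_from("!H", h, find_mss(h))[0] for h in seen)
```

With x = 1400, `negotiated(1460, 1380, 1400)` returns 1380 (scenario 1), and `clamp(syn(1300), 1400)` returns the header byte-for-byte unchanged, as in scenario 4.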


Note:
  The command 'set flow tcp-mss' uses the same logic.

