This article provides information about the set flow all-tcp-mss and set flow tcp-mss commands.
The set flow tcp-mss and set flow all-tcp-mss commands are applicable to change the MSS value with traffic via the firewall.
The set flow tcp-mss and set flow all-tcp-mss commands can be used in cases, in which fragmentation can cause performance or communication problems. This will modify the maximum segment size (MSS) to a low enough value that is below the Maximum Transmission Unit (MTU), so that fragmentation will not occur.
A packet with the payload size, plus all associated overhead, must not exceed the MTU. Otherwise, fragmentation will occur. The overhead can include MAC headers, ethernet headers, CRC, encryption, and PPPoE.
The set flow all-tcp-mss command is applicable to clear-text traffic, whereas the set flow tcp-mss command is applicable to only VPN traffic. In other words, set flow tcp-mss can be used to change the MSS value for the SYN packet of the TCP handshake within the Tunnel and set flow all-tcp-mss can be used to change the MSS value for the SYN packet of the TCP handshake outside the tunnel; that is clear text traffic.
The set flow tcp-mss command is applicable for only VPN traffic. It affects only the firewall that performs the encrypting. For example, with the following topology:
Then, if the session is established from PC-A to PC-B, PC-A sends the SYN packet via the tunnel. FW1 does not change the TCP-MSS setting. When the packet is received by FW2, the TCP-MSS setting will not be changed, as the packet is already decrypted. In other words, the TCP-MSS setting will be changed, only if the command is set on the firewall on which the packet is encrypted; not on the firewall on which the packet is being decrypted.
If you want to change the MSS setting for the sessions that originate from PC-A via the tunnel, then set flow tcp-mss 1350 has to be set on FW1.
Note: from ScreenOS 6.1 or later, the 'set flow vpn-tcp-mss <number>' new CLI command was introduced to set the MSS value for all TCP SYN packets for both outbound and inbound VPN traffic.
The set flow all-tcp-mss command is required when using PPPoE, as PPPoE adds considerable overhead and fragmentation will occur, if this command is not enabled. In certain instances, a router may not be handling fragmentation properly. In these instances, the set flow all-tcp-mss may help.
For example, when accessing a web site and not all images are displayed, this symptom could be due to fragmentation. Applying the set flow all-tcp-mss command can resolve this issue.
Note: 'set flow all-tcp-mss' settings are applied to only clear traffic. It is bi-directional; so the MSS value in the SYN packet is modified for the clear traffic.
For example, in the above scenario/topology, assume that the following command is also added to FW2:
FW2-> set flow all-tcp-mss 1350
Then, when PC-A establishes a session with PC-B, FW2 will change the TCP-MSS setting for the sessions that originate from PC-A to PC-B, as it is applicable to the packet, after it is decrypted.
Note: The 'set tcp mss'command (without the 'flow' parameter)is applicable to the TCP/IP stack of the firewall and communication from/tothe firewall; that is management of the firewall.