MSS Exceeded Workaround

After installing a new ASA 5520, I noticed that a few websites were loading very slowly or not at all. The problem seemed to be very intermittent, but reproducible by revisiting the websites at any time of the day. Browsing to the site from outside of the firewall showed the site to be responsive.

I started to watch the live log while browsing to the site and noticed packets being dropped. The log read:

Dropping TCP packet from outside: to inside: , reason: MSS exceeded, MSS 1260, data 1460

Apparently, this is a new security feature for the 7.0+ code for the ASA. Normally, the client and server send their MSS (Maximum Segment Size) while establishing the TCP connection. Once this occurs, neither the client or server should send a packet larger than their peer’s MSS. However, some HTTP servers do not recognize the MSS and send packets that are too large, and are thus dropped by the ASA.

The workaround for this is to allow the firewall to pass the packets whose data exceeds the MSS. Let’s say the server causing the problems ip is 192.168.10.9. First, create and access-list for any host accessing that server.

access-list MSS_Exceeded_ACL permit tcp any host 192.168.10.9

And then create a class map.

class-map MSS_Exceeded_MAP
match access-list MSS_Exceeded_ACL
exit
tcp-map mss-map
exceeded mss allow

Create the policy map.

policy-map MSS_Exceeded_MAP
class MSS_Exceeded_MAP
set connection advanced-options mss-map

Apply the map to the outside interface.

service-policy MSS_Exceeded_MAP interface outside

If there is more than one site, just add the additional sites to the MSS_Exceeded_ACL access list or change it to allow all sites.

access-list MSS_Exceeded_ACL permit tcp any any

For more information about MSS and logging these events, check out the document from Cisco.

CISCO ASA SSL CERT

GENERATE CSR

1. From the Cisco Adaptive Security Device Manager (ASDM), select “Configuration” and then “Device Management.”
2. Expand “Certificate Management,” then select “Identity Certificates,” and then “Add.”
3. Select the button to “Add a new identity certificate” and click the “New…” link for the Key Pair.



4. Select the option to “Enter new key pair name” and enter a name (any name) for the key pair. Next, click the “Generate Now” button to create your key pair.

The key size should be changed to 2048 and Usage should be left on General purpose



5. Next you will define the "“Certificate Subject DN” by clicking the Select button to the right of that field. In the Certificate Subject DN window, configure the following values by selecting each from the “Attribute” drop-down list, entering the appropriate value, and clicking “Add.”
• CN – The name through which the firewall will be accessed (usually the full-qualified domain name, e.g., vpn.domain.com).
• OU – The nameof your department within the organisation (frequently this entry will be listed as “IT”, “Web” Security or is simply left blank).
• O – The legally registered name of your organisation/company.
• C – Your country's two-digit code.
• ST – The state in which your organisation is located.
• L – The city in which your organisation is located.



6. Next, click “Advanced” in the “Add Identity Certificate” window.



7. In the FQDN field, type in the fully-qualified domain name through which the device will be accessed externally, e.g., vpn.domain.com (or the same name as was entered in the CN value in step 5).
8. Click "OK" and then "Add Certificate." You will then be prompted to save your newly created CSR information as a text file (.txt extension).

Remember the filename that you choose and the location to which you save it. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.

Choose your SSL CA

Installing your SSL Certificate in the Adaptive Security Device Manager (ASDM)

1. You will receive your SSL certificate and intermediate certificate by email. Copy each certificate from the email, paste each one into a separate text editor and save the files to a safe location with an extension of .crt, such as gs_sslcertificate.crt and gs_intermediate.crt.
2. In ASDM select “Configuration” and then “Device Management.”
3. Expand “Certificate Management” and select “CA Certificates” and then “Add.”
4. With the option selected to “Install from a file”, browse to the gs_intermediate.crt file and then click the “Install Certificate” button at the bottom of the "Install Certificate" window.

Your Intermediate certificate file is now installed. You will now need to install the gs_sslcertificate.crt file.

5. In ASDM select “Configuration” and then “Device Management”.
6. Expand “Certificate Management” and select “Identity Certificates”.
7. Select the appropriate identity certificate from when your CSR was generated (the “Issued By” field should show as not available and the “Expiry Date” field will show Pending…). Click the Install button.
8. Browse to the appropriate identity certificate (the gs_sslcertificate.crt provided by GlobalSign) and click “Install Certificate.”

At this point you should receive confirmation that the certificate installation was successful.

Configuring WebVPN with ASDM to Use the New SSL Certificate

1. In ASDM select “Configuration” and then “Device Management”.
2. Click “Advanced” and then “SSL Settings”
3. From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose “Edit”.
4. From the “Certificate” drop-down, select the newly installed certificate, then “OK”, and then “Apply”

Configuring your certificate for use with the selected kind of WebVPN session is now complete.

SSL Certificate Installation from the Cisco ASA command line (alternate installation method)

1. From the ciscoasa(config)# line, enter the following text:

crypto ca authenticate my.globalsign.trustpoint

Where my.globalsign.trustpoint is the name of trustpoint created when your certificate request was generated.

2. Next, enter the entire body of the gs_intermediate.crt file followed by the word “quit” on a line by itself (the gs_intermediate.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).
3. When asked to accept the certificate, enter “yes”.
4. When the certificate has been successfully imported, enter “exit”.

Your Intermediate certificate file is now installed. You will now need to install the gs_sslcertificate.crt file.

5. From the ciscoasa(config)# line, enter the following text:

crypto ca import my.globalsign.trustpoint certificate

Where my.globalsign.trustpoint is the name of trustpoint created when your certificate request was generated.

6. Next, enter the entire body of the gs_sslcertificate.crt file followed by the word “quit” on a line by itself (the gs_sslcertificate.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).

You should then receive a message that the certificate was successfully imported.

Configuring WebVPN to Use the New SSL Certificate from the Cisco ASA command line

1. From the ciscoasa(config)# line, enter the following text:

ssl trust-point my.globalsign.trustpoint outside

wr mem

Where my.globalsign.trustpoint is the name of trustpoint created when your certificate request was generated and "outside" is the name of the interface being configured.

Make sure to save the configuration.

Cisco IOS to CatOS Etherchannel Configuration

Here are the relevant parts of the configuration to setup an etherchannel between an IOS device and a CatOS device. First lets start with the CatOS device, in this case a 6509. We will be using ports 3/9 and 3/10.

We first need to set the ports we want to use to be a trunk. Here we are forcing dot1q.

6509#set trunk 3/1-2 nonegotiate dot1q

Now we need to setup the port channels. These channels will be used as 1 and aggregate bandwidth between them.

6509#set port channel 3/9-10

Note: There is an option at the end of this command to specify the admin group. This is how the CatOS groups the ports. If you do not specify the admin group, the CatOS will automatically assign one. This is something to watch out for if you set each port separately.

Now, turn the port channel on.

6509#set port channel 3/9-10 mode on

That is it for the CatOS. The config for the IOS is quite a bit different. First, create a port channel interface and make it a trunk.

3750(config)#interface port-channel 1
3750(config-if)#switchport trunk encapsulation dot1q
3750(config-if)#switchport mode trunk

Assign ports to the port channel group.

3750(config)#interface GigabitEthernet1/0/1
3750(config-if)#channel-group 1 mode on
3750(config-if)#interface GigabitEthernet1/0/2
3750(config-if)#channel-group 1 mode on

Just connect the ports and everything should come up. To check on the CatOS.

6509#show port channel
Port Status Channel Admin Ch Mode Group Id
—– ———- ——————– —– —–
3/9 connected on 746 1734
3/10 connected on 746 1734

Port Device-ID Port-ID Platform
—– ——————————- ————————- —————-
3/9 3750 GigabitEthernet1/0/1 cisco WS-C3750-48P
3/10 3750 GigabitEthernet1/0/2 cisco WS-C3750-48P

Here, both ports 3/9 and 3/10 show as connected and on the same admin channel.

And for the IOS.

3750#show etherchannel summary
Flags: D – down P – in port-channel
I – stand-alone s – suspended
H – Hot-standby (LACP only)
R – Layer3 S – Layer2
U – in use f – failed to allocate aggregator
u – unsuitable for bundling
w – waiting to be aggregated
d – default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
——+————-+———–+———————————————–
1 Po1(SU) – Gi1/0/1(P) Gi2/0/1(P)

The last line is the important one. Notice that is shows both ports are in port channel 1.

To configure and IOS to IOS etherchannel, just repeat the exact steps for the IOS on the second switch.
That’s all there is to it.