Tuesday, November 30, 2021

MSS Problem

So today I got into a situation like this.
3 weeks ago I was reviewing some pcaps in our network and noticed that the MSS was always capped at 1380. I found out about the ASA default and had one of those "I need to change that" moments, so I uncapped it everywhere except for the ones with IPSec tunnels.
After a week, my colleague from the L1 team contacted me about a printer at one of our branches that just wouldn't scan to email. I did a capture of the SMTP traffic, which always ended with the mail header and then stalled for a minute, followed by an RST from the printer (the configurable default in the printer menu). I tried to send a mail from the router with telnet and it worked fine, so I blamed his crappy printer and moved on to other things. I had him try another one, until I started investigating this more. It turned out I couldn't ping that one branch router with a 1500 MTU. It just timed out.
He gave me the exact date when the users first reported the issue and I looked into my Chrome history. There were multiple sites about ASA and MSS...
So at that point I was pretty sure this was not a coincidence.
So there is surely something in our ISP's MPLS that has a 1496 MTU configured.
As I had uncapped the MSS adjustment on our DC ASA to unlimited, every TCP connection now had a 1460-byte MSS. Clients on that branch probably were not affected because of PMTUD?
I did a workaround by setting the MSS on the branch router's printer VLANs to a lower size.
My only concern is why the packets don't just fragment. When I ping our router or anything else on that branch with 1497 to 1500 MTU, it doesn't even say "Packet needs to be fragmented but DF set."
It just times out. But when I ping with more than 1500 MTU, I get the message about fragmentation needed...
I had the ISP guys investigate this, but I'm pretty curious what it could be.
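To make the symptom above concrete, here is an added example (not from this post) that models the path as described: the local router still answers "fragmentation needed" above 1500, while an assumed MPLS hop with a 1496 MTU silently drops DF packets, so path MTU discovery gets no ICMP and the sender never learns to shrink. The binary search, the black-hole check and the MSS arithmetic are my own illustration; the 1380 and 1460 values are the ones the post mentions.

```python
# Constructed path model for the black hole described in the post.
# probe(size) stands in for "ping with DF set and an IP packet of size bytes".

IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
ASA_DEFAULT_MSS = 1380  # ASA default MSS clamp mentioned in the post
UNCAPPED_MSS = 1460     # MSS seen once the clamp was removed (1500 - 40)


def make_path(local_mtu=1500, blackhole_mtu=1496):
    """Return probe(size) -> 'ok' | 'frag_needed' | 'timeout'.

    Assumed behaviour: the first-hop router reports oversize DF packets,
    the MPLS hop with the smaller MTU drops them without any ICMP message.
    """
    def probe(size):
        if size > local_mtu:
            return "frag_needed"   # the router does tell us about this one
        if size > blackhole_mtu:
            return "timeout"       # dropped silently: no ICMP, no feedback
        return "ok"
    return probe


def find_path_mtu(probe, lo=576, hi=9000):
    """Binary-search the largest DF packet size that gets through.

    Any non-'ok' answer (an ICMP error or plain silence) counts as too big,
    which is how a manual ping sweep narrows down a black hole.
    """
    assert probe(lo) == "ok", "lower bound must pass"
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid) == "ok":
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_pmtud_blackhole(probe, pmtu):
    """True when the packet one byte above the path MTU is dropped silently,
    i.e. PMTUD cannot work because the sender never receives the ICMP error."""
    return probe(pmtu + 1) == "timeout"


def max_mss_for_path(pmtu):
    """Largest IPv4 TCP MSS that fits the discovered path MTU."""
    return pmtu - IPV4_TCP_HEADERS


def mss_fits(mss, pmtu):
    """Does a full-size segment with this MSS survive the path?"""
    return mss + IPV4_TCP_HEADERS <= pmtu
```

With the model above, `find_path_mtu` lands on 1496, `is_pmtud_blackhole` is true, and `mss_fits` shows why the 1380 default never hit the problem while 1460 does.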