I am trying to set jumbo MTU for a Cisco ASA 5585 and I did the following:
asa1/pri/act(config)# mtu inside 9000
INFO: Jumbo frames should be enabled to receive packets more than 1500 MTU
Use 'jumbo-frame reservation' command to turn on jumbo frame
INFO: TCP MSS may need to be adjusted using 'sysopt connections tcpmss'
command to pass large TCP segments
Now it is saying you may need to set sysopt connections tcpmss. I have noticed that my old Cisco ASA firewall has the following setting, because when we set up an IPsec VPN with AWS they said to use the following recommended setting:
sysopt connection tcpmss 1379
The question is: if I set sysopt connection tcpmss 9000, is it going to break anything in relation to the IPsec tunnel?
Best Answer
TCP MSS is just used to notify a sender of the max TCP segment size the receiver can accept. It does not include the TCP or IP headers. So if you set it to the same size as your MTU, by the time you add the relevant headers you can end up with a frame size larger than your MTU. At a minimum, you are creating a scenario where fragmentation has to occur in order to transmit the frame across the link or, in the case of a TCP packet with a "Do Not Fragment" bit set, the frame won't be transmitted at all.
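The header arithmetic described in the answer, carried through to the IPsec tunnel, as an added example that is not part of the original question or answer. It assumes IPv4 with no IP or TCP options, ESP tunnel mode with AES-CBC and HMAC-SHA1-96, and a 1500-byte path MTU for the tunnel; all function names are illustrative.

```python
# Added example; sizes assume IPv4, no IP/TCP options, ESP tunnel mode
# with AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
IP_HDR, TCP_HDR = 20, 20
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_ICV = 8, 16, 16, 12
NAT_T_UDP = 8  # UDP encapsulation header when NAT traversal is in use


def inner_packet(mss):
    """IP packet size for a full-sized TCP segment: MSS excludes both headers."""
    return mss + TCP_HDR + IP_HDR


def esp_packet(inner, nat_t=False):
    """Size of the outer packet after ESP tunnel-mode encapsulation."""
    # Payload plus the 2-byte ESP trailer is padded up to the cipher block size.
    ciphertext = -(-(inner + 2) // ESP_BLOCK) * ESP_BLOCK
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + ESP_IV + ciphertext + ESP_ICV


def outcome(size, mtu, df):
    """What happens to a packet of `size` bytes on a link with this MTU."""
    if size <= mtu:
        return "fits"
    return "dropped (DF set)" if df else "fragmented"


def check(mss, lan_mtu, tunnel_path_mtu, df=True, nat_t=False):
    """Evaluate one MSS against the inside interface and the IPsec path."""
    inner = inner_packet(mss)
    outer = esp_packet(inner, nat_t)
    return {"inner": inner, "outer": outer,
            "lan": outcome(inner, lan_mtu, df),
            "tunnel": outcome(outer, tunnel_path_mtu, df)}


def max_mss(path_mtu, nat_t=False):
    """Largest MSS whose encapsulated packet still fits the tunnel path MTU."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_packet(inner_packet(mss), nat_t) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # Constructed inputs: MSS values from the question plus two reference points.
    for mss in (1379, 1460, 8960, 9000):
        print(mss, check(mss, lan_mtu=9000, tunnel_path_mtu=1500))
    print("max MSS over a 1500-byte path:", max_mss(1500), max_mss(1500, nat_t=True))
```

Under these assumptions an MSS of 9000 already exceeds the 9000-byte inside MTU once the 40 bytes of headers are added, while 1379 leaves room for the ESP overhead on a 1500-byte path.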