The firewall tcp-mss command sets the maximum length of the data segment of the TCP packet that can be sent by the peer device.
The undo firewall tcp-mss command restores the TCP MSS value to the default one.
| Parameter | Description | Value |
|---|---|---|
| mss-value | Specifies the maximum length of the data segment of the TCP packet that can be sent by the peer device. | The value ranges from 100 to 1460, in bytes. The default value is 1460. |
| keychain enable | Indicates that keychain is enabled. | Keychain is enabled by default. |
After packets on the network are fragmented, certain devices may have problems processing them at the application layer. To avoid these problems, you can run the firewall tcp-mss command on the device. When forwarding TCP packets that carry the keychain option (SYN and SYN-ACK packets), the device compares the TCP MSS value configured locally with the MSS value in the packet and uses the smaller of the two when forwarding the packet. As a result, no fragmentation occurs on the network, which ensures smooth communication.
In normal cases, the MSS is set to the interface MTU minus 40 bytes (20-byte IP header plus 20-byte TCP header). If the uplink uses PPPoE dialup, an additional 8 bytes (PPPoE header) must be deducted; that is, the MSS is the interface MTU minus 48 bytes.
For example:
If the interface MTU changes from 1500 bytes to 1450 bytes, the new MSS must be 1410 bytes.
If the interface MTU is 1500 bytes and the uplink uses PPPoE dialup, the MSS must be set to 1452 bytes (1500 minus 20, 20, and 8).
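The MSS derivation and the clamping behaviour described above, as an added Python example that is not part of the original documentation and does not model the device's actual implementation. It derives the MSS from an MTU (with and without the PPPoE overhead), then rewrites the MSS option of a constructed TCP SYN segment only when the peer's advertised MSS exceeds the locally configured value, recomputing the TCP checksum over an IPv4 pseudo-header so the segment stays valid. The IP addresses, ports and the 1460/1410 values are constructed sample inputs.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_ACK = 0x02, 0x10
IP_HDR, TCP_HDR, PPPOE_HDR = 20, 20, 8

# Constructed sample addresses (documentation ranges), not from the page.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])


def mss_for_mtu(mtu, pppoe=False):
    """MSS derived from the interface MTU: MTU minus IP and TCP headers,
    minus the 8-byte PPPoE header when the uplink is a PPPoE dialup."""
    return mtu - IP_HDR - TCP_HDR - (PPPOE_HDR if pppoe else 0)


def tcp_checksum(src_ip, dst_ip, segment):
    """Standard one's-complement TCP checksum over the IPv4 pseudo-header
    and the segment; the checksum field in `segment` must already be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(src_ip, dst_ip, segment):
    """A correct segment sums to zero when the checksum field is included."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, src_port, dst_port, mss, flags=FLAG_SYN):
    """Build a minimal TCP segment carrying only an MSS option (kind 2, len 4)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    seg = bytearray(hdr + opts)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def parse_mss(segment):
    """Walk the TCP options; return (mss, byte offset of the MSS value)
    or (None, None) if the segment carries no MSS option."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0], i + 2
        i += length
    return None, None


def clamp_mss(segment, local_mss, src_ip, dst_ip):
    """Adopt the smaller of the local and advertised MSS on SYN/SYN-ACK
    segments; anything else is forwarded untouched."""
    if not segment[13] & FLAG_SYN:
        return segment
    mss, offset = parse_mss(segment)
    if mss is None or mss <= local_mss:
        return segment
    out = bytearray(segment)
    out[offset:offset + 2] = struct.pack("!H", local_mss)
    out[16:18] = b"\x00\x00"  # zero before recomputing the checksum
    out[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(SRC_IP, DST_IP, 40000, 80, 1460)
    local = mss_for_mtu(1450)  # 1410, the page's worked example
    out = clamp_mss(syn, local, SRC_IP, DST_IP)
    print("advertised", parse_mss(syn)[0], "-> forwarded", parse_mss(out)[0],
          "checksum ok:", verify_checksum(SRC_IP, DST_IP, out))
```

The clamp is applied only to segments with the SYN flag set, mirroring the page's statement that the device acts on SYN and SYN-ACK packets; a data segment is never touched. On a real device the checksum update happens in the forwarding path; here it is recomputed in full for clarity.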
Configure the parameters under the guidance of technical personnel.