This is working as designed. 

The ProxySG proactively lowers the MSS as a safeguard when it detects that the client is not on the same subnet as the ProxySG. This is done to prevent packet fragmentation or drops in the event that an intermediate router between the proxy and the client is not configured with a standard Maximum Transmission Unit (MTU) of 1500 bytes.

To work around the problem, you can enable path MTU discovery, or you can change the MTU value for offlink hosts.
 

Option 1:  Enabling path MTU discovery:

Enabling PMTUD allows the ProxySG to dynamically discover the maximum MTU size that downstream hosts and intermediate routers can handle.

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip pmtu-discovery enable

Option 2:  Changing the MTU value for offlink hosts:

This option instructs the ProxySG to ignore the built-in safeguard and assume that downstream hosts will support an MTU of 1500. It effectively sets the MTU decrement to 0.

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip tcp-offlink-dst-mtu-dec 0

To revert the changes and revert to default behavior execute following command.  

ProxySG#(config)tcp-ip tcp-offlink-dst-mtu-dec 100 

Above commands sets offlink MTU to default 1400. 

 
NOTE: The tcp-offlink-dst-mtu-dec command is a hidden CLI command.  If you enter the command as shown above, SGOS will accept it.  However, it does not show up as a list of commands, nor it is documented.