Why does the ProxySG have a TCP segment of 1360 bytes instead of 1460 bytes?

Article ID: 167550

Products

ProxySG Software - SGOS

Issue/Introduction

Why does the ProxySG have a TCP segment of 1360 bytes instead of 1460 bytes?
The negotiated MSS is 1460 bytes, but the ProxySG uses a TCP segment of 1360 bytes.
The workstation is located behind a router or is one or more hops away from the ProxySG.
 

Resolution

This is working as designed.  The ProxySG (SGOS) will lower the MSS to 1360 bytes if it detects that the client is not on the same subnet as the ProxySG.  This is done in case there is a router between the proxy and the client that doesn't have an MTU set to 1500 bytes.
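To confirm this behaviour in a packet capture, the following added example (not part of the original article and not Broadcom code) reads the MSS option from the SYN and SYN-ACK and compares it with the largest payload each side actually sends. It assumes raw IPv4 packets without a link-layer header and a single TCP connection; the addresses, ports, sample packets and the "clamped" heuristic are constructed for illustration.

```python
import socket
import struct

def parse_ipv4_tcp(pkt):
    """Return (src, dst, flags, mss_option, payload_len) for a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    data_off = (tcp[12] >> 4) * 4
    opts, mss, i = tcp[20:data_off], None, 0
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the option list
        size = 1 if opts[i] == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (opts[i] != 1 and size < 2) or i + size > len(opts):
            break                                # malformed option: stop parsing
        if opts[i] == 2 and size == 4:           # kind 2 is the MSS option
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += size
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, tcp[13], mss, len(tcp) - data_off

def segment_report(packets):
    """Per sender: MSS its peer advertised, largest payload sent, and a clamp flag."""
    advertised, peer, sizes = {}, {}, {}
    for pkt in packets:
        src, dst, flags, mss, plen = parse_ipv4_tcp(pkt)
        peer[src] = dst
        if flags & 0x02 and mss is not None:     # SYN or SYN-ACK carries the MSS
            advertised[src] = mss
        if plen:
            sizes.setdefault(src, []).append(plen)
    report = {}
    for src, seen in sizes.items():
        largest, limit = max(seen), advertised.get(peer[src])
        # Heuristic (assumption): a repeated largest size below the peer's MSS
        clamped = limit is not None and largest < limit and seen.count(largest) > 1
        report[src] = {"peer_mss": limit, "largest": largest, "clamped": clamped}
    return report

def build(src, dst, flags, mss=None, payload_len=0):
    """Constructed sample packet (checksums left at zero, ports arbitrary)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 0, 0, (5 + len(opts) // 4) << 4,
                      flags, 65535, 0, 0) + opts + b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

CLIENT, PROXY = "198.51.100.20", "192.0.2.10"    # constructed addresses
SAMPLE = [build(CLIENT, PROXY, 0x02, mss=1460), build(PROXY, CLIENT, 0x12, mss=1460),
          build(CLIENT, PROXY, 0x18, payload_len=300)] + [
          build(PROXY, CLIENT, 0x10, payload_len=n) for n in (1360, 1360, 500)]
```

Running `segment_report(SAMPLE)` flags the proxy as sending 1360-byte segments against an advertised MSS of 1460, which is the symptom described in this article.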

To work around the problem, you can enable path MTU discovery, or you can change the MTU value for offlink hosts.
 

Option 1:  Enabling path MTU discovery:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip pmtu-discovery enable


NOTE:  This enables path MTU discovery, so the ProxySG will find out what downstream hosts can handle.


Option 2:  Changing the MTU value for offlink hosts:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)tcp-ip tcp-offlink-dst-mtu 1500

NOTE:  This instructs the ProxySG to ignore the safeguard put in place and assume downstream hosts will have an MTU of 1500 as well.  The tcp-offlink-dst-mtu command is a hidden CLI command.  If you enter the command as shown above, SGOS will accept it.  However, it does not show up in the list of commands, nor is it documented.