Why does the ProxySG have a TCP segment of 1360 bytes instead of 1460 bytes? The negotiated MSS is 1460 bytes, but the ProxySG uses a TCP segment of 1360 bytes The workstation is located behing a router or is one or more hops away from the ProxySG.
This is working as designed. The ProxySG (SGOS) will lower the MSS to 1360 bytes if it detects that the client is not on the same subnet as the ProxySG. This is done in case there is a router between the proxy and the client that doesn't have an MTU set to 1500 bytes.
To work around the problem, you can enable path MTU discovery, or you can change the MTU value for offlink hosts.
Option 1: Enabling path MTU discovery:
ProxySG>enable Enable Password: ProxySG#config t Enter configuration commands, one per line. End with CTRL-Z. ProxySG#(config)tcp-ip pmtu-discovery enable
NOTE: Enables path MTU discovery, so the ProxySG will find out what downstream hosts can handle.
Option 2: Changing the MTU value for offlink hosts:
ProxySG>enable Enable Password: ProxySG#config t Enter configuration commands, one per line. End with CTRL-Z. ProxySG#(config)tcp-ip tcp-offlink-dst-mtu 1500
NOTE: Instructs the ProxySG to ignore the safeguard put in place and assume downstream hosts will have an MTU of 1500 as well. The tcp-offlink-dst-mtu command is a hidden CLI command. If you enter the command as shown above, SGOS will accept it. However, it does not show up as a list of commands, nor is it documented.
Imported Document ID: 000016308
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.