PAN-OS® Networking Administrator’s Guide
    : Maximum Segment Size (MSS)
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS® Networking Administrator’s Guide
    4. Session Settings and Timeouts
    5. TCP
    6. Maximum Segment Size (MSS)
    Download PDF

    PAN-OS® Networking Administrator’s Guide

    Maximum Segment Size (MSS)

    Table of Contents

    Maximum Segment Size (MSS)

    The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
    A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
    If the DF (don’t fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
    You can configure the firewall globally to fragment IPv4 packets that exceed the egress interface MTU, even when the DF bit is set in the packet. Enable this for Layer 3 physical interfaces and IPSec tunnel interfaces using the CLI command
    debug dataplane set ip4-df-ignore yes
    . Restore the firewall to the default behavior by using the CLI command
    debug dataplane set ipv4-df-ignore no
    .
    The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
    If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
    For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
    • The configured MSS adjustment size
    • The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
    This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500 - 42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
    To configure the MSS adjustment size, see Configure Session Settings.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.