Jim_Moore
Jan 05, 2012 Nimbostratus
Proxy MSS
We need to enable Proxy MSS on our LTMs due to branch router encryption. When this is enabled, my understanding is that the client MSS will be passed through so the server sends using the client MSS si...
I know this is an old post, but this might be really important to someone seeing SSL flows breaking on the first large inbound packet and not seeing it show up outbound.
Say you have a TCP peer on one side of the LTM proxy negotiating MSS to 1200 bytes and, on the other side, a TCP peer negotiating to 1500 bytes. I believe that without proxy MSS, the MSS negotiated on one side (important when it is the lower MSS) is not considered when negotiating the MSS value on the other side of the proxy. This is a problem if the sender is on the large MSS side of the proxy, the DF bit is set (like we see with HTTPS), and it is sending to the smaller MSS side of the proxy.
What you should see is an ICMP warning message being sent in the direction of the sender (larger MSS side). The router/firewall may block the feedback and you end up with dropped packets due to packets exceeding the MSS on the smaller MSS side.
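A toy model of the mechanism this reply describes, added here as an illustration; it is not code from the original thread or from F5. Two peers sit on either side of a full proxy and each announces its own MSS. Without proxy MSS the server side is set up from the proxy's default, so the server fills 1460-byte segments that do not fit the client's 1240-byte path; with DF set the result is either an ICMP "fragmentation needed" back to the sender or, if a firewall drops that ICMP, a silent black hole. With proxy MSS the client-side value is carried across to the server-side handshake and the oversize segment is never produced. The numbers are assumptions chosen for the example (client MSS 1200 on a 1240-byte path, server MSS 1460 instead of the reply's round 1500, proxy default MSS 1460), and `Peer`, `simulate`, `deliver` and the outcome labels are names invented for it. It deliberately simplifies the proxy to the negotiation the reply describes and does not model BIG-IP's actual data path.

```python
"""Toy model of MSS negotiation across a full TCP proxy, with and without
"proxy MSS". Added illustration, not F5 BIG-IP code. All constants, class
and function names below are assumptions chosen for the example."""
from dataclasses import dataclass

IP_TCP_HEADERS = 40        # IPv4 (20) + TCP (20) without options
PROXY_DEFAULT_MSS = 1460   # assumption: MSS the proxy announces by default


@dataclass(frozen=True)
class Peer:
    name: str
    mss: int        # MSS this peer announces in its own SYN / SYN-ACK
    path_mtu: int   # largest IP packet the path toward this peer carries


def proxy_announced_mss(other_side_mss: int, proxy_mss: bool) -> int:
    """MSS the proxy announces in its SYN toward the second peer it connects to.

    Without proxy MSS the side is set up independently from the proxy's
    default. With proxy MSS the value already in force on the other side is
    carried over, so the far peer is never invited to send more than the
    near side's path can carry.
    """
    if proxy_mss:
        return min(PROXY_DEFAULT_MSS, other_side_mss)
    return PROXY_DEFAULT_MSS


def deliver(payload_len: int, toward: Peer, df: bool, icmp_passes: bool) -> str:
    """Outcome of pushing one TCP segment onto the path toward `toward`."""
    packet_len = payload_len + IP_TCP_HEADERS
    if packet_len <= toward.path_mtu:
        return "delivered"
    if not df:
        return "fragmented"          # a router splits the packet; slow but it arrives
    if icmp_passes:
        return "icmp_frag_needed"    # sender gets ICMP feedback and can shrink (PMTUD)
    return "blackholed"              # ICMP filtered: silent loss, the hang the reply describes


def simulate(client: Peer, server: Peer, proxy_mss: bool,
             df: bool = True, icmp_passes: bool = True) -> dict:
    """Client connects through the proxy, then the server sends one full-size segment.

    The client side is set up first: the client's announced MSS bounds what may be
    sent toward it. The server side is opened next; what the proxy announces there
    bounds the size of the segments the server will send back.
    """
    client_side_mss = client.mss
    announced_to_server = proxy_announced_mss(client_side_mss, proxy_mss)
    # The server fills segments up to what it was offered (and its own link allows).
    server_segment = min(server.mss, announced_to_server)
    outcome = deliver(server_segment, client, df, icmp_passes)
    return {
        "client_side_mss": client_side_mss,
        "announced_to_server": announced_to_server,
        "server_segment": server_segment,
        "outcome": outcome,
    }


if __name__ == "__main__":
    # Constructed peers: a branch client behind an encrypting router with a
    # reduced path MTU, and a data-centre server on a plain 1500-byte link.
    client = Peer("client", mss=1200, path_mtu=1240)
    server = Peer("server", mss=1460, path_mtu=1500)
    for proxy_mss in (False, True):
        for icmp_passes in (True, False):
            result = simulate(client, server, proxy_mss, icmp_passes=icmp_passes)
            print(f"proxy_mss={proxy_mss!s:5} icmp_passes={icmp_passes!s:5} -> {result}")
```

Running it side by side shows why the symptom is asymmetric: the large segment is seen arriving from the server side but never appears on the client side, and only the ICMP message (if it gets through) hints at why. Turning proxy MSS on removes the dependency on ICMP altogether, which is the safer choice when the branch firewall's ICMP policy is not under your control.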