TCP MSS clamping enables you to reduce the maximum segment size (MSS) value used by a TCP session during a connection establishment through a VPN tunnel.
TCP MSS is the maximum amount of data in bytes that a host is willing to accept in a single TCP segment. Each end of a TCP connection sends its desired MSS value to its peer-end during the three-way handshake, where MSS is one of the TCP header options used in a TCP SYN packet. The sender host calculates the TCP MSS based on the maximum transmission unit (MTU) of its egress interface.
When a TCP traffic goes through any kind of VPN tunnel, additional headers are added to the original packet to keep it secure. For IPSec tunnel mode, additional headers used are IP, ESP, and optionally UDP (if a port translation is present in the network). Because of these additional headers, the size of the encapsulated packet goes beyond the MTU of the VPN interface. The packet can get fragmented or dropped based on the DF policy.
To avoid packet fragmentation or drop in an IPSec VPN session, you can adjust the MSS value for the IPSec session by enabling the TCP MSS clamping feature. Navigate to Advanced Properties section, and enable TCP MSS Clamping. By default, the TCP MSS Clamping feature is disabled for an IPSec session.. When you are adding an IPSec session or editing an existing one, expand the
When the TCP MSS Clamping feature is enabled for an IPSec session, you can configure the pre-calculated MSS value suitable for the IPSec session by setting both TCP MSS Direction and TCP MSS Value. The configured MSS value is used for MSS clamping. You can opt to use the dynamic MSS calculation by setting the TCP MSS Direction and leaving TCP MSS Value blank. The MSS value is auto-calculated based on the VPN interface MTU, VPN overhead, and the path MTU (PMTU) when it is already determined. The effective MSS is recalculated during each TCP handshake to handle the MTU or PMTU changes dynamically. See Add a Policy-Based IPSec Session or Add a Route-Based IPSec Session for more information.
Similarly, for L2 VPN, TCP MSS Clamping configuration is given only in the L2 VPN server session. You can navigate to Advanced Properties section. TCP MSS Clamping is enabled by default for both the directions with auto-calculation mode, but you can configure a desired TCP MSS value that is suitable for the topology or disable it. See Add an L2 VPN Server Session for more information.. Select and expand the