princes (Staff)
July 24, 2025

Technical Tip: Identifying MSS issues while accessing a website with IPS debug

Description

This article describes how to identify an MSS (Maximum Segment Size) issue while accessing a problematic website.

Scope

FortiGate.

Solution

For a non-working website, first check the forward traffic logs and the web filter logs.

If the traffic is not being blocked by the firewall web filter, a quick way to identify an MSS (Maximum Segment Size) issue is to run an IPS debug.

Run the IPS debug with the correct filters; otherwise it can increase CPU utilization.

The following filters can be used to identify MSS issues:

diagnose ips filter set 'src IP-ADDR'
diagnose ips debug enable tcp
diagnose debug enable

Here is an example with the source filter set to 10.162.13.127:

diagnose ips filter set 'src 10.162.13.127'
diagnose ips debug enable tcp
diagnose debug enable

krypton-kvm19 # [2189@-1]ips_create_tcp_session: SYN packet from client
[2189@25425]ips_asm_set_seq: set asm seq: 6838918d
[2189@25425]ips_transit_tcp_state: (C:SYN_SENT S:LISTEN) -- SYN ->
[2189@25425]ips_handle_tcp_action: (C:SYN_SENT S:SYN_RCVD) act=FIRST_CLIENT_PKT
[2189@25425]ips_tcp_layer_init: ips_tcp_layer_init, tcpl 0x7f83c89f3900
[2189@25425]ips_tcp_on_pkt_syn: init seq to: 6838918d, wss: 8, mss: 1460
[2189@25425]ips_asm_set_seq: set asm seq: 6838918d
[2189@25425]ips_tcp_send_packets: client pkt list 0
[2189@25425]ips_tcp_send_packets: sent pkts queue is empty
[2189@25425]ips_transit_tcp_state: (C:ESTABLISHED S:SYN_RCVD) -- ACK ->
[2189@25425]ips_handle_tcp_action: (C:ESTABLISHED S:ESTABLISHED) act=COMPLETE_TWH
[2189@25425]ips_asm_set_seq: set asm seq: 626678d3
[2189@25425]ips_tcp_on_pkt_syn: TCP window scaling: this stream 8, that stream 13
[2189@25425]ips_tcp_on_pkt_syn: client allows SACK
[2189@25425]ips_tcp_on_pkt_syn: server allows SACK
[2189@25425]ips_tcp_on_pkt_syn: negotiated MSS: 1400, this mss 1460, that mss 1400

Stop the debug process with the following commands:

diagnose ips debug disable all
diagnose debug disable
diagnose debug reset

In the debug above, the remote end supports a maximum segment size of 1400 ("that mss 1400"), while the local side advertises 1460. If this value is too low for the path, consider reducing the MSS value at the firewall policy level.

Note: Repeated Client-RST entries in the forward logs can also indicate an MSS (Maximum Segment Size) issue with the website.

Always cross-verify with a Wireshark packet capture, checking the MSS option in the SYN and SYN+ACK packets.

To change the TCP MSS value in a firewall policy, use the following commands:

config firewall policy
    edit <policy id>
        set tcp-mss-sender <mss value>
        set tcp-mss-receiver <mss value>
    next
end
TCP MSS is not negotiated between client and server: each side advertises its own value, so the two directions may use different values. This happens because the traffic between client and server may be asymmetric, allowing a larger MSS along a given path. Calculating a suitable MSS relies on PMTUD (Path MTU Discovery), which depends on ICMP messages. If ICMP messages are blocked along the path, PMTUD will not work properly, and it may be necessary to define the MSS values manually as shown above.
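As an added example, not part of the original article, the following Python script parses the "negotiated MSS" lines from "diagnose ips debug enable tcp" output, flags sessions whose negotiated MSS falls below a threshold of the operator's choosing, checks that the reported negotiated value is the smaller of the two advertised values, and renders the policy CLI shown above for a chosen replacement value. The sample debug text is constructed, and reading the number after "@" in the bracketed prefix as a session identifier is an assumption.

```python
import re

# Constructed sample modelled on the "diagnose ips debug enable tcp" output
# shown above; the second session is made up to show a lower remote MSS.
SAMPLE_DEBUG = """\
[2189@25425]ips_tcp_on_pkt_syn: init seq to: 6838918d, wss: 8, mss: 1460
[2189@25425]ips_tcp_on_pkt_syn: server allows SACK
[2189@25425]ips_tcp_on_pkt_syn: negotiated MSS: 1400, this mss 1460, that mss 1400
[2189@25431]ips_tcp_on_pkt_syn: init seq to: 1a2b3c4d, wss: 7, mss: 1460
[2189@25431]ips_tcp_on_pkt_syn: negotiated MSS: 1300, this mss 1460, that mss 1300
"""

# Assumption: the number after '@' in the bracketed prefix identifies the session.
MSS_LINE = re.compile(
    r"\[\d+@(?P<sess>\d+)\]ips_tcp_on_pkt_syn: negotiated MSS: (?P<neg>\d+), "
    r"this mss (?P<this>\d+), that mss (?P<that>\d+)"
)

def parse_mss(debug_text):
    """Map session id -> (negotiated, this_mss, that_mss) from IPS debug lines."""
    sessions = {}
    for line in debug_text.splitlines():
        m = MSS_LINE.search(line)
        if m:
            sessions[m.group("sess")] = (
                int(m.group("neg")), int(m.group("this")), int(m.group("that")))
    return sessions

def flag_low_mss(sessions, threshold):
    """Session ids whose negotiated MSS is below the value the operator
    considers acceptable for the path (the threshold is a local judgement)."""
    return sorted(s for s, (neg, _, _) in sessions.items() if neg < threshold)

def inconsistent_sessions(sessions):
    """Session ids where the reported negotiated MSS is not the smaller of the
    two advertised values; worth a second look in a packet capture."""
    return sorted(s for s, (neg, a, b) in sessions.items() if neg != min(a, b))

def policy_cli(policy_id, mss):
    """Render the firewall policy CLI from the article for a chosen MSS value."""
    return (f"config firewall policy\n    edit {policy_id}\n"
            f"        set tcp-mss-sender {mss}\n        set tcp-mss-receiver {mss}\n"
            "    next\nend")

if __name__ == "__main__":
    found = parse_mss(SAMPLE_DEBUG)
    for sess in flag_low_mss(found, 1400):
        print(f"session {sess}: negotiated MSS {found[sess][0]} is below 1400")
    print("sessions to re-check in a capture:", inconsistent_sessions(found))
```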


Related article:

Technical Tip: Setting TCP MSS value