Technical Note: How to avoid MSS mismatch

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Description

In order to solve MSS (Maximum Segment Size) mismatch, the size of the MSS can be changed on the policies of the FortiGate.

Solution

Based on the previous diagram:

1. If the issue occurs when a user on internal tries to visit a site on “web server”

2. On policy from “internal” to “internet”

configure firewall policy
edit x
set tcp-mss-sender 1300
end

3. Clear all sessions with these IP addresses.

1548

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Terms of Service
Privacy Policy
GDPR

Fortinet Community

Technical Note: How to avoid MSS mismatch