Created on 08-21-2022 10:35 AM. Edited on 04-24-2023 02:30 AM. By Jean-Philippe_P.
Description |
This article describes the behavior of setting TCP-MSS under the config system interface.
Network diagram:
- MTU: stands for ‘Maximum Transmission Unit’ and is the maximum size of an IP packet that can be handled by the layer-3 device.
- TCP-MSS: stands for ‘Maximum Segment Size’ and is the maximum size of the TCP payload carried inside a single IP packet.
If the communication network has a lower MTU value, but the client endpoint is not aware of it, it will send its MSS value of 1460 bytes to the server.
The server will therefore think that the client can receive 1500 bytes (1460 MSS + 20 IP header + 20 TCP header = 1500 bytes) and will send a packet with a size of 1500 bytes. If the MTU is lower somewhere in the path, then the packet can be fragmented. If the DF (do not fragment) bit is set, then the packet can be dropped, which can cause delays or slowness in the network. |
Scope | FortiGate. |
Solution |
Behavior in FortiOS 6.0.x, 6.2.x, 6.4.x and 7.0.0:
The change of TCP-MSS is done only in one direction (only for return traffic).
Example 1:
# config system interface end
The result will be:
- Client -> Server, MSS is unchanged (typically 1460).
- Server -> Client, MSS=1300.
Example 2:
# config system interface
The result will be:
- Client -> Server, MSS=1200.
- Server -> Client, MSS is unchanged (typically 1460).
Example 3:
# config system interface
The result will be:
- Client -> Server, MSS=1200.
- Server -> Client, MSS=1300.
Behavior in FortiOS from 7.0.1 and 7.2.x:
The change of TCP-MSS value is done in both directions.
Example 1:
# config system interface end
The result will be:
- Client -> Server, MSS=1300.
- Server -> Client, MSS=1300.
Example 2:
# config system interface
The result will be:
- Client -> Server, MSS=1200.
- Server -> Client, MSS=1200.
Example 3:
# config system interface
The result will be:
- Client -> Server, MSS=1200.
- Server -> Client, MSS=1200.
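What "changing the MSS" means at the packet level, as an added example that is not part of the original article and is not FortiOS code: a generic MSS clamp that lowers the MSS option in a SYN or SYN-ACK TCP header and patches the TCP checksum incrementally. The function names and the sample SYN are constructed for illustration, and the sample checksum leaves out the pseudo-header.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(tcp: bytes, limit: int) -> bytes:
    """Lower the MSS option of a SYN or SYN-ACK header to `limit` if larger."""
    if len(tcp) < 20 or not tcp[13] & 0x02:   # MSS is only carried when SYN is set
        return tcp
    hdr, end = bytearray(tcp), min((tcp[12] >> 4) * 4, len(tcp))
    i = 20                                    # options follow the 20-byte fixed header
    while i < end:
        kind = hdr[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP is a single byte, no length field
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            break                             # malformed option: leave header untouched
        if kind == 2 and hdr[i + 1] == 4:     # MSS option: kind 2, length 4
            old = struct.unpack_from("!H", hdr, i + 2)[0]
            if old > limit:
                struct.pack_into("!H", hdr, i + 2, limit)
                m, m2 = old, limit
                if (i + 2) % 2:               # value straddles two checksum words
                    m = (m << 8 | m >> 8) & 0xFFFF
                    m2 = (m2 << 8 | m2 >> 8) & 0xFFFF
                # Incremental checksum update, RFC 1624: HC' = ~(~HC + ~m + m')
                hc = struct.unpack_from("!H", hdr, 16)[0]
                s = (~hc & 0xFFFF) + (~m & 0xFFFF) + m2
                while s >> 16:
                    s = (s & 0xFFFF) + (s >> 16)
                struct.pack_into("!H", hdr, 16, ~s & 0xFFFF)
            break
        i += hdr[i + 1]
    return bytes(hdr)

def sample_syn() -> bytes:
    """Constructed SYN, port 50000 -> 443, MSS 1460 (pseudo-header left out)."""
    h = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 6 << 4, 0x02, 64240, 0, 0)
    h += bytes([2, 4]) + struct.pack("!H", 1460)
    return h[:16] + struct.pack("!H", inet_checksum(h)) + h[18:]
```

A clamp only ever lowers the advertised value: a SYN that already advertises an MSS at or below the limit passes through unchanged, as does any segment without the SYN flag.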