-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2008-02-28 at 08:35 +0100, Camaleón wrote:
> > Dropping TCP packet from metrointer:192.168.16.1/10970 to Outside:200.6.55.16/25, reason: MSS exceeded, MSS 536, data 1072
>
> From this message it gives you, I take it that the ASA has received a packet larger than the size it has defined and is rejecting it (dropping).
>
> But don't pay too much attention to me, because I don't know how Ciscos work and I could be overlooking something else, such as, for instance, the meaning of MSS O:-)
>
> Anyway, see whether the little ASA box lets you configure some rule or policy (or whatever it's called :-P) to accept these packets; maybe it's a configurable parameter and you can raise it...
>
> Ah... blessed Google. Look, searching for MSS I found a Cisco FAQ which, although it applies to web browsing and to a different ASA version, might be useful to you:
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note0918...
¡Caraio!

This document addresses the problem when some websites are not accessible through a PIX or Adaptive Security Appliance (ASA) that runs 7.0 or later code. The 7.0 release introduces several new security enhancements, one of which is a check for TCP endpoints which adhere to the advertised Maximum Segment Size (MSS). In a normal TCP session, the client sends a SYN packet to the server, with the MSS included within the TCP options of the SYN packet. The server, upon receipt of the SYN packet, should recognize the MSS value sent by the client and then send its own MSS value in the SYN-ACK packet. Once both the client and the server are aware of each other's MSS, neither peer should send a packet to the other that is greater than that peer's MSS. A discovery has been made that there are a few HTTP servers on the Internet that do not honor the MSS that the client advertises. Subsequently, the HTTP server sends data packets to the client that are larger than the advertised MSS. Before release 7.0, these packets were allowed through the PIX Security Appliance. With the security enhancement included in the 7.0 software release, these packets are dropped by default. This document is designed to assist the PIX/ASA Security Appliance administrator in the diagnosis of this problem and the implementation of a workaround to allow the packets that exceed the MSS.

What advantage is there in being so strict? Why would they put that filter in?

- --
Regards
Carlos E.R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFHxpYGtTMYHG2NR9URAkidAKCWpb8Ie1/P944h3FafxLhlCaCHSQCeJci8
wXatMmQ7fvr1U3XGxVtGz6o=
=WLXG
-----END PGP SIGNATURE-----
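The check the Cisco note describes, as an added example that is not part of this thread or of Cisco's document: a small simulation of the 7.0 MSS-exceeded inspection (each endpoint's SYN or SYN-ACK advertises the largest segment it will accept, and a later data segment larger than the receiver's advertised MSS is dropped), together with a parser for the "Dropping TCP packet ... reason: MSS exceeded" syslog text quoted above. The segment model, the sample flow, the 536-byte fallback and the `exceed_mss_allow` flag (which models a permissive policy such as the ASA `tcp-map` option `exceed-mss allow`, named here from general knowledge, not from the thread) are all my assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Segment:
    src: str                  # sender as "ip/port"
    dst: str                  # receiver as "ip/port"
    flags: frozenset          # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    mss: Optional[int] = None  # TCP MSS option; only meaningful on SYN / SYN-ACK
    data_len: int = 0         # TCP payload bytes

@dataclass
class ConnState:
    # Largest segment each endpoint said it will accept, learned from its SYN / SYN-ACK
    advertised_mss: dict = field(default_factory=dict)

class MssInspector:
    """Stateful check modelled on the 7.0 behaviour in the Cisco note (constructed)."""
    DEFAULT_MSS = 536  # assumption: RFC 1122 default when a SYN carries no MSS option

    def __init__(self, exceed_mss_allow: bool = False):
        # exceed_mss_allow=True models the permissive workaround; False is the
        # 7.0 default of dropping oversized segments.
        self.exceed_mss_allow = exceed_mss_allow
        self.conns = {}
        self.events = []  # log lines in the same shape as the ASA message

    @staticmethod
    def _key(seg: Segment) -> frozenset:
        return frozenset((seg.src, seg.dst))

    def process(self, seg: Segment) -> str:
        """Return 'pass' or 'drop' for one segment, updating connection state."""
        conn = self.conns.setdefault(self._key(seg), ConnState())
        if "SYN" in seg.flags:
            # The sender of a SYN / SYN-ACK is announcing how big segments *it* accepts
            conn.advertised_mss[seg.src] = seg.mss if seg.mss is not None else self.DEFAULT_MSS
            return "pass"
        limit = conn.advertised_mss.get(seg.dst)
        if limit is not None and seg.data_len > limit:
            self.events.append(
                f"Dropping TCP packet from {seg.src} to {seg.dst}, "
                f"reason: MSS exceeded, MSS {limit}, data {seg.data_len}")
            return "pass" if self.exceed_mss_allow else "drop"
        return "pass"

# Parser for the syslog text; the "iface:" prefix is optional so it accepts both the
# line quoted in the thread and the lines this simulation emits.
LOG_RE = re.compile(
    r"Dropping TCP packet from (?:(?P<src_if>[^:\s]+):)?(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) "
    r"to (?:(?P<dst_if>[^:\s]+):)?(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)

def parse_mss_drop(line: str) -> Optional[dict]:
    """Extract endpoints, the violated MSS and the payload size; None if not a match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "mss", "data"):
        d[k] = int(d[k])
    d["excess"] = d["data"] - d["mss"]  # how far over the advertised limit
    return d

def demo():
    """Constructed flow: client advertises 1460, server answers with 536, then both
    sides send data. Returns (verdict per segment, emitted log lines)."""
    c, s = "192.168.16.1/10970", "200.6.55.16/25"
    flow = [
        Segment(c, s, frozenset({"SYN"}), mss=1460),
        Segment(s, c, frozenset({"SYN", "ACK"}), mss=536),
        Segment(c, s, frozenset({"ACK"}), data_len=536),   # exactly the server's limit: ok
        Segment(c, s, frozenset({"ACK"}), data_len=1072),  # twice the server's MSS: dropped
        Segment(s, c, frozenset({"ACK"}), data_len=1460),  # exactly the client's limit: ok
        Segment(s, c, frozenset({"ACK"}), data_len=1461),  # one byte over: dropped
    ]
    insp = MssInspector()
    verdicts = [insp.process(seg) for seg in flow]
    return verdicts, insp.events

if __name__ == "__main__":
    verdicts, events = demo()
    print(verdicts)
    for line in events:
        print(line, "->", parse_mss_drop(line))
```

The state is keyed on the unordered endpoint pair, so the limit applied to a data segment is always the one the *receiver* advertised, which is the asymmetry the note describes: the server's SYN-ACK value of 536 bounds what the client may send, and the client's 1460 bounds what the server may send.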