About the TCP MSS

The TCP maximum segment size (MSS) is the size of the TCP payload before any TCP and IP headers are added. UDP packets are not affected. The client and the server exchange TCP MSS values during the three-way handshake when establishing the connection.

You can set the TCP MSS on the threat defense device for through traffic using the Sysopt_Basic object in FlexConfig (see g_flexconfig-policies.html#ID-2107-00000004). By default, the maximum TCP MSS is set to 1380 bytes. This setting is useful when the threat defense device needs to add to the size of the packet for IPsec VPN encapsulation. For non-IPsec endpoints, however, you should disable the maximum TCP MSS on the threat defense device.

If you set a maximum TCP MSS and either endpoint of a connection requests a TCP MSS larger than the value set on the threat defense device, the threat defense device overwrites the TCP MSS in the request packet with its configured maximum. If the host or server does not request a TCP MSS, the threat defense device assumes the RFC 793 default value of 536 bytes (IPv4) or 1220 bytes (IPv6), but does not modify the packet. For example, suppose you leave the default MTU at 1500 bytes. A host requests an MSS of 1500 minus the TCP and IP header length (40 bytes), which gives an MSS of 1460. If the threat defense device maximum TCP MSS is 1380 (the default), the threat defense device changes the MSS value in the TCP request packet to 1380. The server then sends packets with 1380-byte payloads. The threat defense device can then add up to 120 bytes of headers to the packet and still fit within the MTU of 1500.

You can also configure the minimum TCP MSS; if a host or server requests a very small TCP MSS, the threat defense device can adjust the value up. By default, the minimum TCP MSS is not enabled.

For to-the-box traffic, including SSL VPN connections, this setting does not apply. Instead, the threat defense device derives the TCP MSS from the MTU: MTU - 40 (IPv4) or MTU - 60 (IPv6).
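The following added example (not Cisco code, and not taken from this page) models the MSS rules described above in Python: it walks the TCP options of a SYN, rewrites the MSS option only when the request exceeds the configured maximum (or falls below an enabled minimum), assumes the RFC 793 default without touching the packet when no MSS option is present, and derives the to-the-box MSS from the MTU. The SYN option bytes, the 1380-byte default and the `clamp_mss` / `mss_from_mtu` names are constructed for illustration.

```python
import struct
from typing import Optional, Tuple
# Values from the text: RFC 793 defaults assumed when a SYN carries no MSS option,
# and the TCP+IP header overhead subtracted from the MTU for to-the-box traffic.
RFC793_DEFAULT_MSS = {4: 536, 6: 1220}
HEADER_OVERHEAD = {4: 40, 6: 60}
MSS_KIND, MSS_LEN = 2, 4  # TCP option kind 2, fixed length 4

def mss_option_offset(options: bytes) -> Optional[int]:
    """Walk a SYN's TCP options; return the offset of the MSS option, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            return None
        if kind == 1:          # No-Operation padding, one byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        if kind == MSS_KIND and length == MSS_LEN:
            return i
        i += length
    return None

def clamp_mss(options: bytes, ip_version: int, max_mss: Optional[int] = 1380,
              min_mss: Optional[int] = None) -> Tuple[bytes, int, bool]:
    """Apply the maximum/minimum TCP MSS rules to a SYN's options.
    Returns (options after rewrite, effective MSS, whether the packet changed).
    max_mss=None models disabling the maximum for non-IPsec endpoints."""
    off = mss_option_offset(options)
    if off is None:
        # No MSS requested: assume the RFC 793 default, leave the packet untouched
        return options, RFC793_DEFAULT_MSS[ip_version], False
    requested = struct.unpack("!H", options[off + 2:off + 4])[0]
    effective = min(requested, max_mss) if max_mss is not None else requested
    if min_mss is not None and effective < min_mss:
        effective = min_mss  # adjust a very small request up
    if effective == requested:
        return options, requested, False
    rewritten = options[:off + 2] + struct.pack("!H", effective) + options[off + 4:]
    return rewritten, effective, True

def mss_from_mtu(mtu: int, ip_version: int) -> int:
    """To-the-box traffic: MSS is derived from the MTU minus TCP and IP headers."""
    return mtu - HEADER_OVERHEAD[ip_version]

SAMPLE_SYN_OPTIONS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07"  # constructed: MSS 1460, SACK-ok, timestamps, NOP, wscale 7
```

With the constructed sample, `clamp_mss(SAMPLE_SYN_OPTIONS, 4)` rewrites the 1460 to 1380 and leaves the other options intact, while passing `max_mss=None` returns the SYN unchanged.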