Fixing broken Microsoft RDP connections through a Cisco ASA terminating a site-to-site VPN

By default the Cisco ASA has a TCP MSS size of 1380.  The ASA won’t be able to process larger packets coming over a VPN tunnel.  Microsoft RDP is the most common example, although the same problem can also be observed with protocols like FTP.

The quick fix is to make this change on the ASA:

sysopt connection tcp-mss 1300

This will cause the packets to be fragmented, and pass successfully over the VPN and through the ASA.
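
The following is an added example, not part of the original post: it works out how large the encrypted packet becomes for a given TCP MSS, so the 1380 and 1300 values can be compared against a path MTU. The cipher parameters (IPv4, ESP tunnel mode, AES-CBC with HMAC-SHA1-96) and the path MTU values of 1500 and 1400 are assumptions; the post does not state either.

```python
# Added example: on-the-wire size of an ESP tunnel-mode packet for a given TCP MSS.
# Assumptions (not from the page): IPv4, AES-CBC (16-byte IV and block),
# HMAC-SHA1-96 (12-byte ICV), optional NAT-T (8-byte UDP header).

OUTER_IP = 20       # outer IPv4 header
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad-length + next-header bytes
INNER_HEADERS = 40  # inner IPv4 (20) + TCP (20), no IP options


def esp_packet_size(mss, nat_t=False, block=16, iv=16, icv=12):
    """Size in bytes of the encrypted packet carrying one full-size TCP segment."""
    plaintext = mss + INNER_HEADERS + ESP_TRAILER
    padded = -(-plaintext // block) * block  # round up to the cipher block size
    udp = 8 if nat_t else 0
    return OUTER_IP + udp + ESP_HEADER + iv + padded + icv


def largest_mss(path_mtu, nat_t=False):
    """Largest MSS whose encrypted packet still fits in path_mtu, or None."""
    for mss in range(path_mtu - INNER_HEADERS, 0, -1):
        if esp_packet_size(mss, nat_t) <= path_mtu:
            return mss
    return None


def report(path_mtus=(1500, 1400), mss_values=(1380, 1300)):
    """Return (path_mtu, mss, packet_size, fits) rows; path MTUs are constructed."""
    rows = []
    for mtu in path_mtus:
        for mss in mss_values:
            size = esp_packet_size(mss)
            rows.append((mtu, mss, size, size <= mtu))
    return rows


if __name__ == "__main__":
    for mtu, mss, size, fits in report():
        verdict = "fits" if fits else "exceeds path MTU"
        print(f"path MTU {mtu}: MSS {mss} -> {size}-byte ESP packet, {verdict}")
    for mtu in (1500, 1400):
        print(f"path MTU {mtu}: largest usable MSS is {largest_mss(mtu)}")
```

Under these assumptions an MSS of 1380 only fits when the path between the VPN peers carries full 1500-byte packets, while 1300 still fits a path reduced to 1400 bytes.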




