By default the Cisco ASA uses a TCP MSS of 1380 bytes. It won't be able to process larger packets coming over a VPN tunnel. Microsoft RDP is the most common example, although the problem can also be observed with protocols like FTP.
The quick fix is to make this change on the ASA:
sysopt connection tcp-mss 1300
This will cause the packets to be fragmented, and pass successfully over the VPN and through the ASA.
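As an added example (not from the original post or from Cisco), this Python code works through the size arithmetic behind the MSS setting for one full TCP segment inside an IPsec ESP tunnel. The cipher (AES-CBC with HMAC-SHA1-96), the NAT-T option and the path MTU values are assumptions chosen for illustration.

```python
# Added example: ESP tunnel-mode size arithmetic. The cipher parameters and
# path MTU values are assumptions for illustration, not values from the page.
IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes
NAT_T_UDP = 8    # UDP encapsulation header used for NAT traversal


def esp_packet_size(mss, iv=16, block=16, icv=12, nat_t=False):
    """Outer IPv4 packet size for one full TCP segment in ESP tunnel mode.

    Defaults model AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
    """
    inner = IP_HDR + TCP_HDR + mss              # original, unencrypted packet
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block     # round up to the cipher block
    outer = IP_HDR + ESP_HDR + iv + padded + icv
    return outer + (NAT_T_UDP if nat_t else 0)


def max_mss(path_mtu, **esp):
    """Largest MSS whose encrypted packet still fits within path_mtu."""
    for mss in range(path_mtu - IP_HDR - TCP_HDR, 0, -1):
        if esp_packet_size(mss, **esp) <= path_mtu:
            return mss
    return 0


def report(path_mtus=(1500, 1400), candidates=(1460, 1380, 1300)):
    """Rows of (path MTU, MSS, ESP packet size, fits?) for each combination."""
    rows = []
    for mtu in path_mtus:
        for mss in candidates:
            size = esp_packet_size(mss)
            rows.append((mtu, mss, size, size <= mtu))
    return rows


if __name__ == "__main__":
    for mtu, mss, size, fits in report():
        print(f"path MTU {mtu}: MSS {mss} -> {size}-byte ESP packet, "
              f"{'fits' if fits else 'too large'}")
    print("largest MSS for a 1400-byte path:", max_mss(1400))
```

Under these assumptions the default of 1380 fits a 1500-byte path even with NAT-T, while a path limited to 1400 bytes needs a value near 1300.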
Sources:
- Unable to pass large packets through the site-to-site VPN tunnel, IPSec, with the routers and the PIX 500 Series Firewall
- MTU vs tcp adjust-mss