Hi,
On Sun, Jan 23, 2022 at 06:58:29PM +0100, james list wrote:
> > It's "the Internet". Pointing at clients as being "non compliant" is
> > not going to fix your server's operation - otherwise, all this fiddling
> > with TCP/MSS would not even be necessary in the first place.
>
> > (Another opt
Hi,
On Sun, Jan 23, 2022 at 06:31:40PM +0100, james list wrote:
> thanks for the feedback.
>
> Firewall vendor reports this:
>
> "When SYN Cookies
> is activated, the firewall does not honor the TCP options that the server
> sends because it does not know these values at the time that it pro
Hi
> It's "the Internet". Pointing at clients as being "non compliant" is
> not going to fix your server's operation - otherwise, all this fiddling
> with TCP/MSS would not even be necessary in the first place.
> (Another option would be, of course, to fix your network :-) - so 1500
> byte packe
Hi Gert
thanks for the feedback.
Firewall vendor reports this:
"When SYN Cookies
is activated, the firewall does not honor the TCP options that the server
sends because it does not know these values at the time that it proxies the
SYN/ACK. Therefore, values such as the TCP server’s window size
Hi,
On Sun, Jan 23, 2022 at 05:10:42PM +0100, james list wrote:
> I suspect the current Cisco implementation does not change MSS because the
> syn-ack does not contain the MSS option.
If there is no MSS option, nothing can be adjusted - one would need extra
code to *add* such an option, which is
Dear experts,
I have tcp adjust-mss configured on an internet link with an ISP like the
following:
interface GigabitEthernet0/0/0
 description internet WAN link
 ip address x.x.x.x 255.255.255.252
 ip tcp adjust-mss 1436
During DDoS attacks our firewall starts SYN challenge (acting as a proxy)
and