CTX117322
NetScaler
NetScaler 10_1,NetScaler 10,NetScaler 9_3
Configuration
2016-04-15
2014-04-29
Objective

This article describes how to change the Maximum Segment Size (MSS) for all sourced packets from a NetScaler appliance.

Requirements

  • Command line access to the NetScaler appliance through the console or a Secure Shell (SSH) client
  • General knowledge of the NetScaler Command Line Interface (CLI) and UNIX shell navigation

Background

TCP MSS is defined in Request for Comments (RFC) 879. The MSS of a TCP transaction represents the maximum segment size that a receiving station is configured to accept. With some exceptions, the NetScaler appliance defaults to the MSS of 1,460 bytes and writes this value to all TCP packets originating from it. This 1,460 MSS value is written to the options section in a TCP packet.

The following screen shot shows a network trace capture where the MSS of a NetScaler appliance is highlighted. The MSS value is highlighted in the detail window:

[Screenshot: network trace with the NetScaler MSS value highlighted in the detail window]

In some cases it may be necessary to change the default NetScaler MSS of 1,460 bytes to a different value in order to force an intermediary network device such as a PIX firewall to allow traffic between the NetScaler and another device.

By default, a PIX firewall running version 7.x software enforces the MSS value of the receiving device (such as a server running Web Interface) upon the traffic of the sending device (such as the NetScaler).

In this scenario, users access resources on a Web Interface server through a NetScaler. In the TCP handshake between the NetScaler and Web Interface server, the initial SYN packet from the NetScaler is sent with the MSS advertised at 1,460 bytes.

[Screenshot: SYN packet from the NetScaler advertising an MSS of 1,460 bytes]

The next transaction in the TCP handshake is for the receiving device to respond with a SYN ACK packet where it declares its own MSS.

[Screenshot: SYN ACK packet in which the receiving device declares its own MSS]

When a PIX firewall running version 7.x software exists between the NetScaler and the receiving device, both of the advertised MSS values in the TCP transaction are cached on the PIX. By default, the PIX firewall drops any packets with an MSS value higher than the one advertised by the receiving device. The following screen shot illustrates what happens after the TCP handshake is completed if the end-user requests a Web resource from the Web Interface server through the NetScaler.

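[Screenshot: network trace after the TCP handshake, when the end-user requests a Web resource through the NetScaler]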

The enforcement of the receiving device's MSS value is a method of congestion avoidance and can be disabled in the PIX firewall. However, if you cannot disable MSS enforcement on the firewall, the NetScaler does allow you to change the system-wide MSS value. This article describes how to do this through the NSAPIMGR component of the NetScaler CLI and how to preserve the change when the appliance restarts.

Note: By default, changes made in the NSAPIMGR are lost after a restart.


Instructions

Complete the following procedure:

  1. Using a direct console or SSH client connection to the NetScaler, log on and navigate to the shell prompt.
  2. Run the following command to verify the current system-wide MSS value on the NetScaler:

    nsapimgr -d allsis

    The output should resemble the following text:

    ------------------begin snippet---------------
    login as: nsroot
    Using keyboard-interactive authentication.
    Password:
    Last login: Thu May 22 15:35:58 2008 from 10.54.76.33
     Done
    GA-NS4> shell
    Last login: Thu May 22 19:05:53 from 10.54.76.33
    root@ns# nsapimgr -d allsis
    Displaying all server info entries ...
    Idx  Address    Flags if st srvr clts  MSS pool idltime server-IP-port
     0 E57FF4B4 24000010 83  1    0    0 1460    0 11475280       127.0.0.2 53
     1 E57FED80 04040000 83  7    0    1 1460    0 11475280       127.0.0.18777
     2 E57FE64C 04040000  a  7    1    0 1460    1   12691       127.0.0.1 8766
     3 E57FDF18 04040000 83  7    0    0 1460    0 11475280       127.0.0.1 7776
     4 E57FD7E4 44062000  a  7    4    2 1460    0       0     10.54.80.31 0
     5 E57FD0B0 44062000 83  7    0    0 1460    0 11475280     10.54.80.31 0
     6 E57FC97C 44062000 83  7    0    0 1460    0 11475280     10.54.80.31 21
     7 E57FC248 04068000  a  7   17    0 1460    0     303       127.0.0.1 80
     8 E57FBB14 04042000 83  7    0    0 1460    0 11475280       127.0.0.1 3013
     9 E57FB3E0 74060000 83  7    0    0 1460    0 11475280     10.54.80.31 3008
    10 E57FACAC 74060000 83  7    0    0 1460    0 11475278     10.54.80.31 443
    11 E57FA578 44062000  a  7    0    0 1460    0 11471137     10.54.80.31 22
    12 E57F9E44 04040000 83  7    0    1 1460    0 11475265     10.54.80.31 3011
    13 E57F9710 24040000 83  7    0    0 1460    0 11475265     10.54.80.31 3009
    14 E57F8FDC 44062000 83  7    0    0 1460    0 11475251       241.0.0.1 22
    15 E57F88A8 44062000 83  7    0    0 1460    0 11475251       241.0.0.1 23
    16 E57F8174 44062000 83  7    0    0 1460    0 11475251       241.0.0.2 22
    17 E57F7A40 44062000 83  7    0    0 1460    0 11475251       241.0.0.2 23
    18 E57F1C9C 84040008 83  7    0    0    0    0 1254541       127.0.0.1 514
    19 E57F64A4 F6040008 83  7    0    0 1460    0 1254521     10.54.80.33 3008
    20 E57F5D70 F6040008 83  7    0    0 1460    0 1254507     10.54.80.33 443
    21 E57EDBC8 A400A008 83  1    0    0    0    0 1254490     10.54.76.38 80
    22 E57F1568 A400A008 83  1    0    0    0    0 1254490   10.217.97.251 443
    23 E57F3238 A4000018 83  1    0    0 1460    0 1254487     10.54.76.36 53
    24 E57F40A0 A6000018 83  1    0    0 1460    0 1254487    10.54.80.155 443
    25 E57F2B04 A6000208 83  7    0    0 1460    0 1254487     172.16.1.30 443
    26 E57F47D4 A6000208 83  7    0    0 1460    0 1254478     172.16.1.30 14348
    27 E57F396C A6000208 83  7    0    0 1460    0 1254478    10.54.80.160 443
    28 E57ED494 A6000208 83  7    0    0 1460    0 1254456    10.54.80.160 14348
    29 E57F563C A2000018 83  7    7    0 1460    0 1254456         0.0.0.0 0
    30 E57EE2FC A400C008 83  1    0    0    0    0 1254444     10.54.76.32 53
    31 E57F0E34 2440E000  2  7    7    0 1212    0     274    10.217.97.45 443
    32 E57EEA30 A6008008 83  1    0    0    0    0 1254401         0.0.0.0 80
    33 E57F730C 82008008 83  1    0    0    0    0 1254401         0.0.0.0 80
    34 E57ECD60 86048008 83  1    0    0    0    0 1254401     10.54.76.38 443
    35 E57EF898 86048008 83  1    0    0    0    0 1254401     10.54.76.39 80
    36 E57EC62C 86048008 83  1    0    0    0    0 1254400     10.54.76.34 443
    37 E57F4F08 86048008  2  7    0    0 1212    0      15    10.12.36.196 80
    38 E57F0700 A6008008 83  1    0    0    0    0 1254396         0.0.0.0 80
    39 E57EFFCC 82008008 83  1    0    0    0    0 1254396     10.54.76.38 80
    40 E57F23D0 82048008  2  7   18    0 1212    0     301    10.12.36.196 8080
    41 E57EF164 82048008 83  1    1    0    0    0 1254396     10.54.76.38 8080
    42 E57EBEF8 86000008  1  7    1    0 1340    0    8877     10.54.80.32 3011
    43 E57F6BD8 86000008 83  1    0    0    0    0 1188153       127.0.0.1 3021
    root@ns#
    --------------------------end snippet---------------------------------------------
  3. With a few exceptions, the advertised MSS value is 1460. In this example the MSS value is changed from 1460 to 1380. To change the value to match that of the receiving device, run the following command on the NetScaler CLI:
    nsapimgr -ys ns_max_mss=1380

    Note: If you are connected to the NetScaler through the network, you will lose connectivity at this point because all existing connections to and from the NetScaler are reset. This includes all user and application connections. You can reconnect to the NetScaler at this point.
  4. Run the nsapimgr -d allsis command again and verify that all the previous 1460 values in the MSS column have been changed to 1380.

  5. Verify that a rc.netscaler file exists in which to write the entry for the NSAPIMGR command. At the NetScaler shell prompt, navigate to /nsconfig/ and list the contents to verify that the rc.netscaler file exists. The following is the sample output:

    -------------------------begin snippet----------------------------------
    root@ns# cd nsconfig
    root@ns# ls
    ZebOS.conf              license                 ns.conf.NS6.1
    ZebOS.conf.0            localtime               ns.conf.NS7.0
    ZebOS.conf.1            monitors                ns.lic
    ZebOS.conf.2            ns.6backup.lic          ns4.conf
    ZebOS.conf.3            ns.conf                 nstrace.conf
    ZebOS.conf.4            ns.conf.0               ntp.conf
    ZebOS.conf.NS6.0        ns.conf.1               snmpd.conf
    ZebOS.conf.NS7.0        ns.conf.2               ssh
    ZebOS.conf.bak          ns.conf.3               ssl
    ZebOS.conf.mig          ns.conf.4
    htmlinjection           ns.conf.NS6.0
    root@ns#
    ------------------------end snippet---------------------------------------
  6. If the rc.netscaler file does not exist, create one in /nsconfig/ and insert the NSAPIMGR command so this file is read every time the appliance is started.

    --------begin snippet----------------------------------------------
    root@ns# vi rc.netscaler
    nsapimgr -ys ns_max_mss=1380
    ~
    ~
    ~
    ~
    ~
    ~
    rc.netscaler: unmodified: line 1
    --------end snippet-----------------------------

    Refer to the UNIX vi editor commands to make this change and save the file.
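
The verification in step 4 and the persistence in steps 5 and 6 can be scripted from the NetScaler shell. The following is an added example, not part of the original Citrix article: the function names persist_mss, count_mss_rows and sample_after_change are hypothetical, and it assumes the allsis column layout shown in step 2 (MSS in the eighth field).

```sh
#!/bin/sh
# Added example (not Citrix code). Function names are hypothetical; the
# nsapimgr commands and the rc.netscaler file are the ones used in this article.

# persist_mss FILE VALUE
# Make FILE contain exactly one "nsapimgr -ys ns_max_mss=VALUE" line, replacing
# any earlier ns_max_mss entry so a stale value is not applied at boot.
persist_mss() {
    rc_file=$1
    mss=$2
    case $mss in
        ''|*[!0-9]*) echo "invalid MSS: $mss" >&2; return 2 ;;
    esac
    [ -e "$rc_file" ] || : > "$rc_file" || return 1
    tmp="$rc_file.tmp.$$"
    # grep exits 1 when nothing is left to print; that is not an error here.
    grep -v 'ns_max_mss=' "$rc_file" > "$tmp" || true
    echo "nsapimgr -ys ns_max_mss=$mss" >> "$tmp"
    # Copy back with cat so the existing file keeps its owner and mode.
    cat "$tmp" > "$rc_file" && rm -f "$tmp"
}

# count_mss_rows VALUE
# Read "nsapimgr -d allsis" output on stdin and print how many entries show
# VALUE in the MSS column (field 8). Banner, prompt and header lines are skipped.
count_mss_rows() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9A-Fa-f]+$/ && NF >= 11 && $8 == want { n++ }
        END { print n + 0 }'
}

# Constructed sample: four rows from this article's output, with 1460 replaced
# by 1380 as expected after step 3.
sample_after_change() {
    cat <<'EOF'
root@ns# nsapimgr -d allsis
Displaying all server info entries ...
Idx  Address    Flags if st srvr clts  MSS pool idltime server-IP-port
0 E57FF4B4 24000010 83  1    0    0 1380    0 11475280       127.0.0.2 53
7 E57FC248 04068000  a  7   17    0 1380    0     303       127.0.0.1 80
18 E57F1C9C 84040008 83  7    0    0    0    0 1254541       127.0.0.1 514
31 E57F0E34 2440E000  2  7    7    0 1212    0     274    10.217.97.45 443
EOF
}

# Assumed usage on the appliance:
#   persist_mss /nsconfig/rc.netscaler 1380
#   nsapimgr -d allsis | count_mss_rows 1460    # should print 0 after step 3
```
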


Additional Resources

This article also applies to NetScaler appliances running Access Gateway Enterprise Edition.

Related Cisco PIX documentation on this topic: PIX/ASA 7.x Issue: MSS Exceeded – HTTP Clients Cannot Browse to Some Web Sites

CTX117547 – FAQ: Implementing Maximum Segment Size on a NetScaler Appliance


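Special note

The source of this article belongs to Citrix.com; copyright of the translation belongs to the translator. Please credit the source when reposting.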
