Symptom
TCP three-way handshakes between hosts fail or are delayed due to retransmissions.
Packet captures show no missing packets; rather, one or the other of the hosts involved does not reply to the SYN or SYN/ACK packet, and retransmission of the SYN packet is seen.
Conditions
Required: "ip tcp adjust-mss" configured on an interface in the packet's clear-text path on a router affected by this bug.
E.g. on a tunnel interface which passes the TCP traffic. The TCP packets at this point should have multiple additional headers, e.g. TCP over GRE over IPsec over VLAN.
Configuration example:
- GRE over IPsec (GRE encapsulated within IPsec) using an IPsec crypto map.
- Tunnel mode is used.
- GRE key is used.
- VLAN configured on the same interface as the IPsec crypto map.
AND
- "ip tcp adjust-mss 1360" is configured on the tunnel interface.
The problem might be seen with other configurations with multiple layers of encapsulation of TCP packets.
Workaround
- Remove "ip tcp adjust-mss" from the tunnel interface. Configure "ip tcp adjust-mss" on another interface of the same or another device in the packet's flow as needed.
- Decrease the total length of the headers of the packet containing the TCP packet.
E.g.:
- Remove VLAN on interface if possible.
- Use tunnel protection with transport mode instead of GRE and crypto map.
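The workarounds above as an IOS configuration sketch. This is an added example, not configuration taken from the bug report. The interface names, the GRE key value, the crypto map name CMAP-EXAMPLE, the transform set and profile names, the ESP algorithms, and keeping the value 1360 on the LAN-facing interface are all assumptions.

```cisco
! Affected setup (as described under Conditions): MSS clamping on the
! GRE tunnel interface, crypto map and VLAN on the same subinterface.
! All names and numbers below are hypothetical.
interface Tunnel0
 tunnel key 100
 ip tcp adjust-mss 1360
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 crypto map CMAP-EXAMPLE
!
! Workaround 1: remove the clamp from the tunnel interface and apply it
! on another interface in the packet's flow (here the LAN-facing one).
interface Tunnel0
 no ip tcp adjust-mss
!
interface GigabitEthernet0/1
 ip tcp adjust-mss 1360
!
! Workaround 2: shorten the header stack by replacing the crypto map
! with tunnel protection in transport mode, which drops the extra
! outer IP header that tunnel mode adds.
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile PROF-EXAMPLE
 set transform-set TS-EXAMPLE
!
interface GigabitEthernet0/0.10
 no crypto map CMAP-EXAMPLE
!
interface Tunnel0
 tunnel protection ipsec profile PROF-EXAMPLE
```

After either change, confirm with a packet capture that SYN and SYN/ACK packets are answered without retransmission.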
Further Problem Description
The problem occurs when the total size of all protocol headers within the packet exceeds 128 bytes.