Configurations on Cisco ASA/FTD device

This section details the configuration you need to carry out on Cisco ASA/FTD version 9.8 or later, using the details from the Analyze > Tunnels page in Forcepoint ONE SSE.

Important: The edge device (router or firewall) at the customer site must be configured to send only web traffic on TCP ports 80 and 443 over the tunnel to the Cloud-SWG. All other traffic should be routed directly to the internet. Traffic on any other port that is sent over the tunnel will be discarded.
Note: This document shows an example environment for information and guidance only. While every effort has been made to ensure the accuracy of this information, you are strongly advised to consult the latest documentation for your edge device and test your configuration thoroughly. For detailed information on Cisco ASA, refer to the Cisco ASA Documentation.

Maximum segment size (MSS)

The encapsulation overhead of the IPsec tunnel means that TCP sessions sent over the tunnel must be limited to a lower Maximum Segment Size (MSS) than usual. Most TCP clients will propose an MSS value of 1460 bytes when connecting over an Ethernet network.

Forcepoint ONE SSE recommends an MSS value of no more than 1360 bytes, leaving room for the IPsec encapsulation overhead. This can usually be achieved with the MSS clamping feature of a firewall or router, which ensures that any TCP traffic sent down the tunnel is limited to an MSS of 1360 bytes.

Where the WAN connection to the Forcepoint data center uses IPoE or PPPoE, the MSS value may need to be lower still, to account for the encapsulation overhead of the WAN connection.

To display the current MSS setting for your tunnel interface, use the appropriate show interface command on your edge device.
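The MSS clamping described above, as an added example on the ASA command line (not Forcepoint's or Cisco's own text): it sets the appliance's TCP MSS ceiling and then verifies the setting and the tunnel interface. It assumes the interface carrying the tunnel has the nameif `outside`; FTD does not accept these commands typed directly, so there the equivalent would be applied through its management platform.

```cisco
! Added example (assumption: the tunnel-facing interface nameif is "outside").
! Note that this clamp is global on the ASA: it rewrites the MSS option in
! every TCP SYN passing through the appliance, not only traffic bound for
! the tunnel, so the value chosen here applies to all TCP sessions it handles.
asa# configure terminal
asa(config)# sysopt connection tcpmss 1360
asa(config)# end
! Verify the clamp (the ASA default is 1380 bytes, above the 1360 bytes
! recommended for the Forcepoint ONE SSE tunnel).
asa# show running-config sysopt
sysopt connection tcpmss 1360
! Check the MTU and error counters on the interface carrying the tunnel.
asa# show interface outside
```

Lower the value below 1360 where the WAN link adds PPPoE or IPoE encapsulation, as noted above.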