The maximum segment size (MSS) is the maximum TCP payload a TCP packet can carry, unidirectionally.
When two hosts bring up a TCP connection, in the TCP SYN they include the TCP option for maximum segment size, which usually 1460.
Maximum segment size is like MTU, except it is minus the TCP and IP headers.
Let’s take the default IP MTU for example of 1500. We know that without options, the IP header is 20 bytes, so 1500-20 is 1480.
Now recall I just said that the MSS is the payload minus IP AND TCP headers, so we need to remove the TCP headers as well, 1480 – 20 = 1460.
Thus the maximum segment size of 1460. If we have smaller links than hosts choose their MSS based in the interface MTU, they do their own calculations.
This is why fixing the MTU on a host is a lot easier than performing other tricks like clamping the MSS.
Now that leads us to our next point, the posibility of clamping the maximum segment size is a popular technique for routers and firewalls to fix MTU and fragmentation issues.
Of course this only works on TCP connections (IPv4 or IPv6) because UDP does not have an MSS. A router along the path can be configured with “ip tcp adjust-mss <MSS VALUE>”
and when it sees a TCP syn pass with the MSS option in the options header, it will silently edit the MSS and pass it along. This allows the router or firewall along the path to fix all
incoming and outgoing TCP connection’s MSS.
The alternative on Cisco ASA’s is to configure “sysopt connection tcp-mss maximum <MSS VALUE>”