SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Fragmentation

    Posted 05-02-2011 10:06

    Hi All,

    What is the command to see if fragmentation is occurring on a route-based VPN connection between SRX devices? I am pretty sure I had seen this somewhere but cannot find it.

    Also, after setting the tcp-mss ipsec-vpn 1350, would one still need to change the MTU from 9000 on the ST0 interfaces? Not doing so causes huge speed issues.

    Thanks



  • 2.  RE: VPN Fragmentation

    Posted 05-02-2011 11:59

    Don't know if you can see the fragments without sampling packets, but as far as I know, the MTU of the tunnel interface will only affect where fragmentation happens:

    - If the MTU is set to 9000, the entire packet will be encapsulated into IPSEC and then it will be sent out through the external interface. If it turns out that the packet is too large, it will be fragmented (if allowed by DF) and sent across the internet as two fragments. If fragmentation is not allowed (DF bit copied from original packet), ... [ no idea - to be investigated ]

    - If the MTU of the ST interface is set to something low enough, that will ensure that packets are fragmented before they are encapsulated into IPSEC. This means no fragments on the internet, which is a lot better as fragments tend to get lost in some parts of the world. If the original packet is too large and DF is set, you'll see an ICMP message going back to the client which will in turn lower its packet size.

    I've got tcp-mss and lower MTU set on my VPNs to prevent sending fragments onto the internet. Not only are they filtered in some places, but in one of the previous JunOS versions I was running (10.0r3 I think), there was a bug in the sequence number generation and the fragments were blocked by screening on the remote device. 🙂



  • 3.  RE: VPN Fragmentation

    Posted 05-03-2011 04:38

    Thanks for the response motd.

    One question though. Why would you need to set the tcp-mss ipsec-vpn if you set the MTU on the tunnel anyway? What is the difference?



  • 4.  RE: VPN Fragmentation
    Best Answer

    Posted 05-03-2011 04:59

    tcp-mss prevents the client from generating packets that are too large, so fragmentation (or ICMP errors) won't happen.


    Basically, when a tcp session is set up, the two sides advertise their maximum segment size. If you enable tcp-mss on the SRX, it will change the advertised size to the one configured (should be MTU-40)
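The two mechanisms discussed in posts 2 and 4 (the st0 MTU deciding where fragmentation happens, and tcp-mss clamping deciding whether TCP ever produces an oversized packet) can be modelled in a few lines. The following is an added example, not code from the thread or from Juniper: it assumes IPv4 with 20-byte IP and TCP headers (hence MSS = MTU - 40 as post 4 states), and uses an illustrative fixed ESP tunnel-mode overhead of 73 bytes, which is an assumption and not a value from the thread. The function names (`clamp_mss`, `where_fragmented`, `compare`) are invented for this model.

```python
"""Model of IPsec tunnel fragmentation vs. st0 MTU and TCP MSS clamping.

Added example; not from the thread or from Juniper. Header sizes assume IPv4/TCP.
"""

IP_HDR = 20
TCP_HDR = 20
# Assumed, illustrative ESP tunnel-mode overhead per packet (outer IP header,
# ESP header, IV, padding, trailer and ICV). The real figure depends on the
# cipher and integrity algorithm negotiated; 73 is only a placeholder.
ESP_OVERHEAD = 73


def clamp_mss(st0_mtu: int) -> int:
    """MSS the SRX would advertise for a given tunnel MTU (post 4: MTU - 40)."""
    return st0_mtu - IP_HDR - TCP_HDR


def largest_tcp_packet(mss: int) -> int:
    """Largest IPv4/TCP packet a peer will send once MSS is clamped."""
    return mss + IP_HDR + TCP_HDR


def where_fragmented(packet_len: int, df: bool, st0_mtu: int, ext_mtu: int,
                     overhead: int = ESP_OVERHEAD) -> str:
    """Return where an inner packet is fragmented on its way into the tunnel.

    'before-encap'      : inner packet exceeds the st0 MTU and DF is clear, so
                          it is fragmented before ESP encapsulation (no fragments
                          on the internet, the case post 2 recommends).
    'icmp-too-big'      : inner packet exceeds the st0 MTU with DF set; the
                          sender gets an ICMP error and lowers its packet size.
    'after-encap'       : inner packet fits st0, but the ESP packet exceeds the
                          external MTU and DF is clear, so fragments are sent
                          across the internet.
    'after-encap-df-open': same, but with DF set; post 2 leaves this case open,
                          so the model only flags it rather than deciding.
    'none'              : no fragmentation anywhere.
    """
    if packet_len > st0_mtu:
        return "icmp-too-big" if df else "before-encap"
    if packet_len + overhead > ext_mtu:
        return "after-encap-df-open" if df else "after-encap"
    return "none"


def compare(packet_len: int, df: bool, ext_mtu: int = 1500) -> dict:
    """Same packet through a 9000-byte st0 (post 1) and a lowered st0 MTU.

    The lowered MTU is chosen so that the encapsulated packet still fits the
    external interface: ext_mtu - ESP_OVERHEAD, rounded down to a whole number.
    """
    low_mtu = ext_mtu - ESP_OVERHEAD
    return {
        9000: where_fragmented(packet_len, df, 9000, ext_mtu),
        low_mtu: where_fragmented(packet_len, df, low_mtu, ext_mtu),
    }


if __name__ == "__main__":
    # Constructed cases, not captured traffic.
    # 1) A full-size non-TCP packet (e.g. UDP) is untouched by tcp-mss; only the
    #    st0 MTU decides whether it fragments on the internet or before ESP.
    print("UDP 1500, DF clear:", compare(1500, df=False))
    # 2) With DF set, a low st0 MTU turns that into an ICMP error instead.
    print("UDP 1500, DF set:  ", compare(1500, df=True))
    # 3) TCP with MSS clamped to the st0 MTU never produces an oversized packet.
    st0 = 1500 - ESP_OVERHEAD
    mss = clamp_mss(st0)
    print("clamped MSS:", mss, "-> largest TCP packet:", largest_tcp_packet(mss),
          "->", where_fragmented(largest_tcp_packet(mss), True, st0, 1500))
```

The model makes post 2's point concrete: with the st0 MTU at 9000, a 1500-byte packet reaches the external interface only after encapsulation and is fragmented there, whereas a lowered st0 MTU moves the fragmentation (or the ICMP error, when DF is set) to before encapsulation. It also answers post 3's question: tcp-mss only governs TCP, so a non-TCP packet still depends on the st0 MTU, while a clamped TCP session never produces a packet that needs fragmenting at all.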