Accommodating End-to-End TCP Communication

End-to-end TCP communication in a customer network might not work for large packets approaching 1500 bytes because of GRE or IPsec tunneling encapsulation. You can use the set security flow command to change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels.

• The following set security flow commands set the TCP MSS to 1400 bytes for IPsec tunnel sessions and 1364 bytes for GRE tunnel sessions:

  set security flow tcp-mss ipsec-vpn mss 1400

  set security flow tcp-mss gre-in mss 1364

  set security flow tcp-mss gre-out mss 1364

  The following command configures the TCP MSS to 1400 bytes for all TCP sessions.

  set security flow tcp-mss all-tcp 1400

• The following command allows an unmatched incoming DNS reply packet:

  set security flow allow-dns-reply

• The following command sets the timeout value for route change to nonexistent route:

  set security flow route-change-timeout

• The following command enables TCP SYN flood protection mode:

  set security flow syn-flood-protection-mode

You can use other set security flow commands to accommodate other systems. For syntax information, see the JUNOS Software CLI Reference.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.