Example: Accommodating End-to-End TCP Communication for J Series Services Routers

This example shows how to change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels.

Requirements

Before you begin, review how the device applies security checks to TCP packets. See Junos OS Feature Support Reference for SRX Series and J Series Devices.

Overview

End-to-end TCP communication in a customer network might fail for large packets approaching 1500 bytes, because GRE or IPsec encapsulation adds headers that push such packets over the MTU of the tunnel path. To avoid this, you can have the device rewrite the MSS value in TCP SYN packets for tunnel sessions, and optionally for all TCP sessions, so that the endpoints send segments small enough to be encapsulated without fragmentation.
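As an added example (not part of the Junos documentation), the following Python shows the arithmetic that decides whether a clamped MSS survives GRE and IPsec encapsulation without fragmentation at a 1500-byte MTU. Header sizes are the standard minimum sizes; the two ESP profiles (AES_GCM_128 and AES_CBC_SHA1) with their IV, ICV and alignment values, and the IPv4 tunnel-mode framing without NAT-T, are assumptions for illustration. The clamps 1400 and 1364 used later in this example are checked against those profiles; whether a clamp fits depends on the SA parameters, which is the point the arithmetic makes.

```python
# Added example, not from the Junos documentation: MSS budget arithmetic
# behind TCP MSS clamping on GRE and IPsec tunnels. Header sizes are the
# standard minimum sizes; the ESP profiles are assumptions for illustration
# and must be replaced with the parameters of the real SA. IPv4 tunnel mode
# without NAT-T is assumed (NAT-T would add an 8-byte UDP header).

IPV4_HDR = 20          # IPv4 header without options
TCP_HDR = 20           # TCP header without options
GRE_HDR = 4            # GRE header with no key, sequence or checksum fields
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ETHERNET_MTU = 1500

# (iv_len, icv_len, align) per suite; assumed values for illustration.
AES_GCM_128 = (8, 16, 4)     # 8-byte IV, 16-byte ICV, 4-byte alignment
AES_CBC_SHA1 = (16, 12, 16)  # 16-byte IV, 96-bit HMAC ICV, 16-byte blocks


def esp_overhead(inner_len, iv_len, icv_len, align):
    """Bytes ESP tunnel mode adds around an inner packet of inner_len bytes:
    a new outer IPv4 header, ESP header, IV, padding up to the cipher's
    alignment, the 2-byte trailer and the ICV."""
    pad = (-(inner_len + ESP_TRAILER)) % align
    return IPV4_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def wire_size(mss, gre=False, esp=None):
    """On-the-wire size of a full-sized TCP segment after encapsulation.
    gre=True adds a GRE delivery header; esp=(iv, icv, align) wraps the
    result in ESP tunnel mode (GRE over IPsec when both are given)."""
    size = mss + TCP_HDR + IPV4_HDR
    if gre:
        size += IPV4_HDR + GRE_HDR
    if esp is not None:
        size += esp_overhead(size, *esp)
    return size


def largest_mss(mtu=ETHERNET_MTU, gre=False, esp=None):
    """Largest MSS whose full segment still fits in mtu after encapsulation.
    Cipher padding rounds the size up in steps, so search downward instead
    of subtracting a fixed overhead."""
    mss = mtu
    while wire_size(mss, gre, esp) > mtu:
        mss -= 1
    return mss


def clamp_fits(mss, mtu=ETHERNET_MTU, gre=False, esp=None):
    """True if a segment built with this clamped MSS never needs fragmentation."""
    return wire_size(mss, gre, esp) <= mtu


if __name__ == "__main__":
    cases = [("plain", {}), ("gre", {"gre": True}),
             ("ipsec aes-gcm", {"esp": AES_GCM_128}),
             ("ipsec aes-cbc/sha1", {"esp": AES_CBC_SHA1}),
             ("gre over ipsec aes-gcm", {"gre": True, "esp": AES_GCM_128})]
    for label, kw in cases:
        print(f"{label:24s} largest MSS at 1500-byte MTU: {largest_mss(**kw)}")
    # The clamps used in this example, checked against the assumed suites.
    print("ipsec-vpn mss 1400, aes-gcm      :", clamp_fits(1400, esp=AES_GCM_128))
    print("ipsec-vpn mss 1400, aes-cbc/sha1 :", clamp_fits(1400, esp=AES_CBC_SHA1))
    print("gre mss 1364 over ipsec aes-gcm  :", clamp_fits(1364, gre=True, esp=AES_GCM_128))
```

Run it with the real SA's IV, ICV and block size before trusting a clamp value: the same 1400-byte clamp fits under the assumed GCM profile and does not under the assumed CBC/SHA-1 profile, and an SRX with a lower interface MTU or NAT-T on the tunnel needs the mtu argument or an extra 8 bytes of overhead adjusted accordingly.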

Configuration

CLI Quick Configuration

To quickly change the MSS for TCP packets to be sent or received over GRE and IPsec tunnels, copy the following commands and paste them into the CLI:

[edit]
set security flow tcp-mss ipsec-vpn mss 1400
set security flow tcp-mss gre-in mss 1364
set security flow tcp-mss gre-out mss 1364
set security flow tcp-mss all-tcp mss 1400
set security flow allow-dns-reply
set security flow route-change-timeout 62
set security flow syn-flood-protection-mode syn-proxy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To change the MSS for TCP packets to be sent or received over GRE and IPsec tunnels:

  1. Set the MSS for tunnel sessions.
    [edit security flow]
    user@host# set tcp-mss ipsec-vpn mss 1400
    user@host# set tcp-mss gre-in mss 1364
    user@host# set tcp-mss gre-out mss 1364
  2. Configure TCP MSS for all TCP sessions.
    [edit security flow]
    user@host# set tcp-mss all-tcp mss 1400
  3. Allow an unmatched incoming DNS reply packet.
    [edit security flow]
    user@host# set allow-dns-reply
  4. Set the timeout, in seconds, that applies when a session's route changes to a nonexistent route.
    [edit security flow]
    user@host# set route-change-timeout 62
  5. Enable TCP SYN flood protection mode.
    [edit security flow]
    user@host# set syn-flood-protection-mode syn-proxy

Results

From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security flow
allow-dns-reply;
route-change-timeout 62;
syn-flood-protection-mode syn-proxy;
tcp-mss {
    all-tcp {
        mss 1400;
    }
    ipsec-vpn {
        mss 1400;
    }
    gre-in {
        mss 1364;
    }
    gre-out {
        mss 1364;
    }
}
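The Results step asks you to compare the show security flow output with the intended configuration by eye. As an added example (not from the Junos documentation), the following Python does that comparison mechanically: a minimal parser for Junos curly-brace output (plain `name { ... }` blocks and `keyword value;` statements only; `inactive:` markers and annotations are not handled) and a check of the tcp-mss values against the ones this example intends. The embedded SHOW_OUTPUT is the output shown above, and EXPECTED_MSS and check_tcp_mss are names chosen for this example.

```python
# Added example, not from the Junos documentation: verify the committed
# tcp-mss values from "show security flow" output instead of by eye.
# SHOW_OUTPUT reproduces the output shown in the Results section.

SHOW_OUTPUT = """\
allow-dns-reply;
route-change-timeout 62;
syn-flood-protection-mode syn-proxy;
tcp-mss {
    all-tcp {
        mss 1400;
    }
    ipsec-vpn {
        mss 1400;
    }
    gre-in {
        mss 1364;
    }
    gre-out {
        mss 1364;
    }
}
"""

# The values this example configures (hypothetical name for this check).
EXPECTED_MSS = {"all-tcp": 1400, "ipsec-vpn": 1400, "gre-in": 1364, "gre-out": 1364}


def parse_junos(text):
    """Parse Junos curly-brace configuration output into nested dicts.
    'name { ... }' becomes a sub-dict, 'keyword value;' maps keyword to the
    value string, and a bare 'keyword;' maps keyword to True. Only this
    minimal subset is handled; anything else raises ValueError."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces: extra '}'")
            stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: missing '}'")
    return root


def check_tcp_mss(text, expected=EXPECTED_MSS):
    """Return a list of mismatches between the show output and the intended
    tcp-mss values; an empty list means the configuration is as intended."""
    tcp_mss = parse_junos(text).get("tcp-mss", {})
    problems = []
    for name, want in expected.items():
        got = tcp_mss.get(name, {}).get("mss")
        if got is None:
            problems.append(f"{name}: not configured")
        elif int(got) != want:
            problems.append(f"{name}: mss {got}, expected {want}")
    return problems


if __name__ == "__main__":
    mismatches = check_tcp_mss(SHOW_OUTPUT)
    print("tcp-mss matches intended values" if not mismatches
          else "\n".join(mismatches))
```

Feed it the text of show security flow captured from the device (for example, the output of the same command run over NETCONF or from a saved session log); a non-empty result tells you which knob to reapply before committing.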

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Troubleshooting with Logs

Purpose

Use these logs to identify any issues.

Action

From operational mode, enter the show log messages command and the show log dcd command.
