Example: Setting the Maximum Segment Size for All TCP Sessions for SRX Series Services Gateways

This example shows how to set the maximum segment size for all TCP sessions for SRX Series devices.

Requirements

Before you begin, understand the circumstances for setting the maximum segment size. See Understanding Session Characteristics for SRX Series Services Gateways.

Overview

You can terminate all TCP sessions by changing the TCP maximum segment size (TCP-MSS). To diminish the likelihood of fragmentation and to protect against packet loss, you can use the tcp-mss statement to specify a lower TCP MSS value. This statement applies to all IPv4 TCP SYN packets traversing all the router’s ingress interfaces whose MSS value is higher than the one you specify.

If the DF bit is set, the device does not fragment the packet; instead, Junos OS sends an ICMP error type 3, code 4 packet (Destination Unreachable; Fragmentation Needed and DF set) to the application server. This ICMP error message contains the correct MTU (as defined in tcp-mss) to be used by the application server, which should receive the message and adjust its packet size accordingly. This is specifically required with VPNs, because IPsec adds packet overhead, so tcp-mss has to be lowered appropriately.

Configuration

Step-by-Step Procedure

To configure the maximum segment size for all TCP sessions:

  1. Set the TCP maximum segment size for all TCP sessions.

     [edit security flow]
     user@host# set tcp-mss all-tcp mss 1300

  2. If you are done configuring the device, commit the configuration.

     [edit]
     user@host# commit
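The clamping behaviour described in the overview, applied with the 1300-byte limit from the procedure above, as an added Python model that is not part of the Juniper documentation: only IPv4 TCP SYN packets whose MSS option exceeds the configured value are rewritten (with the TCP checksum recomputed), while SYNs already at or below the limit and non-SYN segments pass unchanged. The sample SYN, its addresses and ports are constructed for illustration; the IP header checksum is left at zero because the model only touches the TCP layer.

```python
import struct
from typing import Optional, Tuple

SRC_IP, DST_IP = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])  # constructed sample addresses

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(mss: int) -> bytes:
    """Constructed IPv4 TCP SYN carrying an MSS option; DF bit set, IP checksum left 0."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0))
    tcp += struct.pack("!BBH", 2, 4, mss)  # option kind 2 (MSS), length 4
    tcp[16:18] = struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, bytes(tcp)))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    return ip + bytes(tcp)

def clamp_mss(packet: bytes, mss_limit: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option only on IPv4 TCP SYNs whose MSS exceeds mss_limit.
    Returns (packet as forwarded, MSS seen in the SYN, or None if not a TCP SYN with MSS)."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return packet, None
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    tcp = bytearray(packet[ihl:])
    data_off = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02:  # SYN flag clear: established traffic is left alone
        return packet, None
    i = 20
    while i < data_off:  # walk TCP options: kind 0 = end of list, kind 1 = NOP (1 byte)
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
            if mss <= mss_limit:
                return packet, mss
            tcp[i + 2:i + 4] = struct.pack("!H", mss_limit)
            tcp[16:18] = b"\x00\x00"  # zero the checksum field before recomputing it
            tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
            return packet[:ihl] + bytes(tcp), mss
        i += length
    return packet, None
```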

Verification

To verify that the configuration is working properly, enter the show security flow command.
