Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


tcp-mss (Security Flow)


Hierarchy Level


Configure TCP maximum segment size (TCP MSS) for the following packet types:

  • All TCP packets for network traffic.

  • GRE packets entering the IPsec VPN tunnel.

  • GRE packets exiting the IPsec VPN tunnel.

  • TCP packets entering the IPsec VPN tunnel.

If all the four TCP MSS options are configured simultaneously, then the order of preference is as follows:

  • If TCP packet enters an IPsec VPN tunnel, then an ipsec-vpn mss value has high priority over all-tcp mss value, hence ipsec-vpn mss value is set.

  • If TCP packet enters GRE , then gre-in mss value overrides all-tcp mss value, hence gre-in mss value is set.

  • If TCP packet exits GRE, then all-tcp mss value overrides gre-in mss value, hence all-tcp mss value is set.


The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this in the configuration.

security-control—To add this to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.