
How is the MSS value calculated when 'set flow all-tcp-mss' is configured


Article ID: KB14290 KB Last Updated: 24 Jun 2009 Version: 1.0
Summary:

How does 'set flow all-tcp-mss x' work under various conditions?

Symptoms:

Solution:

When the following command is configured in ScreenOS, how is the MSS value calculated?

     set flow all-tcp-mss x

If x >= MSS in the SYN or the SYN/ACK, the firewall does not change the MSS.
If x < MSS in the SYN or the SYN/ACK, the firewall changes the MSS to x; that is, it rewrites the MSS field in the TCP header of the SYN or SYN-ACK packet with the value x.

Here are four scenarios based on the following topology:

     Host A----------ScreenOS firewall----------Host B

  1. MSS(A) > x > MSS(B), the negotiated tcp-mss is MSS(B)

  2. MSS(A) < x < MSS(B), the negotiated tcp-mss is MSS(A)

  3. MSS(A) > x and MSS(B) > x, the negotiated tcp-mss is x

  4. MSS(A) < x and MSS(B) < x, the negotiated tcp-mss is min(MSS(B), MSS(A))

Note that in scenario 4, the firewall will not change the TCP-MSS value in the TCP header of the SYN or SYN-ACK packet because the MSS configured on the firewall is bigger than both host endpoints.


Note:
  The command 'set flow tcp-mss' uses the same logic.
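
The clamping rule and the four scenarios above, as an added Python example (not part of the original article and not ScreenOS code). The option layout in `build_syn_options` and the MSS values used with it are constructed for illustration; a real device would also update the TCP checksum after rewriting the field.

```python
import struct

def build_syn_options(mss):
    # Constructed sample options: MSS (kind 2), NOP, window scale (kind 3),
    # NOP, NOP, SACK-permitted (kind 4). 12 bytes, 32-bit aligned.
    return struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, 7, 1, 1, 4, 2])

def find_mss(options):
    """Return the byte offset of the MSS value in a TCP options field, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            return None
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None               # malformed option: stop, do not guess
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def clamp(options, x):
    """Apply the rule from the article: rewrite MSS to x only when x < MSS."""
    off = find_mss(options)
    if off is None:
        return options                # no MSS option present, nothing to rewrite
    (mss,) = struct.unpack_from("!H", options, off)
    if x >= mss:
        return options                # firewall leaves the packet unchanged
    return options[:off] + struct.pack("!H", x) + options[off + 2:]

def negotiated_mss(mss_a, mss_b, x):
    """Smaller of the two MSS values the hosts see after the firewall."""
    syn = clamp(build_syn_options(mss_a), x)        # A -> firewall -> B
    syn_ack = clamp(build_syn_options(mss_b), x)    # B -> firewall -> A
    seen_by_b = struct.unpack_from("!H", syn, find_mss(syn))[0]
    seen_by_a = struct.unpack_from("!H", syn_ack, find_mss(syn_ack))[0]
    return min(seen_by_a, seen_by_b)
```
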

