
[ScreenOS] How to enable Jumbo frames to reassemble fragmented ESP packets


Article ID: KB21816 KB Last Updated: 13 Jan 2014Version: 2.0
Summary:

When jumbo frame support is enabled on an NS-5000 series firewall (set envar max-frame-size=9830), fragmented ESP packets (IP protocol 50) passing through the device are reassembled and forwarded as a single packet sized according to the jumbo MTU. If the next-hop device still uses a 1500-byte MTU, that reassembled packet is dropped there. This article describes the symptom and the available workarounds.

Symptoms:
ISG=========-eth2/2[ns5400]eth2/5==========eth5/0[ssg550]
  • NS-5400 is acting as the passthrough for ESP packets.

  • Only the NS-5400 has Jumbo Frame support enabled.

  • ISG and SSG firewalls are configured with MTU size of 1500 bytes.

With Jumbo Frames disabled on the NS-5400, the fragmented ESP packets are forwarded unchanged and reach their destination.

With Jumbo Frames enabled on the NS-5400, the firewall reassembles the fragmented ESP packets and forwards the reassembled packet, whose size now exceeds the adjacent device's MTU (1500 bytes); the adjacent device therefore drops it.

With set envar max-frame-size=9830 on the NS-5400:

The SSG receives the reassembled ESP packet and drops it, because the IP total length (tlen=1504) exceeds its 1500-byte interface MTU ("err ip len" in the debug output):

00397.0: ethernet5/0(i) len=1518:0010db8f2bcb->001122334455/0800
              10.10.10.249 -> 11.11.11.50/50
              vhl=45, tos=00, id=32965, frag=0000, ttl=62 tlen=1504
              esp:spi 3698861298

****** 00397.0: <Trust/ethernet5/0> packet received [1504]******
  ipid = 32965(80c5), @2d558910
  packet dropped, err ip len
Without max-frame-size=9830 on the NS-5400:

The SSG receives the individual ESP fragments (tlen=772 and tlen=752, both within the 1500-byte MTU) and forwards them to their destination:

00679.0: ethernet5/0(i) len=786:0010db8f2bcb->001122334455/0800
              10.10.10.249 -> 11.11.11.50/50
              vhl=45, tos=00, id=32965, frag=2000, ttl=62 tlen=772
              frag offset=0 more fragment=1
              esp:spi 3698861298


00679.0: ethernet5/0(i) len=766:0010db8f2bcb->001122334455/0800
              10.10.10.249 -> 11.11.11.50/50
              vhl=45, tos=00, id=32965, frag=005e, ttl=62 tlen=752
              frag offset=752 more fragment=0
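The following Python script is an added example and is not part of the original KB article or of ScreenOS. It parses the two "debug flow" fragment records shown above (embedded as a constructed sample) and reproduces the arithmetic behind the symptom: each fragment (tlen=772 and tlen=752) fits a 1500-byte MTU on its own, but the reassembled datagram (20-byte header + 752 + 732 bytes of payload = 1504 bytes) does not, which is why the SSG logs "err ip len". The decoding of the vhl and frag fields is standard IPv4; the link MTU value and the record format are assumptions based on the output above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two "debug flow" fragment records shown above
# (NS-5400 without jumbo frames), trimmed to the fields this script reads.
SAMPLE_FRAGMENTS = """\
00679.0: ethernet5/0(i) len=786:0010db8f2bcb->001122334455/0800
              10.10.10.249 -> 11.11.11.50/50
              vhl=45, tos=00, id=32965, frag=2000, ttl=62 tlen=772
              frag offset=0 more fragment=1
              esp:spi 3698861298
00679.0: ethernet5/0(i) len=766:0010db8f2bcb->001122334455/0800
              10.10.10.249 -> 11.11.11.50/50
              vhl=45, tos=00, id=32965, frag=005e, ttl=62 tlen=752
              frag offset=752 more fragment=0
"""

ETH_HDR = 14  # Ethernet header: frame len = ETH_HDR + IP total length (1504 + 14 = 1518)

ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)/(\d+)")
HDR_RE = re.compile(
    r"vhl=([0-9a-fA-F]{2}), tos=[0-9a-fA-F]+, id=(\d+), "
    r"frag=([0-9a-fA-F]{4}), ttl=\d+ tlen=(\d+)"
)


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    ihl: int        # IPv4 header length in bytes (low nibble of vhl * 4)
    total_len: int  # tlen: IP total length of this fragment
    offset: int     # payload offset in bytes ((frag & 0x1FFF) * 8)
    more: bool      # MF flag (frag & 0x2000)

    @property
    def payload_len(self) -> int:
        return self.total_len - self.ihl


def parse_debug_flow(text: str) -> list:
    """Extract IPv4 fragment records from ScreenOS 'debug flow' output."""
    frags, src, dst, proto = [], None, None, None
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            src, dst, proto = m.group(1), m.group(2), int(m.group(3))
            continue
        m = HDR_RE.search(line)
        if m and src is not None:
            ihl = (int(m.group(1), 16) & 0x0F) * 4
            frag_field = int(m.group(3), 16)
            frags.append(Fragment(src, dst, proto, int(m.group(2)), ihl,
                                  int(m.group(4)), (frag_field & 0x1FFF) * 8,
                                  bool(frag_field & 0x2000)))
    return frags


def reassemble(frags: list) -> dict:
    """Return {(src, dst, proto, id): reassembled IP total length}.

    Fragments are grouped by the IPv4 reassembly key and checked for gaps
    and for a final fragment (MF=0); incomplete datagrams raise ValueError.
    """
    groups = {}
    for f in frags:
        groups.setdefault((f.src, f.dst, f.proto, f.ip_id), []).append(f)
    sizes = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        expected = 0
        for f in parts:
            if f.offset != expected:
                raise ValueError(f"gap in datagram {key} at byte offset {expected}")
            expected += f.payload_len
        if parts[-1].more:
            raise ValueError(f"datagram {key} is missing its last fragment")
        sizes[key] = parts[0].ihl + expected
    return sizes


def forwarding_decision(ip_total_len: int, link_mtu: int = 1500) -> str:
    """'forward' if the datagram fits the next-hop interface MTU, else 'drop'
    (the "err ip len" drop seen when the reassembled packet hits a 1500-byte link)."""
    return "forward" if ip_total_len <= link_mtu else "drop"


def analyze(text: str, link_mtu: int = 1500) -> dict:
    """Compare per-fragment and reassembled-packet outcomes on one link."""
    frags = parse_debug_flow(text)
    report = {}
    for key, size in reassemble(frags).items():
        parts = [f for f in frags if (f.src, f.dst, f.proto, f.ip_id) == key]
        report[key] = {
            "fragments": [(f.total_len, forwarding_decision(f.total_len, link_mtu))
                          for f in parts],
            "reassembled": (size, forwarding_decision(size, link_mtu)),
        }
    return report


if __name__ == "__main__":
    for key, result in analyze(SAMPLE_FRAGMENTS).items():
        print(key, result)
```

Run it against your own "debug flow" capture to see at a glance whether a datagram is being dropped only after reassembly: the per-fragment entries read "forward" while the reassembled entry reads "drop" in exactly the case this article describes.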
Cause:

Solution:

Any one of the following workarounds resolves the issue:

  1. Remove the Jumbo Frame setting on the NS-5400 (unset envar max-frame-size, then restart the device for the envar change to take effect), so that the firewall reverts to the 1500-byte MTU and forwards the ESP fragments as received.

  2. Enable the Jumbo Frame support end-to-end, so that the adjacent device is also able to handle Jumbo Frames.

  3. Prevent the ESP packets from being fragmented in the first place, by keeping the encrypted packets within the path MTU:

Set the TCP MSS for VPN traffic so that TCP segments leave room for the ESP overhead (this affects TCP sessions only; other protocols carried in the tunnel can still produce packets large enough to fragment):

                                         set flow tcp-mss <mss value>

Enable Path MTU discovery for VPN traffic:

                                          set flow path-mtu

Note: The device that finally receives these packets might also be unable to handle them, because its interface MTU may be set for normal-sized (1500-byte) packets.


Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search