[MX] How to modify the TCP MSS on the CE facing interface

Article ID: KB24352 KB Last Updated: 01 Jun 2012Version: 1.0
Summary:
This article provides information on how to modify the TCP MSS on the CE facing interface with MS-PIC/MS-DPC.
Symptoms:
How to modify the TCP MSS on the CE facing interface with MS-PIC/MS-DPC.
Cause:
 
Solution:

In certain scenarios you need to lower the TCP MSS to avoid unnecessary fragmentation, or packet drops when the DF bit is set, for example when a GRE tunnel is on the path.

Here is an example of how to modify the TCP MSS on the CE facing interface in an L3VPN scenario (you must have an MS-PIC/MS-DPC on PE1):

Topology

[CE1] --- [PE1] ---(GRE)--- [P] --- [PE2] --- [CE2]    


Configuration on PE1: 

  1. Assign a specific service interface for each VRF:

    interfaces {
        sp-8/1/0 {
            unit 1 {
                family inet;
            }
        }
    }

  2. Configure the service set to modify the TCP MSS:

    service-set tcp-mss {
        tcp-mss 1380;
        stateful-firewall-rules Permit-all;
        interface-service {
            service-interface sp-8/1/0.1;
        }
    }
    stateful-firewall {
        rule Permit-all {
            match-direction input-output;
            term 1 {
                then {
                    accept;
                }
            }
        }
    }

  3. Apply the service interface to the VRF:

    routing-instances {
        PE1 {
            instance-type vrf;
            interface gr-0/0/0.0;  <<<<<< PE-P interface
            interface sp-8/1/0.1;
            route-distinguisher 100:100;
            vrf-target target:100:100;
            vrf-table-label;
        }
    }

  4. Configure the service filter to skip the irrelevant traffic (only TCP SYN segments are sent to the service set):

    firewall {
        family inet {
            service-filter mss-filter {
                term 0 {
                    from {
                        protocol tcp;
                        tcp-flags syn;
                    }
                    then {
                        service;
                    }
                }
                term 1 {
                    then skip;
                }
            }
        }
    }

  5. Apply the service set to the CE facing interface:

    interfaces {
        gr-0/0/0 {
            unit 0 {
                family inet {
                    service {
                        input {
                            service-set tcp-mss service-filter mss-filter;
                        }
                        output {
                            service-set tcp-mss service-filter mss-filter;
                        }
                    }
                    address 173.26.6.2/30;
                }
            }
        }
    }


Here is the command to check the service on PE:

> show services service-sets statistics tcp-mss 
Interface   Service Set       SYN Received  SYN Modified
sp-8/1/0    tcp-mss                2             2 


The TCP MSS can also be checked on the client's TCP session (if the client is a Juniper router). Here is a telnet example:

> show system connections extensive | find 173.26.6.1 
tcp4 0 0 173.26.3.1.60786 173.26.6.1.23 ESTABLISHED
sndsbcc: 0 sndsbmbcnt: 0 sndsbmbmax: 262656
sndsblowat: 2048 sndsbhiwat: 32832
rcvsbcc: 0 rcvsbmbcnt: 0 rcvsbmbmax: 525312
rcvsblowat: 1 rcvsbhiwat: 65664
proc id: 37257 proc name: telnet
iss: 4188466145 sndup: 4188466285
snduna: 4188466285 sndnxt: 4188466285 sndwnd: 65664
sndmax: 4188466285 sndcwnd: 12588 sndssthresh: 1073725440
irs: 3029526212 rcvup: 3029526369
rcvnxt: 3029526376 rcvadv: 3029592040 rcvwnd: 65664
rtt: 0 srtt: 66 rttv: 22
rxtcur: 1200 rxtshift: 0 rtseq: 4188466279
rttmin: 1000 mss: 1368
flags: REQ_SCALE RCVD_SCALE REQ_TSTMP RCVD_TSTMP SACK_PERMIT [0x120003e0]
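The rewrite that the service set performs on every SYN, as an added Python example (this is not Juniper code and not part of the article): it derives the MSS that fits a GRE path, builds a constructed SYN that reuses the article's addresses and the default 1460 MSS a client on a 1500-byte link would advertise, locates the MSS option, lowers it to the configured clamp and recomputes the TCP checksum. That rewrite is what the SYN Modified counter above counts; a SYN whose MSS is already at or below the clamp is left untouched, which is why SYN Received and SYN Modified can legitimately differ. The packet builder, the 24-byte GRE overhead figure and the function names are assumptions of this example.

```python
import ipaddress
import struct

TCP_SYN_FLAG = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mss_for_path(link_mtu: int = 1500, tunnel_overhead: int = 24) -> int:
    """Largest MSS that crosses a tunnelled path without fragmentation:
    link MTU minus the outer encapsulation (assumption: GRE over IPv4 adds
    a 20-byte outer IP header plus a 4-byte GRE header) minus the inner
    20-byte IPv4 and 20-byte TCP headers. A lower value such as the
    article's 1380 simply leaves more headroom."""
    return link_mtu - tunnel_overhead - 20 - 20


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying a single MSS option (sample input,
    DF bit set as in the scenario the article describes)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, TCP_SYN_FLAG, 65535, 0, 0) + options
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def tcp_options(packet: bytes):
    """Yield (kind, offset of the kind byte, length) for each TCP option;
    stop at EOL or at a malformed option instead of guessing."""
    ihl = (packet[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (packet[ihl + 12] >> 4) * 4
    while i < end:
        kind = packet[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= end:
            return
        length = packet[i + 1]
        if length < 2 or i + length > end:
            return
        yield kind, i, length
        i += length


def read_mss(packet: bytes):
    """Advertised MSS of a segment, or None when the option is absent."""
    for kind, off, length in tcp_options(packet):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", packet, off + 2)[0]
    return None


def clamp_mss(packet: bytes, max_mss: int):
    """Return (packet, modified). Only a SYN whose MSS exceeds max_mss is
    rewritten; the TCP checksum is recomputed over pseudo-header + segment."""
    if packet[9] != IPPROTO_TCP:
        return packet, False
    ihl = (packet[0] & 0x0F) * 4
    if not packet[ihl + 13] & TCP_SYN_FLAG:
        return packet, False
    buf, modified = bytearray(packet), False
    for kind, off, length in tcp_options(packet):
        if kind == OPT_MSS and length == 4 and read_mss(packet) > max_mss:
            struct.pack_into("!H", buf, off + 2, max_mss)
            modified = True
    if modified:
        struct.pack_into("!H", buf, ihl + 16, 0)        # zero old checksum
        seg = bytes(buf[ihl:])
        pseudo = bytes(buf[12:20]) + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
        struct.pack_into("!H", buf, ihl + 16, ones_complement_sum(pseudo + seg))
    return bytes(buf), modified


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum verifies (sum including the field is 0)."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return ones_complement_sum(pseudo + seg) == 0


if __name__ == "__main__":
    syn = build_syn("173.26.3.1", "173.26.6.1", 60786, 23, 1460)
    clamped, changed = clamp_mss(syn, 1380)
    print("path MSS for GRE:", mss_for_path(), "| modified:", changed,
          "| new MSS:", read_mss(clamped), "| checksum ok:", tcp_checksum_ok(clamped))
```

On the client output above: the session shows mss 1368 rather than the clamped 1380 because the FreeBSD-derived TCP stack on the Junos routing engine subtracts the 12 bytes of the negotiated timestamp option from the segment size it stores; the REQ_TSTMP and RCVD_TSTMP flags on the last line show that option was negotiated, so 1368 is consistent with a 1380 clamp.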