Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Configuring TCP MSS clamping on SRX devices to avoid unnecessary fragmentation

0

0

Article ID: KB30687 KB Last Updated: 30 Dec 2015Version: 1.0
Summary:

This article explains how to configure maximum segment size (MSS) clamping on the SRX and how it helps in reducing fragmentation of TCP traffic.

Symptoms:

It is very common in modern-day networks that different devices along the network path have different MTU values. Packets sized bigger than the MTU need to be fragmented when they are passed through. Fragmentation, in turn, causes latency in TCP transfers as it is an overhead on the end hosts as well as on the intermediate devices. Fragmentation also increases the number of TCP retransmissions as the loss of a fragment requires the whole packet to be retransmitted.

This article discusses how TCP MSS clamping helps in mitigating fragmentation in a TCP transfer. 

Topology:

host-machine-network >>>>>(mtu-1500) Router (mtu-1300)>>>>>>(mtu 1300)SRX(mtu 1500)>>>>>Internet
Solution:

TCP MSS is the maximum amount of data that a host can accept in a single TCP segment. During the TCP three-way handshake, the client and the server announce their respective TCP MSS values. During data transfer, the sender sends packets with TCP segments less than or equal to the MSS value announced by the receiver.

When TCP MSS is configured on the SRX, the firewall will intercept the TCP SYNC packets and change the MSS to the configured value.

To configure MSS clamping on the SRX:

#set security flow tcp-mss all-tcp mss <mss-value>
#commit

The following illustrations show the packet structure on the ingress and egress interfaces of an SRX configured with a TCP MSS value of 1200:

  1. The screen capture on the left shows a TCP MSS value of 1460 which was originally sent by the client, and the capture on the right shows the modified TCP MSS value of 1200 when it passed through the SRX.


  2. The screen capture on the right shows a TCP MSS value of 1460 that was the reply sent by the server, and the screen capture on the left shows the modified TCP MSS value of 1200 after it passed through the SRX.




    After the three-way handshake is complete, both the server and the client believe that the other end can only receive 1200 bytes as the maximum TCP segment size. 

    As a result, the maximum size of the IP packet (applied to TCP traffic only) would be 1240 bytes, which is less that the minimum MTU (1300) along the path, thus eliminating any unnecessary fragmentation.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search