Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to change the MSS of TCP traffic passing through an IPsec VPN

0

0

Article ID: KB30688 KB Last Updated: 22 Apr 2020Version: 2.0
Summary:

This article describes how to change the maximum segment size (MSS) of the TCP traffic passing through an IPsec tunnel and thus mitigate fragmentation.

Symptoms:

When traffic passes through an IPsec VPN, TCP traffic might be fragmented, as the original TCP MSS did not take IPsec overhead into account. TCP fragmentation will cause undesired latency and throughput performance issues. This article discusses how to modify the corresponding TCP MSS values, which would help mitigate fragmentation.

Please note that the modification of the TCP MSS can only be done at the terminating point of the IPsec VPN.

Topology:

Host machine A---------> SRX 1 ------------VPN ----------SRX 2-------->Host machine B
Solution:

When the TCP MSS is configured as shown below, SRX will intercept the TCP SYNC packets going into an IPsec tunnel and change the MSS to the supplied value.

To configure the MSS for TCP traffic entering an IPsec VPN:

#set security flow tcp-mss ipsec-vpn mss <MSS-value>
#commit

The following graphic shows the packet structure on the ingress interface (interface connected to host-machine A) of SRX 1 which has been configured with a TCP MSS of 1200 for IPsec VPN traffic:

 

The following graphic shows the packet structure on the egress interface (interface connected to host-machine B) of SRX 2:

As shown in the graphic, the MSS for the TCP SYNC packet has been changed to 1200, as configured on SRX1.

Please note that the TCP MSS can be modified only at the encrypting side. TCP MSS configured on the decrypting device will not modify the TCP MSS decrypted.

In our example, the TCP MSS in the TCP SYNC packet traversing from host-machine A to host-machine B is modified by SRX 1 and not by SRX 2. Similarly, the TCP MSS for the packets traversing from host-machine B to host-machine A can be modified by SRX 2 and not by SRX 1.

Modification History:
2020-04-17: Article reviewed for accuracy; no changes required.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search