This article describes how to change the maximum segment size (MSS) of the TCP traffic passing through an IPsec tunnel and thus mitigate fragmentation.
When traffic passes through an IPsec VPN, TCP segments may be fragmented because the original TCP MSS did not take the IPsec overhead into account. This fragmentation causes undesired latency and throughput degradation. This article describes how to modify the corresponding TCP MSS value, which helps mitigate the fragmentation.
Please note that the TCP MSS can only be modified at the terminating point of the IPsec VPN.
Topology:
Host machine A---------> SRX 1 ------------VPN ----------SRX 2-------->Host machine B
When the TCP MSS is configured as shown below, the SRX intercepts TCP SYN packets entering an IPsec tunnel and rewrites the MSS option to the supplied value.
To configure the MSS for TCP traffic entering an IPsec VPN:
#set security flow tcp-mss ipsec-vpn mss <MSS-value>
#commit
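The following is an added example, not Juniper code, that emulates what the SRX does when this configuration is active: it takes a constructed TCP SYN, finds the MSS option, lowers it to the configured value (1200 here) and patches the TCP checksum incrementally. The IP addresses, ports and helper names are assumptions made for the example.

```python
import struct
# Added example (not Juniper code): emulate the SRX rewriting the MSS option
# of a TCP SYN under "set security flow tcp-mss ipsec-vpn mss 1200".

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    """Constructed SYN (ports 40000 -> 443) carrying a 4-byte MSS option."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", 2, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def find_mss(segment: bytes):
    """(offset, value) of the MSS option in the TCP options, or None if absent."""
    i, end = 20, (segment[12] >> 4) * 4
    while i + 1 < end:
        kind, length = segment[i], segment[i + 1]
        if kind == 1:                               # NOP padding
            i += 1
            continue
        if kind == 0 or length < 2:                 # end of list / malformed
            return None
        if kind == 2 and length == 4:               # MSS option
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None

def clamp_mss(segment: bytes, mss_value: int) -> bytes:
    """Lower the MSS of a SYN to mss_value, patching the checksum per RFC 1624."""
    found = find_mss(segment)
    if not segment[13] & 0x02 or found is None:     # MSS is only valid on a SYN
        return segment
    off, old = found
    if old <= mss_value:                            # never raise the peer's MSS
        return segment
    buf = bytearray(segment)
    struct.pack_into("!H", buf, off, mss_value)
    hc = struct.unpack_from("!H", buf, 16)[0]
    s = (~hc & 0xFFFF) + (~old & 0xFFFF) + mss_value   # HC' = ~(~HC + ~m + m')
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", buf, 16, ~s & 0xFFFF)
    return bytes(buf)
```

Feeding a SYN with MSS 1460 through clamp_mss(seg, 1200) yields the 1200 seen on the egress side in the capture below, with a checksum that still verifies against a full recompute.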
The following graphic shows the packet structure on the ingress interface (interface connected to host-machine A) of SRX 1 which has been configured with a TCP MSS of 1200 for IPsec VPN traffic:
The following graphic shows the packet structure on the egress interface (interface connected to host-machine B) of SRX 2:
As shown in the graphic, the MSS in the TCP SYN packet has been changed to 1200, as configured on SRX 1.
Please note that the TCP MSS can be modified only on the encrypting side. A TCP MSS configured on the decrypting device will not modify the MSS of the traffic it decrypts.
In our example, the TCP MSS in the TCP SYN packet travelling from host-machine A to host-machine B is modified by SRX 1 and not by SRX 2. Similarly, the TCP MSS for packets travelling from host-machine B to host-machine A can be modified by SRX 2 and not by SRX 1.