
[ScreenOS] IP fragmentation and deny fragment screen option


Article ID: KB5953    Last Updated: 03 Apr 2019    Version: 4.0
Summary:
Effect of IP fragmentation and the deny fragment screen option
Symptoms:
  • OSPF fails to establish an adjacency
  • Certificate-based IPsec VPN fails Phase 1 when using a 2048-bit key length
  • The deny fragment screen option is turned on in the untrust zone
Solution:

The deny fragment screen option (Block Fragment Traffic, "block-frag" in the CLI) drops every IP fragment that arrives in the zone on which it is enabled. Any protocol whose packets exceed the path MTU and therefore arrive as IP fragments stops working through that zone. On a NetScreen device the following functions are known to be affected when the option is enabled:

  1. OSPF fails to establish an adjacency, because OSPF packets carrying many LSAs can exceed the interface MTU and are delivered as fragments.
  2. Certificate-based IPsec VPN fails Phase 1 when a 2048-bit key length is used, because the IKE messages that carry the certificate payload are larger than the MTU and are fragmented.

Workaround: Disable the deny fragment screen option on the affected zone. This screen option is off by default, so if it is on, it was enabled deliberately; confirm with whoever enabled it before removing it. The setting is per zone, so check every zone in which an OSPF neighbor or a VPN peer is reached, not only Untrust.

For example, to disable the deny fragment option from the CLI and make the change persistent across reboots:

Lab-> unset zone Untrust screen block-frag [Enter]
Lab-> save [Enter]


To check the current screen setting (the option is the "Block Fragment Traffic" line; it should read "off" after the workaround is applied):

Lab-> get zone untrust screen
Tear-drop Attack Protection     on
SYN Flood Protection(200)       on
        Alarm  Threshold: 1024
        Queue  Size     : 10240
        Timeout Value   : 20
        Source Threshold: 4000
        Destination Threshold: 40000
        Drop unknown mac (xparent mode only): no
Ping-of-Death Protection        on
Source Route IP Option Filter   on
Land Attack Protection          on
Block Fragment Traffic          on
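When many ScreenOS devices have to be audited, reading each "get zone <name> screen" output by hand is error-prone. The following script is an added example, not part of this article and not Juniper code: it parses captured "get zone ... screen" output in the layout shown above, reports which screen options are on, and emits the "unset ... block-frag" and "save" commands only when Block Fragment Traffic is enabled. The zone name passed to the function and the sample output embedded below (copied from the article's example, plus a constructed variant with the option off) are assumptions for illustration.

```python
"""Audit ScreenOS 'get zone <zone> screen' output for the block-frag option.

Added example (not from the KB article). Parses the text layout shown in the
article and decides whether the deny fragment screen option must be removed.
"""
import re

# One top-level line per screen option: name, two or more spaces, on/off.
# Indented detail lines (SYN flood thresholds etc.) and the CLI prompt do not match.
_OPTION_RE = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<state>on|off)\s*$")

BLOCK_FRAG_OPTION = "Block Fragment Traffic"


def parse_screen_options(output: str) -> dict:
    """Return {option name: True/False} for each top-level screen option line."""
    options = {}
    for line in output.splitlines():
        if not line.strip() or line[0].isspace():
            continue  # blank line or an indented threshold/detail line
        match = _OPTION_RE.match(line)
        if match:
            options[match.group("name").strip()] = match.group("state") == "on"
    return options


def fragment_blocking_enabled(output: str) -> bool:
    """True when the deny fragment (block-frag) screen option is on."""
    return parse_screen_options(output).get(BLOCK_FRAG_OPTION, False)


def remediation_commands(zone: str, output: str) -> list:
    """CLI commands to apply the KB5953 workaround, or [] if nothing to do.

    'unset zone <zone> screen block-frag' and 'save' are the ScreenOS commands
    from the article; the zone name is whatever the operator audited.
    """
    if not fragment_blocking_enabled(output):
        return []
    return [f"unset zone {zone} screen block-frag", "save"]


# Sample output copied from the article (block-frag on).
SAMPLE_BLOCK_FRAG_ON = """\
Lab-> get zone untrust screen
Tear-drop Attack Protection     on
SYN Flood Protection(200)       on
        Alarm  Threshold: 1024
        Queue  Size     : 10240
        Timeout Value   : 20
        Source Threshold: 4000
        Destination Threshold: 40000
        Drop unknown mac (xparent mode only): no
Ping-of-Death Protection        on
Source Route IP Option Filter   on
Land Attack Protection          on
Block Fragment Traffic          on
"""

# Constructed variant: same zone after the workaround has been applied.
SAMPLE_BLOCK_FRAG_OFF = SAMPLE_BLOCK_FRAG_ON.replace(
    "Block Fragment Traffic          on", "Block Fragment Traffic          off"
)


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BLOCK_FRAG_ON), ("after", SAMPLE_BLOCK_FRAG_OFF)):
        print(f"[{label}] screen options:", parse_screen_options(text))
        for cmd in remediation_commands("Untrust", text):
            print(f"[{label}] run: {cmd}")
```

Feed the function the raw text captured from the console (including the prompt line is harmless), and run it once per zone; only the zones in which OSPF neighbors or VPN peers are reached need the workaround, and the other screen options listed in the output are left untouched.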


Modification History:
2019-03-29: minor non-technical edits. Content reviewed for accuracy.