
[ScreenOS] What does 'set flow all-tcp-mss' and 'set flow tcp-mss' do?


Article ID: KB6346
Last Updated: 22 May 2019
Version: 9.0
Summary:
This article provides information about the set flow all-tcp-mss and set flow tcp-mss commands.
Symptoms:
The set flow tcp-mss and set flow all-tcp-mss commands change the TCP MSS value of traffic passing through the firewall.
Solution:

The set flow tcp-mss and set flow all-tcp-mss commands can be used in cases in which fragmentation causes performance or communication problems. They lower the TCP maximum segment size (MSS) far enough below the Maximum Transmission Unit (MTU) that fragmentation does not occur.

The payload size of a packet, plus all associated overhead, must not exceed the MTU; otherwise fragmentation occurs. The overhead can include MAC headers, Ethernet headers, CRC, encryption, and PPPoE.

The set flow all-tcp-mss command applies to clear-text traffic, whereas the set flow tcp-mss command applies only to VPN traffic. In other words, set flow tcp-mss changes the MSS value in the SYN packet of the TCP handshake inside the tunnel, and set flow all-tcp-mss changes the MSS value in the SYN packet of the TCP handshake outside the tunnel, that is, in clear-text traffic.
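As an added illustration (not code from this article or from ScreenOS), the following Python models the two things the paragraphs above describe: the MSS budget that remains once IP and TCP headers and any extra per-packet overhead such as PPPoE are subtracted from the MTU, and the rewrite of the MSS option in a TCP SYN, with the TCP checksum recomputed as a firewall must do after changing the option. It assumes the 8-byte PPPoE/PPP overhead and a SYN with no options other than MSS; the addresses, ports and segment bytes are constructed sample values.

```python
import socket
import struct

IPV4_HEADER = 20    # bytes, IPv4 header without options
TCP_HEADER = 20     # bytes, TCP header without options
PPPOE_OVERHEAD = 8  # assumption: PPPoE header (6) + PPP protocol field (2)


def max_mss(mtu, extra_overhead=0):
    """Largest MSS that fits the MTU once IP/TCP headers and any extra
    per-packet overhead (PPPoE, encryption, ...) are accounted for."""
    return mtu - IPV4_HEADER - TCP_HEADER - extra_overhead


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, segment):
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol TCP, length


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    data = _pseudo_header(src_ip, dst_ip, segment) + segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(data)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose stored checksum is correct sums to all ones."""
    data = _pseudo_header(src_ip, dst_ip, segment) + segment
    return (~_ones_complement_sum(data)) & 0xFFFF == 0


def build_syn(src_ip, dst_ip, mss, src_port=40000, dst_port=80):
    """Constructed TCP SYN (no IP header) carrying one MSS option (kind 2, length 4)."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0,
                         6 << 4,      # data offset: 24 bytes = 6 words
                         0x02,        # flags: SYN
                         65535, 0, 0) # window, checksum (filled below), urgent pointer
    segment = header + struct.pack("!BBH", 2, 4, mss)
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def _mss_option_offset(segment):
    """Byte offset of the MSS option's value field, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                 # end of option list
            return None
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                # malformed option; stop parsing
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src_ip, dst_ip, segment, limit):
    """Rewrite the MSS option of a SYN down to `limit` and fix the checksum.
    Returns (segment, changed); non-SYN segments and MSS values already at
    or below the limit pass through untouched."""
    if not segment[13] & 0x02:
        return segment, False
    off = _mss_option_offset(segment)
    if off is None or read_mss(segment) <= limit:
        return segment, False
    patched = segment[:off] + struct.pack("!H", limit) + segment[off + 2:]
    csum = tcp_checksum(src_ip, dst_ip, patched)
    return patched[:16] + struct.pack("!H", csum) + patched[18:], True


if __name__ == "__main__":
    syn = build_syn("10.0.0.1", "10.0.0.2", 1460)
    clamped, changed = clamp_mss("10.0.0.1", "10.0.0.2", syn, max_mss(1500, PPPOE_OVERHEAD))
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped), "changed:", changed)
```

The 1350 used in the article's examples is simply a value low enough to leave room for PPPoE and IPsec overhead together; `max_mss` shows how much room a given MTU actually leaves, and `checksum_ok` lets a packet capture be checked to confirm that a device in the path rewrote the option rather than corrupting the segment.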

TCP-MSS Functionality

The set flow tcp-mss command applies only to VPN traffic. It affects only the firewall that performs the encryption. For example, with the following topology:

PC-A -----FW1--------VPN TUNNEL-----------FW2--------PC-B

only FW2 is configured with this command:

FW2-> set flow tcp-mss 1350

Then, if a session is established from PC-A to PC-B, PC-A's SYN packet is sent through the tunnel. FW1 does not change the TCP MSS. When the packet reaches FW2, the TCP MSS is not changed either, because the packet has already been decrypted. In other words, the TCP MSS is changed only if the command is set on the firewall that encrypts the packet, not on the firewall that decrypts it.

If you want to change the MSS for sessions that originate from PC-A and pass through the tunnel, set flow tcp-mss 1350 must be configured on FW1.

Note: From ScreenOS 6.1 onward, the new 'set flow vpn-tcp-mss <number>' CLI command sets the MSS value for all TCP SYN packets in both outbound and inbound VPN traffic.

ALL-TCP-MSS Functionality

The set flow all-tcp-mss command is required when using PPPoE, because PPPoE adds considerable overhead and fragmentation will occur if this command is not enabled. In some cases a router may not handle fragmentation properly; in those cases, set flow all-tcp-mss may help.

For example, if a web site loads but not all of its images are displayed, the symptom may be caused by fragmentation. Applying the set flow all-tcp-mss command can resolve this issue.

Note: 'set flow all-tcp-mss' applies only to clear-text traffic. It is bidirectional, so the MSS value in the SYN packet is modified for clear-text traffic in both directions.

For example, in the topology above, assume that the following command is also added to FW2:

FW2-> set flow all-tcp-mss 1350

Then, when PC-A establishes a session with PC-B, FW2 changes the TCP MSS for sessions originating from PC-A to PC-B, because the command applies to the packet after it has been decrypted.

Note: The 'set tcp mss' command (without the 'flow' keyword) applies to the firewall's own TCP/IP stack, that is, to communication to and from the firewall itself, such as management traffic.
Modification History:
2019-05-22: Content reviewed for accuracy.
