
[ScreenOS] Does 'set flow all-tcp-mss' override 'set flow tcp-mss'?


Article ID: KB7952 KB Last Updated: 14 Dec 2017 Version: 5.0
Summary:
This article provides information about the set flow all-tcp-mss configuration overriding the set flow tcp-mss configuration.
Symptoms:

When you have VPN traffic and clear traffic, the following commands can help to prevent fragmentation of TCP traffic:

  • set flow tcp-mss (this command is for VPN TCP traffic)

  • set flow all-tcp-mss (this command is for clear TCP traffic)
Solution:

The set flow all-tcp-mss command does not override set flow tcp-mss. The tcp-mss setting applies to VPN traffic, and the all-tcp-mss setting applies only to clear pass-through traffic.

You can use the get flow command to check whether the above commands are set or unset, and their values:

SSG520-> get flow (when mss has not been set)
flow action flag: 0094
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
<return>

SSG520-> set flow tcp-mss 1200
SSG520-> set flow all-tcp-mss 1200
SSG520->

SSG520->
SSG520-> get flow (when mss has been set to 1200)
flow action flag: 0495
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets = 1200
flow change tcp mss option for outbound vpn packets = 1200
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
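
To run the same check over saved get flow captures from several devices, the MSS lines can be parsed into values. This is an added example, not Juniper code; the function names are hypothetical, and the samples are constructed from the two captures above (in which all-tcp-mss shows up on the "all packets" line and tcp-mss on the "outbound vpn packets" line).

```python
import re

# Constructed samples: the MSS-related lines of the two "get flow" captures above.
BEFORE = """\
flow action flag: 0094
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set
"""
AFTER = """\
flow action flag: 0495
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets = 1200
flow change tcp mss option for outbound vpn packets = 1200
flow change tcp mss option for bi-directional vpn packets is not set
"""

# Matches "flow change tcp mss option for <scope> ..." and "flow GRE <dir> tcp-mss ...",
# each ending in either "= <number>" or "is not set".
MSS_LINE = re.compile(
    r"^flow (?:change tcp mss option for (?P<scope>.+?)|(?P<gre>GRE (?:in|out)bound) tcp-mss)"
    r"\s*(?:=\s*(?P<value>\d+)|is not set)\s*$"
)

def parse_mss(get_flow_output):
    """Return {scope: MSS as int, or None when unset} for each MSS line."""
    settings = {}
    for line in get_flow_output.splitlines():
        m = MSS_LINE.match(line.strip())
        if m:
            scope = m.group("scope") or m.group("gre")
            value = m.group("value")
            settings[scope] = int(value) if value else None
    return settings

def check_clamps(get_flow_output, expected):
    """Return {scope: (found, wanted)} for every scope that differs from expected."""
    found = parse_mss(get_flow_output)
    return {s: (found.get(s), want) for s, want in expected.items()
            if found.get(s) != want}

if __name__ == "__main__":
    wanted = {"all packets": 1200, "outbound vpn packets": 1200}
    print("before:", check_clamps(BEFORE, wanted))
    print("after: ", check_clamps(AFTER, wanted))
```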

Modification History:
2017-12-07: Article reviewed for accuracy. Minor grammatical changes. Rest of the Article is correct and complete.