
[ScreenOS] Does 'set flow all-tcp-mss' override 'set flow tcp-mss'?

  [KB7952]


Summary:
This article explains whether the set flow all-tcp-mss configuration overrides the set flow tcp-mss configuration.
Symptoms:

When you have both VPN traffic and clear traffic, the following commands can help to prevent fragmentation of TCP traffic:

  • set flow tcp-mss (this command is for VPN TCP traffic)

  • set flow all-tcp-mss (this command is for clear TCP traffic)
Cause:

Solution:

No. all-tcp-mss does not override tcp-mss. tcp-mss applies to VPN traffic, and all-tcp-mss applies only to clear passthrough traffic.

You can use the get flow command to check whether the above commands are set or unset, and to see their values:

SSG520-> get flow (when mss has not been set)
flow action flag: 0094
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
<return>

SSG520-> set flow tcp-mss 1200
SSG520-> set flow all-tcp-mss 1200
SSG520->

SSG520->
SSG520-> get flow (when mss has been set to 1200)
flow action flag: 0495
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets = 1200
flow change tcp mss option for outbound vpn packets = 1200
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Log auth dropped packet disabled
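
The check above can be scripted when auditing saved configurations. The following is an added example, not part of the original article: it parses saved get flow output and reports the two MSS settings independently. The mapping of output lines to commands is an assumption inferred from the article's description, and the function names are hypothetical.

```python
import re

# Assumed mapping from "get flow" lines to the command that controls each one,
# inferred from the article's description of the two commands.
MSS_LINES = {
    "all packets": "set flow all-tcp-mss",
    "outbound vpn packets": "set flow tcp-mss",
}

_LINE = re.compile(
    r"^flow change tcp mss option for (?P<scope>.+?)\s+"
    r"(?:=\s*(?P<value>\d+)|is not set)\s*$"
)

def parse_flow_mss(output):
    """Return {command: MSS value, or None when unset} from 'get flow' text."""
    found = {}
    for raw in output.splitlines():
        m = _LINE.match(raw.strip())
        if m and m.group("scope") in MSS_LINES:
            value = m.group("value")
            found[MSS_LINES[m.group("scope")]] = int(value) if value else None
    # A missing line means the capture is incomplete, which is not the same as unset.
    missing = sorted(set(MSS_LINES.values()) - set(found))
    if missing:
        raise ValueError("no 'get flow' line found for: " + ", ".join(missing))
    return found

def unset_commands(settings):
    """List the commands that have not been applied yet."""
    return sorted(cmd for cmd, mss in settings.items() if mss is None)

# Relevant lines copied from the two 'get flow' captures in the article.
BEFORE = """flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set"""
AFTER = """flow change tcp mss option for all packets = 1200
flow change tcp mss option for outbound vpn packets = 1200
flow change tcp mss option for bi-directional vpn packets is not set"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        settings = parse_flow_mss(text)
        print(label, settings, "unset:", unset_commands(settings))
```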
