Problem description: When Juniper SSG series firewalls reach each other through a VPN dial-in, or when different network segments access each other directly, PING sometimes succeeds while services such as web access and file shares cannot be reached.

Problem analysis: These problems are usually caused by how the devices along the path handle fragmented packets. A packet that is too large must be split into fragments; if the peer does not support large fragments, the firewall drops the packet. The packet here is a TCP/IP packet.

Solution: Once the set flow path-mtu command is enabled, the firewall answers an oversized packet with a "Destination unreachable - fragmentation required" message, telling the sender that the packet is too large and cannot be fragmented. When the initiating host receives this message it lowers its MTU (the firewall can also enforce a smaller segment size with set flow all-tcp-mss number), so that its packets pass through the firewall.

The following two commands lower the maximum segment size (MSS) used during data transmission so that it stays below the MTU, letting packets pass through the firewall without fragmentation:

set flow tcp-mss      modifies VPN traffic
set flow all-tcp-mss  modifies plaintext (clear) data streams

TCP-MSS functionality

The command set flow tcp-mss applies to VPN traffic only. Note that it only affects the firewall that does the encrypting. For example, given the following topology:

PC-A ----- FW1--------VPN TUNNEL-----------FW2--------PC-B

Only FW2 is set with this command:

FW2-> set flow tcp-mss 1350

Then, if a session is established from PC-A to PC-B, PC-A sends the SYN packet via the tunnel. FW1 does not change the TCP-MSS setting. When FW2 decrypts the packet, it does not change the TCP-MSS setting either, because the packet has already been decrypted.

In other words, the TCP-MSS setting is only changed if the command is set on the firewall where the packet is encrypted, not on the firewall where the packet is decrypted. To change the MSS setting for sessions originating from PC-A through the tunnel, set flow tcp-mss 1350 has to be set on FW1.

ALL-TCP-MSS functionality

The command set flow all-tcp-mss is required when using PPPoE, as PPPoE adds considerable overhead, and fragmentation will occur if the set flow all-tcp-mss command is not enabled. There are also some instances where a router may not handle fragmentation properly; in these instances set flow all-tcp-mss may help. For example, if accessing a web site and not all images are drawn, this symptom could be due to fragmentation. Applying set flow all-tcp-mss can resolve this issue.
Note that set flow all-tcp-mss settings apply only to clear (unencrypted) traffic. The setting is bidirectional: it modifies the MSS value in the SYN packet of clear traffic in both directions.
For example, in the above scenario/topology, let's say the following command is also added to FW2:
FW2-> set flow all-tcp-mss 1350
Then, when PC-A establishes a session with PC-B, FW2 will change the TCP-MSS setting for the sessions originating from PC-A to PC-B, because it applies to the packet after it is decrypted.
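The rewrite these commands perform, shown as an added Python example that is not from the original post or from ScreenOS: it constructs a sample TCP SYN (constructed bytes, not captured traffic), clamps its MSS option to 1350 as a firewall configured with set flow all-tcp-mss 1350 would, and recomputes the TCP checksum; non-SYN segments and segments whose MSS is already small enough pass through unchanged. Addresses, ports and the 1460/1350 values are assumptions chosen for the demonstration.

```python
import struct
MSS_KIND = 2  # TCP option kind: Maximum Segment Size

def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)  # pad odd lengths
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src_ip, dst_ip, src_port, dst_port, mss):
    """Constructed sample: a minimal TCP SYN whose only option is MSS (24 bytes)."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss)  # kind, length, value
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(header + options)  # data offset 6 words, flags = SYN
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def mss_offset(segment):
    """Byte offset of the MSS value inside a SYN's option list, else None."""
    if not segment[13] & 0x02:  # MSS is only carried on SYN segments
        return None
    end, i = (segment[12] >> 4) * 4, 20  # options run from byte 20 to the data offset
    while i < end:
        kind = segment[i]
        if kind == 1:  # NOP is a single byte
            i += 1
            continue
        if kind == 0 or i + 1 >= end or segment[i + 1] < 2:  # EOL, truncated or bogus length
            return None
        if kind == MSS_KIND and segment[i + 1] == 4:
            return i + 2
        i += segment[i + 1]
    return None

def read_mss(segment):
    off = mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]

def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Lower an oversized MSS in a SYN and fix the checksum; anything else passes through."""
    off = mss_offset(segment)
    if off is None or struct.unpack_from("!H", segment, off)[0] <= max_mss:
        return segment
    new = bytearray(segment[:16] + b"\x00\x00" + segment[18:])  # checksum field zeroed
    struct.pack_into("!H", new, off, max_mss)
    struct.pack_into("!H", new, 16, tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new)
```

Unlike the path-mtu approach, which only works if the ICMP fragmentation-required message actually reaches the sender, clamping the MSS in the SYN needs no cooperation from either host or from intermediate routers.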
This article is from the genisystem blog; please keep this source link: http://genisystem.blog.51cto.com/39344/368740