Supported Platforms
Related Documentation
- LN, SRX Series
- Example: Controlling Session Termination for SRX Series Services Gateways
- Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways
- Additional Information
- Flow-Based Processing Feature Guide for Security Devices
Example: Setting the Maximum Segment Size for All TCP Sessions for SRX Series Services Gateways
This example shows how to set the maximum segment size for all TCP sessions for SRX Series devices.
Requirements
Before you begin, understand the circumstances for setting the maximum segment size. See Understanding Session Characteristics for SRX Series Services Gateways.
Overview
You can terminate all TCP sessions by changing the TCP maximum segment size (TCP-MSS). To diminish the likelihood of fragmentation and to protect against packet loss, you can use the tcp-mss statement to specify a lower TCP MSS value. This statement applies to all TCP SYN packets traversing the router’s ingress interfaces whose MSS value is higher than the one you specify.
If the DF bit is set, the device does not fragment the packet; instead, Junos OS sends an ICMP error type 3 code 4 packet to the application server (Destination Unreachable; Fragmentation Needed and DF set). This ICMP error message carries the MTU to use (as defined by tcp-mss); the application server should receive it and adjust its packet size accordingly. This is specifically required with VPNs, because IPsec adds packet overhead, so tcp-mss must be lowered appropriately.
Note: When running SRX Series and J Series devices in packet mode, you use the set system internet-options tcp-mss statement to adjust the TCP-MSS value. All ports are affected by the TCP-MSS configuration; you cannot exclude a particular port. When running SRX Series and J Series devices in flow mode, although you can use the set system internet-options tcp-mss statement, we recommend using only the set security flow tcp-mss statement to adjust the TCP-MSS value. If both statements are configured, the lower of the two values will take effect.
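As an added example (not Junos code and not part of Juniper's documentation), the following Python models the behaviour described above: a SYN whose advertised MSS is higher than the configured tcp-mss has its MSS option rewritten to the configured value, a lower MSS is left alone, and when both the system internet-options tcp-mss and security flow tcp-mss statements are present the lower value takes effect. The function names, the sample SYN option bytes and the 100-byte IPsec overhead figure are constructed for illustration; the MSS-from-MTU helper assumes IPv4 and TCP headers without options.

```python
"""Constructed model of SRX-style TCP MSS clamping (added example, not Junos code).

Two behaviours from the text are modelled:
  * a SYN whose advertised MSS is higher than the configured tcp-mss is rewritten
    to the configured value; a lower MSS is left alone;
  * when both `system internet-options tcp-mss` and `security flow tcp-mss` are
    configured, the lower value takes effect.
The MSS-from-MTU helper assumes IPv4 and TCP headers without options (20 bytes each);
the IPsec overhead passed to it is an assumed example value, not a Junos default.
"""
import struct
from typing import Optional, Tuple

MSS_KIND = 2          # TCP option kind for Maximum Segment Size (RFC 793)
MSS_OPTION_LEN = 4    # kind, length, two-byte value
IPV4_HEADER_LEN = 20  # IPv4 header without options
TCP_HEADER_LEN = 20   # TCP header without options


def clamp_syn_mss(options: bytes, configured_mss: int) -> Tuple[bytes, Optional[int], bool]:
    """Rewrite the MSS option of a SYN's option block if it exceeds configured_mss.

    Returns (new_options, advertised_mss, changed). advertised_mss is None when the
    SYN carries no MSS option; such a SYN is passed through unchanged.
    """
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of Option List: nothing further to inspect
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        if kind == MSS_KIND and length == MSS_OPTION_LEN:
            (advertised,) = struct.unpack("!H", bytes(out[i + 2:i + 4]))
            if advertised > configured_mss:
                # Same option length, so the header layout is unchanged apart
                # from the two rewritten value bytes (checksum must be recomputed).
                out[i + 2:i + 4] = struct.pack("!H", configured_mss)
                return bytes(out), advertised, True
            return bytes(out), advertised, False
        i += length
    return bytes(out), None, False


def effective_tcp_mss(flow_mss: Optional[int], system_mss: Optional[int]) -> Optional[int]:
    """Lower of the two configured values wins; None means the statement is absent."""
    configured = [m for m in (flow_mss, system_mss) if m is not None]
    return min(configured) if configured else None


def mss_for_path(mtu: int, encapsulation_overhead: int = 0) -> int:
    """MSS that keeps a full segment inside `mtu` once `encapsulation_overhead`
    bytes (for example IPsec ESP and tunnel headers) are added on the path."""
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN - encapsulation_overhead


# Constructed SYN option block: MSS 1460, NOP, window scale 7, SACK permitted.
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402")

if __name__ == "__main__":
    new_opts, adv, changed = clamp_syn_mss(SAMPLE_SYN_OPTIONS, 1300)
    print("advertised %d -> %s changed=%s" % (adv, new_opts.hex(), changed))
    print("effective tcp-mss with flow 1300 and system 1400:", effective_tcp_mss(1300, 1400))
    print("MSS for 1500-byte MTU with 100 bytes assumed IPsec overhead:", mss_for_path(1500, 100))
```

Running the block clamps the constructed 1460-byte MSS to 1300, the value used in the procedure below, while a SYN already advertising 1200 passes unchanged; mss_for_path shows why a VPN path needs a lower tcp-mss than the plain interface MTU would suggest.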
Configuration
Step-by-Step Procedure
To configure the maximum segment size for all TCP sessions:
- Set the TCP maximum segment size for all TCP sessions.
[edit security flow]
user@host# set tcp-mss all-tcp mss 1300
- If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Results
From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
Verification
To verify the configuration is working properly, enter the show configuration security flow command from operational mode.
Modified: 2016-04-18