Example: Accommodating End-to-End TCP Communication for J Series Services Routers

This example shows you how to change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels.

Requirements

Before you begin:

Review TCP packets and security checks. See JUNOS Software Feature Support Reference for SRX Series and J Series Devices.

Overview

End-to-end TCP communication in a customer network might not work for large packets approaching 1500 bytes because of GRE or IPsec tunneling encapsulation. You can configure sessions to accommodate other systems and segment sizes.

Configuration

CLI Quick Configuration

To quickly change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels, copy the following commands and paste them into the CLI:


[edit security flow]


set tcp-mss ipsec-vpn mss 1400


set tcp-mss gre-in mss 1364


set tcp-mss gre-out mss 1364


set tcp-mss all-tcp 1400


set allow-dns-reply


set route-change-timeout 62


set syn-flood-protection-mode syn-proxy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To change the maximum segment size (MSS) for TCP packets to be sent or received over GRE and IPsec tunnels:

  1. Set the TCP MSS to 1400 bytes for IPsec tunnel sessions and 1364 bytes for GRE tunnel sessions.

    [edit security flow]
    user@host# set tcp-mss ipsec-vpn mss 1400
    user@host# set tcp-mss gre-in mss 1364
    user@host# set tcp-mss gre-out mss 1364

  2. Configure the TCP MSS to 1400 bytes for all TCP sessions.

    [edit security flow]
    user@host# set tcp-mss all-tcp 1400

  3. Allow an unmatched incoming DNS reply packet.

    [edit security flow]
    user@host# set allow-dns-reply

  4. Set the timeout value applied to a session whose route changes to a nonexistent route.

    [edit security flow]
    user@host# set route-change-timeout 62

  5. Enable TCP SYN flood protection mode.

    [edit security flow]
    user@host# set syn-flood-protection-mode syn-proxy
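What the tcp-mss settings configured above do on the wire, shown as an added example in Python (not part of the Juniper documentation and not the device's own code): the MSS option in a TCP SYN passing through the tunnel is lowered to the configured limit, for instance 1364 for GRE, and the TCP checksum is recomputed over the IPv4 pseudo-header. The sample SYN and the addresses 192.0.2.1 and 192.0.2.2 are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds (RFC 793)
FLAG_SYN = 0x02


def clamp_tcp_mss(segment: bytes, limit: int) -> bytes:
    """Lower the MSS option of a TCP SYN to `limit` if it advertises more.

    Anything that is not a well-formed SYN carrying an MSS option above the
    limit comes back unchanged. On a rewrite the checksum field is zeroed;
    the caller recomputes it with tcp_checksum().
    """
    if len(segment) < 20 or not segment[13] & FLAG_SYN:
        return segment
    data_offset = (segment[12] >> 4) * 4      # header length incl. options
    if data_offset > len(segment):
        return segment
    buf, i = bytearray(segment), 20
    while i < data_offset:
        kind = buf[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = buf[i + 1] if i + 1 < data_offset else 0
        if length < 2 or i + length > data_offset:
            break                             # malformed option list: leave packet alone
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", buf, i + 2)[0] > limit:
                struct.pack_into("!H", buf, i + 2, limit)
                buf[16:18] = b"\x00\x00"      # old checksum is no longer valid
            return bytes(buf)
        i += length
    return segment


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Constructed sample: SYN 40000 -> 443, 24-byte header, MSS option advertising 1460.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, FLAG_SYN, 65535, 0, 0) + bytes([OPT_MSS, 4, 1460 >> 8, 1460 & 0xFF])
```

Running clamp_tcp_mss(SAMPLE_SYN, 1364) yields the same SYN with the MSS option rewritten to 1364, which is the value the gre-in and gre-out statements above enforce.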

Results

Confirm your configuration by entering the show security flow command from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security flow
allow-dns-reply;
route-change-timeout 62;
syn-flood-protection-mode syn-proxy;
tcp-mss {
    all-tcp {
        mss 1400;
    }
    ipsec-vpn {
        mss 1400;
    }
    gre-in {
        mss 1364;
    }
    gre-out {
        mss 1364;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Purpose

Use these logs to identify any security flow issues.

Action

Enter these show log commands from operational mode.

user@host> show log messages
user@host> show log dcd
