header-integrity-check
Syntax
header-integrity-check { enable-all; }
Hierarchy Level
[edit services service-set service-set-name service-set-options]
Description
Configure Junos OS to verify the packet header for anomalies in IP, TCP, UDP, and ICMP information and to flag such anomalies and errors.
Starting in Junos OS release 17.1R1, the header integrity check on the MS-MPC or MS-MIC drops any packets with header anomalies and includes the following checks:
ICMP ping of death
IP unknown protocol
TCP no flag
TCP SYN FIN
TCP FIN no ACK
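What the five listed checks look for at the header level, shown as an added example: a Python classifier over raw IPv4 bytes. It is not Juniper code and not the MS-MPC implementation. The ping-of-death test (fragment offset plus length above 65535) and the unknown-protocol threshold of 138 are assumptions based on the conventional definitions, and the sample packets are constructed.

```python
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10
MAX_DATAGRAM = 65535      # largest legal IPv4 datagram after reassembly
UNKNOWN_PROTO_MIN = 138   # assumption: numbers from here up count as "unknown"

def header_anomalies(pkt, unknown_proto_min=UNKNOWN_PROTO_MIN):
    """Return which of the five listed checks one raw IPv4 packet trips."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    offset = (frag & 0x1FFF) * 8          # fragment offset in bytes
    proto = pkt[9]
    found = []
    if proto >= unknown_proto_min:
        found.append("IP unknown protocol")
    # Ping of death: this fragment would end past the 65535-byte limit.
    if proto == 1 and offset + total_len > MAX_DATAGRAM:
        found.append("ICMP ping of death")
    # TCP flags live in byte 13 of the TCP header, present only in fragment 0.
    if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13] & 0x3F      # the six classic control flags
        if flags == 0:
            found.append("TCP no flag")
        if flags & SYN and flags & FIN:
            found.append("TCP SYN FIN")
        if flags & FIN and not flags & ACK:
            found.append("TCP FIN no ACK")
    return found

def ipv4(proto, payload, frag_units=0):
    """Build a constructed test packet (checksum left 0; it is not inspected)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_units,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def tcp(flags):
    """Constructed 20-byte TCP header with only ports and flags filled in."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 8192, 0, 0)

if __name__ == "__main__":
    samples = {"SYN": tcp(SYN), "null": tcp(0), "SYN+FIN": tcp(SYN | FIN),
               "FIN": tcp(FIN), "FIN+ACK": tcp(FIN | ACK)}
    for name, seg in samples.items():
        print(f"TCP {name:8} -> {header_anomalies(ipv4(6, seg)) or 'clean'}")
    last_frag = ipv4(1, bytes(1480), frag_units=8100)   # 64800 + 1500 > 65535
    print("ICMP fragment ->", header_anomalies(last_frag))
    print("proto 200     ->", header_anomalies(ipv4(200, b"")))
```

A SYN+FIN segment trips two checks at once, because it is also a FIN without ACK.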
The header-integrity-check option, which is supported on MS-MICs and MS-MPCs to verify the packet header for anomalies in IP, TCP, UDP, and ICMP information and to flag such anomalies and errors, has the opposite effect of passive mode tunneling. If you configure both the header-integrity-check statement and the passive-mode-tunneling statement on MS-MICs and MS-MPCs and attempt to commit the configuration, an error is displayed during commit.
Passive mode tunneling (enabled by including the passive-mode-tunneling statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level) is a superset of the capability to disable the IPsec tunnel endpoint in the traceroute output (enabled by including the no-ipsec-tunnel-in-traceroute statement at the [edit services ipsec-vpn] hierarchy level). In addition to not treating an IPsec tunnel as a next hop, as configured by the no-ipsec-tunnel-in-traceroute statement, passive mode tunneling also bypasses the active IP checks and the tunnel MTU check.
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Release 13.2.