tcp-mss (Security Flow)
Syntax
tcp-mss {
    all-tcp mss value;
    gre-in {
        mss value;
    }
    gre-out {
        mss value;
    }
    ipsec-vpn {
        mss value;
    }
}
Hierarchy Level
[edit security flow]
Description
Configure TCP maximum segment size (TCP MSS) for the following packet types:
- All TCP packets for network traffic.
- GRE packets entering the IPsec VPN tunnel.
- GRE packets exiting the IPsec VPN tunnel.
- TCP packets entering the IPsec VPN tunnel.
If all four TCP MSS options are configured simultaneously, the order of preference is as follows:
- If a TCP packet enters an IPsec VPN tunnel, the ipsec-vpn mss value has higher priority than the all-tcp mss value, so the ipsec-vpn mss value is set.
- If a TCP packet enters GRE, the gre-in mss value overrides the all-tcp mss value, so the gre-in mss value is set.
- If a TCP packet exits GRE, the all-tcp mss value overrides the gre-in mss value, so the all-tcp mss value is set.
The TCP MSS override may not take effect in GRE over IPsec (GREoIPsec) scenarios. Consequently, there may be more fragmentation in the network because GREoIPsec traffic isn't modified for TCP MSS. To ensure that TCP MSS works with GREoIPsec, set the priority of MSS applied to the TCP traffic in the following order (highest to lowest):
- gre-in
- gre-out, based on direction of the GREoIPsec TCP traffic
- ipsec-vpn for GREoIPsec - IPsec traffic
- all-tcp for all the TCP traffic.
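A configuration that sets all four options together, as an added example rather than text from the original page. The MSS numbers are constructed for an assumed 1500-byte IPv4 path, and the IPsec headroom is an assumed budget to replace with the overhead of your own proposal.

```junos
# Added example: values are constructed, not taken from the page.
# Assumptions: 1500-byte IPv4 path MTU, TCP without options,
# GRE with a basic 4-byte header, ESP tunnel mode.

# all-tcp: lowest priority, applies to every TCP flow.
# 1500 - 20 (IPv4 header) - 20 (TCP header) = 1460
set security flow tcp-mss all-tcp mss 1460

# ipsec-vpn: TCP entering an IPsec VPN tunnel.
# ESP overhead depends on the cipher and authentication algorithm,
# so 1350 is an assumed value that leaves headroom below 1460.
set security flow tcp-mss ipsec-vpn mss 1350

# gre-in / gre-out: highest priority for GREoIPsec, chosen by the
# direction of the traffic. GRE adds a 20-byte outer IPv4 header and
# a 4-byte GRE header, so both are set 24 bytes below ipsec-vpn.
# 1350 - 24 = 1326
set security flow tcp-mss gre-in mss 1326
set security flow tcp-mss gre-out mss 1326
```

Keeping the values in the relation gre-in = gre-out < ipsec-vpn < all-tcp means that whichever option applies to a flow, the segment still fits the encapsulation it actually crosses.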
Options
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this in the configuration.
security-control—To add this to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.