SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Changing TCP MSS on SRX

    Posted 06-27-2014 00:14

    Hi all,

     

    I want to change TCP MSS on SRX3600 for tunnel sp interfaces. As I know, I can't do that for some interface (e.g. st0.100).

    To enable MSS override for all packets entering IPsec tunnels, I want to use this command:

     

    set security flow tcp-mss ipsec-vpn mss 1340

     

    IP MTU is 1400, therefore I want to set TCP MSS to 1340.

     

    So if I use that command on an SRX which is now working in production, can that interrupt tunnels?

     

    Thanks



  • 2.  RE: Changing TCP MSS on SRX
    Best Answer

    Posted 06-27-2014 01:27

    Hi,

     

    Changing the TCP-MSS will not cause any interruption.  What will happen is that any new sessions after the change traversing the VPN will have the new MSS value in their initial SYN packet.



  • 3.  RE: Changing TCP MSS on SRX

    Posted 06-27-2014 01:41

    Dear 



  • 4.  RE: Changing TCP MSS on SRX

    Posted 06-27-2014 01:44

    MSS is only negotiated during the 3-Way Handshake, so existing sessions will just continue as normal until they end.
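
Added example, not part of the thread: a way to confirm the behaviour described in replies 2 and 4 from a packet capture, by reading the MSS option out of raw TCP headers and checking it against the 1340 limit. The function names and the sample segments are constructed for illustration; only the value 1340 comes from the thread.

```python
import struct

CLAMP = 1340  # value from the thread's `tcp-mss ipsec-vpn mss 1340`

def syn_mss(tcp: bytes):
    """Return the MSS option of a TCP segment, or None if it is not a SYN
    or carries no MSS option. Raises ValueError on a malformed header."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(tcp):
        raise ValueError("bad data offset")
    if not off_flags & 0x002:          # SYN bit clear: MSS is never sent
        return None
    opts, i = tcp[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of option list
            break
        if kind == 1:                  # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def clamp_ok(tcp: bytes, limit: int = CLAMP) -> bool:
    """True when a SYN advertises MSS <= limit; segments without MSS pass."""
    mss = syn_mss(tcp)
    return mss is None or mss <= limit

def build(flags: int, options: bytes = b"") -> bytes:
    """Constructed test segment: ports 40000 -> 443, zero seq/ack/checksum."""
    options += b"\x01" * (-len(options) % 4)      # pad to 32-bit boundary
    off = (5 + len(options) // 4) << 12
    return struct.pack("!HHIIHHHH", 40000, 443, 0, 0, off | flags, 65535, 0, 0) + options

# Constructed samples: a SYN seen before the tunnel, the same SYN after
# clamping, and a segment from an already established session.
SYN_BEFORE = build(0x002, b"\x02\x04" + struct.pack("!H", 1460) + b"\x01\x03\x03\x07")
SYN_AFTER = build(0x002, b"\x01\x01\x02\x04" + struct.pack("!H", CLAMP))
ACK_ESTABLISHED = build(0x010)
```

Segments of established sessions carry no MSS option, so `clamp_ok` has nothing to flag on them; only SYN and SYN-ACK segments of new sessions show the configured value.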



  • 5.  RE: Changing TCP MSS on SRX

    Posted 09-07-2016 07:52

    Is this command going to change the value globally?  Is there any way we can change it for a specific tunnel?



  • 6.  RE: Changing TCP MSS on SRX

    Posted 09-08-2016 15:24

    Yes, this is a global command for all IPsec traffic.

     

    No, there is no per tunnel or tunnel interface setting available.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30688