SRX Services Gateway
Reply
Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

SRX <-> Cyberoam IPSEC large packet issues

Hi all,

 

We have an SRX240 cluster happily routing traffic and terminating a route-based VPN between itself and an SSG 140 cluster without issue. Inter-zone traffic is passed without an issue, as is traffic that enters and exits the SRX<->SSG tunnel.

 

At our office, we have a Cyberoam ia50 that we have various policy-based VPNs terminated on. We've had no issues for VPNs between the SSG 140 cluster and this Cyberoam device in the past but the same cannot be said for the Cyberoam<->SRX tunnel that has been set up.

 

The tunnel itself comes up without issue and small packet traffic flows without an issue as does ICMP traffic between 64 and 1500 bytes in size. When attempting to push larger packets of TCP traffic though, traffic flow for the particular TCP session ceases to flow.

 

This behaviour manifests in both directions, and setting flow trace options for dropped packets reveals no drops whatsoever. MTUs on both sides of the link have been checked and confirmed to be properly configured and this issue only occurs for this combination of devices.

 

Any assistance in terms of debug or experience greatly appreciated.

 

Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012
0

Re: SRX <-> Cyberoam IPSEC large packet issues

Hi,

 

Have you configured  tcp-mss for IPsec traffic to eliminate the possibility of fragmented TCP traffic ?

 

set security flow tcp-mss ipsec-vpn mss 1350

 

 (you can use this value as starting point and try further reducing if it does not help)

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Re: SRX <-> Cyberoam IPSEC large packet issues

Hi,

 

This is in place and there is zero change in behaviour. No change is observed between this directive being in place and not being in place.

 

Further, the fact that this does not occur for the SSG<->Cyberoam tunnel or the SRX<->SSG tunnel indicates that there is a quirk on the SRX causing this issue.

 

Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Re: SRX <-> Cyberoam IPSEC large packet issues

Further, fragmentation is a performance issue - no amount of fragmentation could possibly cause this issue. 

 

Contributor
TheEvilMuppet
Posts: 11
Registered: ‎05-29-2008
0

Re: SRX <-> Cyberoam IPSEC large packet issues

Further strangeness has been observed here:

 

  • File transfers from the Cyberoam network to the SRX network are fine and work as expected
  • File transfers and web page loads served from the SRX network to the Cyberoam network do not work as expected

When attempting to download a file or web page from the SRX network using a host in the Cyberoam network, the following is observed:

 

  • The security policy statistics show no output byes or packets at all from the time that the transfer is initiated . The input byte and packet count remains constant
  • The ipsec tunnel statistics show an increase in encrypted bytes and packets over time as TCP retries occur but the decrypted bytes and packets remain constant throughout the attempt

None of this behaviour is observed in either our SSG<->SRX tunnel or our SSG<->Cyberoam tunnel and none of those tunnels were configured with anything other than default phase 1 and phase 2 settings.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.