SRX

Hi.

I have recently installed a SRX210 with ADSL PIM. I have configured a PPPoA connection and setup the relavant NAT rules etc. I can browse the Internet without issue however we have found an issue in out testing. The iTunes Store will not work.

From the issue I am having it would appear this web site explains my issue

ISA2004 & Itunes

The article talks about iTunes sending compressed packets back and then getting blocked by ISA. If I go back to my old ADSL router everything works fine. So it is definitely something in the SRX configuration and I would suspect the above seems logical.

Does anyone have any thoughts on what could be the cause of the issue and / or how I could achive the same fix as mentioned in the above article on a SRX box?

Thanks in advance for your help.

Regards

I've got an SRX210 using PPPoE and the iTunes store works fine.

What version of JunOS are you using? Also it might be helpful to post your config.

Hi. Thanks for your response.

Running Junos 10.0R1.8. The iTunes store works, I can browse the store with no issues. As soon as I try and purchase content of view account information it just times out. The Apple TV I have on the network has the same issue. I plugged the old router back in and all ok again.

Config file attached.

Attachment(s)

config.txt   10 KB 1 version

HI Everyone.

Just wondering if anyone else has any ideas here. Further usage and investigation reveals it is not just the Apple iTunes that does not work.

Many but not all ssl connections will not function. E.g. Bankng sites etc. So it appears some sort of encryption is not getting through but unsure what.

Thanks.

Hello,

I wonder is you have this line in the config

set security nat source address-persistent

It does not appear in the config You posted.

The common problem with online banking is that server requests many HTTPS connections towards self (bit like Google Maps but over HTTPS) and checks if they all are coming from same source IP.

HTH

Rgds

Alex

address-persistent probably will not make any difference because source-nat interface is configured. Persistent is useful if you have a nat address pool with multiple addresses. But since there is only one IP with interface NAT, then all sessions will use same IP anyway.

I would suggest running flow traceoptions filtering for itunes IP. Flow trace should show if SRX is dropping any traffic and if so, then why.

-Richard

Ok for those I come across a similar issue later.

I set the MSS on all-tcp to 1300 and set the MTU on the DSL interface to 1492.

After this it all works.

Hi

Can you pls check what happens when you try with Default MTU?

We have Physical interface MTU as: 1496 and Logical Interface MTU as: 1490?

Does changing the MTU from 1496 to 1492 make any significant difference? Can you pls check whether you changed the MTU at at-x/x/x or at-x/x/x unit 0?

thanks

Shashi

having same issue

How do you set mss and mtu on a srx210    I have a static ip dsl coming in on ge-0/0/1.0

thanks

Hi Everyone,

I am facing the same type issue, SRX240H with ADSL line, no traffic goes across from Apple TV, Sony Blue Ray DVD when trying to use Netflix, or iTunes store etc.

I have been working with J-TAC team for 2 days now and still no resolution.

I just can't believe that this is an issue on SRX240H, I've already tried on 3 deferent firmware versions.(12r1, 11.2, 10.)

However everything works fine when i switch over back to my Cisco gear infrastructure.

Please advise,

Thank you in advance.