01-05-2009 05:39 AM
I tried this MSS option, but as soon as we start OSPF on the SSG-140, it starts timing out and packets start dropping. The result is the same with the MSS setting as it was before. Please provide some other solution. If you require, I can send you the configuration.
01-06-2009 08:23 AM
1. Typically we don't hardset the MTU on an interface unless there's a specific need.
Can you unset the MTU settings on the tunnel interfaces on both firewalls:
unset interface tunnel.x mtu 1500
Then also set the 'set flow tcp-mss 1350', and re-describe the symptoms.
2. What ScreenOS version are you running on both SSGs?
3. Observation (not related to your issue):
Typically on the VPN Monitor settings for route-based VPNs running OSPF, the rekey option is also specified, i.e.
set vpn <vpn> monitor optimized rekey
Refer to the following for more info: http://forums.juniper.net/jnet/board/message?board
4. Observation (not related to your issue):
Policy id 2 on NAWABS-SSG is a vulnerable policy.
At least specify specific from and to host IPs.
Once you get it all working (you don't want to do too many changes at once), you may put your tunnel interface in a 'VPN zone', and then create the policies from and to the Trust and 'VPN Zone'. Refer to the following for an example: KB7746 - Full Mesh VPN with OSPF.