Screen OS

  • 1.  Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]

    Posted 09-20-2010 14:19

    I was able to set up a policy-based VPN to a government agency Cisco ASA. Problems occur with dropped packets, making the services they provide us almost impossible to use. After working with their tech support team, I was informed that Juniper devices do not count the L2 header as part of the length of the frame (PPP = 4-byte header) and this is causing a mismatch in the packet size, which eventually leads to dropped packets instead of fragmenting them.

    The course of action I was asked to take was to set my MTU to 1504. I logged into my Juniper only to find out that this cannot be done. Is there something I am missing, or am I indeed out of luck in this regard?

    I have Juniper NS5GTs, NS204 and NS208, all running ScreenOS 5.4.r12.

    If I have to upgrade, please let me know. This is an option I can bring before my employer and maybe get an SSG device.

    Thanks



  • 2.  RE: Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]

    Posted 09-20-2010 17:59

    I'm seeing the same limit of base MTU size of 1280-1500 right up to ScreenOS 6.3.

    There is jumbo frame support, but that starts at 1515 and I doubt your tunnel would support jumbo frames anyway.

    Maybe something can be done with fragmentation settings? But I'm not seeing anything obvious to me.



  • 3.  RE: Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]

    Posted 09-20-2010 18:18

    Can you give me some pointers on configuring fragmentation settings? I will attempt to see if that can help solve this problem. It's kind of a deal breaker, sadly, since we forked over a ton of cash for said service and the vendor assured us verbally and in writing that it would work with Juniper hardware.

    I'll also see if they can try to reduce their MTU size on packets being transmitted through the VPN to us, but as they are a government agency ... I'm sure red tape and bureaucracy rule the day and this request may never see the light of day.

    Either way, thanks for your help.



  • 4.  RE: Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]

    Posted 09-20-2010 18:49

    Hi,

     

    I've come across similar issues, but it was related to fragmentation. I would try the following.

    get flow tcp-mss (record value)

    set flow tcp-mss 1350

    test

    If that doesn't work, try 1300. If needed, roll back. Depending on the app/protocol, the IPsec overhead typically exceeds the max MTU; "flow tcp-mss" is used to control and limit fragmentation by ensuring the IPsec packet doesn't exceed the MTU.

    -John
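The arithmetic behind John's advice, as an added example that is not part of the original thread and not ScreenOS or ASA code. It models an ESP tunnel-mode SA with AES-CBC and HMAC-SHA1-96 (block, IV and ICV sizes are assumptions; adjust for your proposal) and shows why a 1460-byte MSS produces a 1560-byte packet that no 1500-byte link can carry, while clamping the MSS keeps the encrypted packet under the MTU. The treatment of the DF bit (an inner DF copied to the outer header means the oversized packet is dropped rather than fragmented) is also an assumption about gateway behaviour, not a statement about either vendor's implementation.

```python
"""Why a lower TCP MSS fixes an IPsec-over-1500-MTU problem that a higher interface MTU cannot.

Assumed SA: ESP tunnel mode, AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV).
Sizes follow RFC 4303 framing; the DF handling is a modelling assumption (see lead-in).
"""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI + sequence number
NAT_T_UDP = 8     # UDP header added by NAT traversal (RFC 3948)


@dataclass(frozen=True)
class EspParams:
    block: int = 16      # cipher block size; padding brings (payload + 2) to a multiple of this
    iv: int = 16         # IV length carried in the ESP payload
    icv: int = 12        # truncated integrity check value
    nat_t: bool = False  # whether UDP encapsulation is in use


def esp_tunnel_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    pad = (-(inner_len + 2)) % p.block       # pad so that payload + pad + pad-len + next-header is block-aligned
    size = IP_HDR + ESP_HDR + p.iv + inner_len + pad + 2 + p.icv
    if p.nat_t:
        size += NAT_T_UDP
    return size


def tcp_segment_outcome(mss: int, link_mtu: int = 1500, df: bool = True,
                        p: EspParams = EspParams()) -> str:
    """What happens to a full-size TCP segment of the given MSS when it enters the tunnel.

    'ok'       : the encrypted packet fits the link MTU.
    'drop'     : too big and DF is set (assumed copied to the outer header), so it is discarded
                 and PMTUD is relied on to tell the sender.
    'fragment' : too big and DF is clear, so the gateway fragments the outer packet.
    """
    inner = IP_HDR + TCP_HDR + mss
    outer = esp_tunnel_size(inner, p)
    if outer <= link_mtu:
        return "ok"
    return "drop" if df else "fragment"


def max_tcp_mss(link_mtu: int = 1500, p: EspParams = EspParams()) -> int:
    """Largest MSS whose full-size segment still fits the link after encapsulation.

    Because ESP pads to the cipher block size, the answer is not simply link_mtu minus a constant,
    so the function searches downward rather than subtracting an overhead figure.
    """
    mss = link_mtu - IP_HDR - TCP_HDR
    while mss > 0 and tcp_segment_outcome(mss, link_mtu, True, p) != "ok":
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1398, 1350, 1300):
        inner = IP_HDR + TCP_HDR + mss
        print(f"MSS {mss}: inner {inner} -> outer {esp_tunnel_size(inner)} bytes, "
              f"DF set: {tcp_segment_outcome(mss)}, DF clear: {tcp_segment_outcome(mss, df=False)}")
    print("max MSS without NAT-T:", max_tcp_mss())
    print("max MSS with NAT-T:   ", max_tcp_mss(p=EspParams(nat_t=True)))
```

Running it shows that with this SA the largest MSS that survives a 1500-byte link is 1398 (1382 with NAT-T), so the 1350 and 1300 values suggested above both leave headroom; raising the Juniper's interface MTU to 1504 would not change the size of the packet the far end has to carry.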



  • 5.  RE: Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]

    Posted 09-21-2010 06:33

    I'll try your suggestion today, John. It seems counterintuitive to reduce the value instead of increasing it, but at this stage I will try anything. I would like to find more information on tcp-mss settings. I had never had to change the setting before and still need to learn the difference between that and simply setting the MTU on physical or logical interfaces such as tunnels.



  • 6.  RE: Policy based VPN to cisco ASA drops packets [need to set MTU to 1504]
    Best Answer

    Posted 11-03-2010 07:40

    Ended up having to replace my NS50 with a Cisco ASA 5505 😞