ScreenOS Firewalls (NOT SRX)
Visitor
Hachem
Posts: 2
Registered: ‎02-16-2009

TCP MSS value modification in GPRS flow

Does the 'set flow all-tcp-mss' option apply to GPRS TCP flow?

The TCP segments would then be encapsulated as follows: L2/IP/UDP/GTP/IP/TCP.

Is this option hardware (SSG/NetScreen model) and/or software (ScreenOS version) dependent?

Thanks for your help!!

Hachem

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: TCP MSS value modification in GPRS flow

Hi,

- set flow tcp-mss
enables a TCP handshake tweak in which the maximum segment size parameter issued by the two hosts at the end of the TCP session is set to the number you specify. This ONLY AFFECTS PACKETS THAT THE NETSCREEN CREATES ITSELF - i.e. packets that enter a tunnel at the NetScreen.

- set flow all-tcp-mss
enables the same TCP handshake tweak for ALL TCP sessions negotiated through the NetScreen.

Gavrilo

Visitor
Hachem
Posts: 2
Registered: ‎02-16-2009

Re: TCP MSS value modification in GPRS flow

Thanks Gavrilo for your input, I did read the configuration docs as well.

The question is if flow "all-tcp-mss" that applies to "ALL TCP sessions negotiated through the netscreen" includes when TCP flow is double-encapsulated, meaning TCP in IP in GTP in UDP in IP in Eth, or only simple encapsulation like TCP in IP in Eth.

If it does cover the GTP tunneling case, does it require special GPRS licensing?

In case of IP fragmentation, what happens if the TCP header is not in the first fragment?

Thanks,

Hachem

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: TCP MSS value modification in GPRS flow

The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC would be 1500 bytes.

The question is if flow "all-tcp-mss" that applies to "ALL TCP sessions negotiated through the netscreen" includes when TCP flow is double-encapsulated, meaning TCP in IP in GTP in UDP in IP in Eth, or only simple encapsulation like TCP in IP in Eth.

I can't be certain on this but I think the capitals used for ALL TCP sessions would suggest it does.

If it does cover the GTP tunneling case, does it require special GPRS licensing?

I don't know, I suggest you contact your sales people for this info.

In case of IP fragmentation, what happens if the TCP header is not in the first fragment?

TCP sessions would be dropped, so you would need to do something like an ip tcp adjust command, which would help prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN.

Gavrilo

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: TCP MSS value modification in GPRS flow

BTW

I think the NetScreen command is set envar max-frame-size=XXXX

Gavrilo
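
To make the L2/IP/UDP/GTP/IP/TCP case from the question concrete, here is an added example (not from the thread or from Juniper) that locates the MSS option of a SYN inside a GTP tunnel and computes the largest inner MSS that avoids fragmentation. It assumes GTPv1 user-plane framing on UDP port 2152 and IPv4 without options; the function names and the sample packet are constructed for illustration.

```python
# Added example: names are illustrative, the sample packet is constructed.
import struct

GTPU_PORT = 2152  # assumption: GTPv1 user plane (GTPv0 framing differs)

def _ipv4(buf):
    """Return (protocol, fragment offset, payload) of an IPv4 packet."""
    ver_ihl, _, total, _, frag, _, proto = struct.unpack("!BBHHHBB", buf[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return proto, frag & 0x1FFF, buf[(ver_ihl & 0x0F) * 4:total]

def inner_syn_mss(outer_ip):
    """MSS option of a TCP SYN carried as IP/UDP/GTP/IP/TCP, else None."""
    proto, frag_off, udp = _ipv4(outer_ip)
    if proto != 17 or frag_off:      # later outer fragment: no UDP/GTP header
        return None
    gtp = udp[8:]                    # too short to hold GTP + inner IPv4?
    if len(gtp) < 32 or struct.unpack("!H", udp[2:4])[0] != GTPU_PORT:
        return None
    if gtp[0] >> 5 != 1 or gtp[1] != 0xFF or (gtp[0] & 0x04 and gtp[11]):
        return None                  # not a GTPv1 G-PDU, or extension headers (not handled)
    proto, frag_off, tcp = _ipv4(gtp[12 if gtp[0] & 0x07 else 8:])
    if proto != 6 or frag_off or len(tcp) < 20 or not tcp[13] & 0x02:
        return None                  # no TCP header in this fragment, or not a SYN
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i + 1 < len(opts) and opts[i] != 0:    # kind 0 ends the option list
        if opts[i] == 1:             # NOP padding, one byte
            i += 1
        elif opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        else:
            i += max(opts[i + 1], 2) # skip option; clamp a malformed length
    return None

def max_inner_mss(outer_mtu, gtp_hdr=8):
    """Largest inner MSS that fits outer_mtu unfragmented (no IP/TCP options)."""
    return outer_mtu - 20 - 8 - gtp_hdr - 20 - 20

def sample_syn(mss):
    """Constructed sample: outer IPv4/UDP/GTPv1-U around an inner TCP SYN."""
    def ip(proto, body, src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                           proto, 0, src, dst) + body
    tcp = struct.pack("!HHIIBBHHHBBH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0, 2, 4, mss)
    inner = ip(6, tcp, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 0x1234) + inner
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ip(17, udp, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
```

With a 1500-byte outer MTU, an inner MSS of 1460 yields 1536-byte outer packets, while 1424 fits exactly. A fragment with a non-zero offset, outer or inner, carries no TCP header, so the parser has no MSS option to read there.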

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.