SRX Services Gateway

MTU / MSS issues with SRX box - Ideas ?

05-11-2014 06:57 AM


Hi guys,


My ISP is Xilo.net and the default MTU is 1432. I was originally using a J2320 device with the following configuration.


set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$ghJik5T3t0BZUAp0OREs2gJik"
set interfaces pp0 unit 0 ppp-options chap local-name "17815@tw.uno.net.uk"
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1432
set interfaces pp0 unit 0 family inet sampling input
set interfaces pp0 unit 0 family inet sampling output
set interfaces pp0 unit 0 family inet negotiate-address

set security flow tcp-mss all-tcp mss 1350


Websites load OK.



So today I went about migrating from my J series box to the SRX 110.

It is configured so that fe-0/0/0 is the port which connects to the Draytek modem, and the PPPoE / pp0 adapter dials the connection and authenticates.


I have no issues establishing a connection; my issues start once the connection has established. Pages load very slowly with the above configuration and some pages don't load, so I decided to ditch the J series config and remake one for the SRX.


This is the SRX110 config now:



set system name-server 193.150.34.1
set system name-server 91.230.181.1
set system name-server 8.8.8.8
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$VIYJGkqfn9A24369Cu0NdVYJG"
set interfaces pp0 unit 0 ppp-options chap local-name "17815@tw.uno.net.uk"
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address

set routing-options static route 0.0.0.0/0 next-hop pp0.0

With the config like this I can ping google.com -f -l 1432. This is the correct MTU packet size.


So I added: set interfaces pp0 unit 0 family inet mtu 1432


I still have slow internet.


I then decided to play around with

set security flow tcp-mss all-tcp mss

and inserted values ranging from 1200 upwards to 1400. This made very little difference.

I have also tried removing the MTU from the pp0 adapter and only configuring the MSS settings.


No matter what I do, the pages load slowly.


Ideas, anyone?
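As an added worked example (not code from the post, the poster, or Juniper), here is the arithmetic behind the MTU / MSS figures above in Python: it parses the relevant Junos set lines, derives the largest TCP MSS and the largest Windows ping -l payload that fit a given MTU, and reports whether a tcp-mss clamp is consistent with the pp0 MTU. The function and constant names are my own.

```python
import re

# Header sizes used for the arithmetic (IPv4 and TCP without options, ICMP echo).
IPV4_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8

def parse_junos_set_lines(config: str) -> dict:
    """Pull the 'family inet mtu' and 'tcp-mss all-tcp mss' values out of
    Junos 'set ...' lines; a value is None when its line is absent."""
    mtu = mss = None
    for line in config.splitlines():
        m = re.search(r"family inet mtu (\d+)", line)
        if m:
            mtu = int(m.group(1))
        m = re.search(r"tcp-mss all-tcp mss (\d+)", line)
        if m:
            mss = int(m.group(1))
    return {"mtu": mtu, "mss": mss}

def max_tcp_mss(mtu: int) -> int:
    """Largest IPv4 TCP MSS that still fits in one packet of the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR

def max_windows_ping_payload(mtu: int) -> int:
    """Largest N for a Windows 'ping -f -l N' that fits the MTU with DF set:
    -l sets only the ICMP payload, so the IP packet on the wire is N + 28 bytes."""
    return mtu - IPV4_HDR - ICMP_HDR

def check_mss_clamp(mtu, mss) -> str:
    """One-line verdict on whether the MSS clamp is consistent with the link MTU."""
    if mtu is None:
        return "no 'family inet mtu' on pp0: the platform default MTU applies"
    limit = max_tcp_mss(mtu)
    if mss is None:
        return "no tcp-mss clamp: hosts may offer an MSS sized for their own MTU"
    if mss > limit:
        return f"mss {mss} exceeds the {limit} bytes allowed by mtu {mtu}"
    return f"mss {mss} fits: {limit - mss} bytes of headroom under mtu {mtu}"

# Constructed sample: the two relevant lines from the J2320 configuration in the post.
J2320_CONFIG = """\
set interfaces pp0 unit 0 family inet mtu 1432
set security flow tcp-mss all-tcp mss 1350
"""

if __name__ == "__main__":
    cfg = parse_junos_set_lines(J2320_CONFIG)
    print(check_mss_clamp(cfg["mtu"], cfg["mss"]))
    print("largest ping -l payload:", max_windows_ping_payload(cfg["mtu"]))
```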


Re: MTU / MSS issues with SRX box - Ideas ?

05-12-2014 01:39 AM

Hi Cmia,


Which version of Junos was running in the J2330? In the SRX110, you can try the following:


Disable TCP SYN and TCP sequence check:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

commit


Additionally, you can disable unused processes to free up SRX110 resources, as described in the KB below:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28933&actp=search&viewlocale=en_US&searchid...


I hope disabling TCP SYN and TCP sequence checks will increase throughput.


Thanks,

SHKM


Re: MTU / MSS issues with SRX box - Ideas ?

05-12-2014 06:17 AM

Are you running UTM/IDP, packet filters, or traceoptions by chance?

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46

Re: MTU / MSS issues with SRX box - Ideas ?

05-12-2014 11:17 AM

Hi,

On the SRX JUNOS Software Release [11.2R3.3]
On the J2320 JUNOS Software Release [11.1R4.4]


I will try disabling the TCP SYN check :)


Further reading into this: the TCP SYN check feature basically means the packets become more secure.


As a stateless firewall this added another level of security, but disabling this removes the advantage.


The SRX has one virtual router which is only for the DMZ.

And the main router is used for the other I.net zones.


The J series has 2 virtual routers as well as the main I.net.


None of these routers are actually live. I purchased the J2320, upgraded the CPU from a Celeron to a P4 2.8 GHz and added another 1 GB of RAM, taking it to 1.5 GB.


The J series was to take over from an SSG20, but it was a little too loud and whiny so I purchased an SRX110.


I don't understand why it's not working.


Re: MTU / MSS issues with SRX box - Ideas ?

05-12-2014 11:20 AM


Both of the boxes have the factory UTM/IDP stuff.

No traceoptions on the SRX, but running traceoptions on the J series!


Re: MTU / MSS issues with SRX box - Ideas ?

05-13-2014 01:51 PM

What about file transfers to IP addresses instead of domain names? Wonder if it's a resolving issue?

-------------------------------------------------------------------------------
Ben Boyd
Sr. Solutions Architect
Integration Partners (http://www.integrationpartners.com)
JNCIE-M, JNCIE-ENT, JNCIP-SEC, JNCIA-EX
Twitter - @ozark46
Solution (accepted by topic author cmia, 08-26-2015 01:27 AM)

Re: MTU / MSS issues with SRX box - Ideas ?

05-16-2014 12:28 AM


I just want to update this post :)


It seems nothing was wrong with the config but the SRX needed a reboot.


I have never had to reboot any of my Junipers because I made a new connection!


Re: MTU / MSS issues with SRX box - Ideas ?

05-16-2014 05:36 PM

Disable tcp syn and tcp seq check

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check

I disagree. These are important basic checks on a modern firewall and should rarely be disabled.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home