SRX Services Gateway

MTU on IPSec over ADSL

‎04-09-2014 05:53 AM

Hi all,

I have ~15 SRX110H2s set up to connect to an SRX650 multipoint st-interface over IPSec. All of those are connected via "regular" Internet connections delivered to us by various ISPs over Ethernet connections. We run OSPF over the IPSec. A couple of days ago we added an additional site, this one over ADSL using the built-in at-interface. The ADSL setup works fine, an IP is acquired over DHCP, and the IPSec connection is established.

Once we got this working I had ICMP pings working in every direction, but some traffic wouldn't get through. I found recommendations on using "set security flow tcp-mss all-tcp mss 1350". I did that and my issues with TCP through the IPSec tunnel seem to have resolved; HTTP traffic which previously didn't work now goes through. However, non-TCP traffic is still troublesome: OSPF is stuck in ExStart (on the spoke side) and Exchange (on the hub side), and WPA2-Enterprise authentication between a Ubiquiti Unifi node and our Active Directory (actually NPS) does not work. The dialogue seems to end with the spoke SRX sending ICMP Time Exceeded packets back to the AD server.

Any hints? I've read that OSPF won't form unless the MTU on the interfaces matches, but that doesn't seem to be the issue here since the st-interfaces (st0.0 on spoke and st0.9 on hub) both have mtu 9192.

When doing pings between the spoke SRX and the AD (over the IPSec tunnel), size 1458 is the largest I can get through; 1459 doesn't work.

Thanks!
