Our network is either side of the Cisco routers. The bit in the middle is provided by a 3rd party. We use OSPF for routing. There are no specific MTUs in place on any device.
At present our IPSEC VPN tunnel will only come up if there is a static route in place on SRX2 telling it how to get to CISCO1 via a local interface. CISCO2 is unable to form an OSPF adjacency, whereas CISCO1 is. When the tunnel is up, it is not 'reliable' i.e. as soon as any load is passed over it pings start dropping, file transfers won't complete and all sorts of fragmentation is seen on the Cisco routers, which I think points to an MTU issue. The third party has tried setting an interface MTU of 1420 at both ends, which we've matched on our SRX devices, but this causes our IPSEC tunnel to drop and stay down. We've also tried setting the VPN MTU at 1420, but with no success either. The media type connected to CISCO1 is fibre, and at CISCO2 VDSL.
Does anyone have any experience of this kind of issue or suggestions as to how we might solve it?
I'm not sure how to properly answer that question. The tunnel is up, it does pass traffic, but not reliably as described in my OP. I have tried various MTUs on both the physical and the ST interfaces. I've also tried setting the MSS value for the VPN. Furthermore, I have tried setting the df-bit as clear and copy. OSPF is set on the ST interfaces and appears to be working,
Try to ping the srx2 st0 interface ip from srx1 and find out the working MTU. What is the size of the file you are transferring? And find out the MSS value in the TCP handshake from client and server packet capture. If the MSS value is higher than the st0 working MTU, set the MSS value less than that in both SRX.
set security flow tcp-mss all-tcp < ..>
Thanks, Nellikka JNCIE x3 (SEC #321; SP #2839; ENT #790) Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
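The sweep-and-clamp procedure from the answer above, written out as an added example (it is not code from the thread, from Juniper or from the poster): binary-search the largest Don't-Fragment ping that crosses the tunnel, derive the MSS that fits that MTU, and flag a captured SYN whose advertised MSS is too large. It assumes a Linux host behind SRX1 (iputils `ping -M do`), IPv4 with no IP/TCP options (so MSS = MTU - 40), and tcpdump-style capture lines; the simulated probe in `__main__` is constructed for offline use.

```python
"""Find the working tunnel MTU and the matching 'set security flow tcp-mss' value."""
import re
import subprocess
from typing import Callable

IP_HDR, TCP_HDR, ICMP_HDR = 20, 20, 8  # IPv4 header sizes without options


def linux_df_probe(target: str) -> Callable[[int], bool]:
    """Build a probe that sends one Don't-Fragment ping of the given total IP
    size to `target` (Linux iputils: -M do sets DF, -s is the ICMP payload)."""
    def probe(mtu: int) -> bool:
        payload = mtu - IP_HDR - ICMP_HDR
        result = subprocess.run(
            ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), target],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0  # non-zero when fragmentation is needed or no reply
    return probe


def find_working_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IP packet size in [lo, hi] that passes unfragmented.
    Binary search keeps the sweep to about ten pings instead of hundreds."""
    if not probe(lo):
        raise RuntimeError("even %d bytes does not pass; check reachability first" % lo)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1      # mid is dropped, so the answer is below it
    return lo


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that lets one full segment fit in a packet of this MTU (IPv4, no options)."""
    return mtu - IP_HDR - TCP_HDR


MSS_RE = re.compile(r"\bmss (\d+)")


def syn_mss_too_large(capture_line: str, working_mtu: int) -> bool:
    """True when a captured SYN advertises an MSS that would yield segments
    larger than the working MTU, i.e. MSS clamping on the SRX is needed."""
    match = MSS_RE.search(capture_line)
    if match is None:
        raise ValueError("no MSS option found in capture line")
    return int(match.group(1)) > mss_for_mtu(working_mtu)


if __name__ == "__main__":
    # Constructed stand-in for the tunnel: anything above 1380 bytes is dropped.
    simulated_tunnel = lambda size: size <= 1380
    mtu = find_working_mtu(simulated_tunnel)
    print("working MTU %d -> set security flow tcp-mss all-tcp mss %d" % (mtu, mss_for_mtu(mtu)))
```

To run it against the real tunnel, pass `linux_df_probe("<st0 address of SRX2>")` to `find_working_mtu` instead of the simulated probe.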