SRX Services Gateway

mtu

‎09-23-2019 04:35 PM

Hi all,

What do you think about the following configuration of an ADSL card inserted into an SRX branch series device? What is wrong that still causes fragmentation on the IPsec link over ADSL? And why is the ADSL protocol MTU 1492... does it mean the ADSL overhead is 1512-1492=20 bytes?

 

SRX> show interfaces extensive at-1/0/0 | match mtu
Link-level type: ATM-PVC, MTU: 1512, Clocking: Internal, ADSL mode, Speed: ADSL2+, Loopback: None
Carrier transitions: 0, Errors: 0, Drops: 0, Aged packets: 0, MTU errors: 0, Resource errors: 0
Protocol inet, MTU: 1492, Generation: 171, Route table: 0

 

SRX> show configuration interfaces at-1/0/0 | display set
set interfaces at-1/0/0 mtu 1512
set interfaces at-1/0/0 encapsulation atm-pvc
set interfaces at-1/0/0 atm-options vpi 8
set interfaces at-1/0/0 atm-options vpi 1
set interfaces at-1/0/0 dsl-options operating-mode annexm-adsl2plus
set interfaces at-1/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-1/0/0 unit 0 vci 1.34
set interfaces at-1/0/0 unit 0 ppp-options chap default-chap-secret xxxxxxxxxxx
set interfaces at-1/0/0 unit 0 ppp-options chap local-name yyyyyyyyyyyyyyy
set interfaces at-1/0/0 unit 0 ppp-options chap passive
set interfaces at-1/0/0 unit 0 family inet filter input FirewalF_Pro_at_if
set interfaces at-1/0/0 unit 0 family inet negotiate-address


SRX> show configuration | display set | match mss
set security flow tcp-mss all-tcp mss 1450
set security flow tcp-mss ipsec-vpn mss 1328


Re: mtu

‎09-23-2019 04:47 PM
Check by changing all-tcp mss to 1328.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: mtu

‎09-23-2019 05:12 PM

Nellikka, why did you say to change all-tcp mss to 1328? Any explanation, please?

Also, is the following "Fragment packets:" number a cumulative total of the IPsec and non-IPsec fragmentation, or not?

 

srx> show security flow statistics
Current sessions: 231
Packets forwarded: 511789091
Packets dropped: 4683480
Fragment packets: 71259

 


Re: mtu

‎09-24-2019 04:58 AM

Any reply, please?


Re: mtu

‎09-26-2019 10:49 AM

Hello, could you try:

set security ipsec vpn npv df-bit copy
set security flow tcp-mss ipsec-vpn mss 1350

If you still see the problem, then we will have to do pcaps to take a deeper dive:

https://rtodto.net/ipsec-tcp-mss-df-bit-and-fragmentation-in-srx/


Re: mtu

‎10-01-2019 12:00 AM

Yes. The number below is a cumulative, system-wide number.

As far as the all-tcp mss is concerned, please consider the following:

Total packet size = TCP MSS (payload) + IP header + IPsec header (if encrypted) + VLAN (if any) + L2 header.


@Arix wrote:

Nellikka, why did you say to change all-tcp mss to 1328? Any explanation, please?

Also, is the following "Fragment packets:" number a cumulative total of the IPsec and non-IPsec fragmentation, or not?

 

srx> show security flow statistics
Current sessions: 231
Packets forwarded: 511789091
Packets dropped: 4683480
Fragment packets: 71259
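
Added example (not part of the original thread or any poster's reply): a Python sketch of the packet-size arithmetic discussed above, computing the outer packet size for ESP tunnel mode at each MSS value mentioned in the thread against the 1492-byte inet MTU shown for at-1/0/0. The cipher suite (AES-CBC with HMAC-SHA1-96), IPv4 and TCP headers without options, and all function names are assumptions, since the thread does not state the IPsec proposal.

```python
"""ESP tunnel-mode size check for the MSS values discussed in this thread."""

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length (1) + next-header (1)
NATT_UDP = 8       # UDP encapsulation header when NAT-T is in use

# Assumed proposal (the thread does not state one): AES-CBC + HMAC-SHA1-96.
AES_CBC_SHA1 = {"iv": 16, "block": 16, "icv": 12}


def esp_packet_size(inner_len, suite=AES_CBC_SHA1, nat_t=False):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    block = suite["block"]
    # Inner packet + trailer is padded up to a whole cipher block.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    outer = IP_HDR + ESP_HDR + suite["iv"] + encrypted + suite["icv"]
    return outer + (NATT_UDP if nat_t else 0)


def max_mss(link_mtu, suite=AES_CBC_SHA1, nat_t=False):
    """Largest TCP MSS whose encrypted packet still fits in link_mtu."""
    fixed = IP_HDR + ESP_HDR + suite["iv"] + suite["icv"]
    fixed += NATT_UDP if nat_t else 0
    block = suite["block"]
    encrypted = (link_mtu - fixed) // block * block
    return encrypted - ESP_TRAILER - IP_HDR - TCP_HDR


def report(link_mtu, mss_values, **kw):
    """Return (mss, outer_size, fits) for full-size segments at each MSS."""
    rows = []
    for mss in mss_values:
        outer = esp_packet_size(mss + TCP_HDR + IP_HDR, **kw)
        rows.append((mss, outer, outer <= link_mtu))
    return rows


if __name__ == "__main__":
    # 1492 is the inet MTU shown for at-1/0/0; MSS values are from the thread.
    for mss, outer, fits in report(1492, [1450, 1350, 1328]):
        print(f"MSS {mss}: outer packet {outer} bytes, fits={fits}")
    print("largest MSS that fits:", max_mss(1492))
```

TCP MSS clamping only constrains TCP segments; large UDP or ICMP packets entering the tunnel can still be fragmented regardless of these settings.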