ScreenOS Firewalls (NOT SRX)

MTU Dilemma

05-24-2011 11:56 AM

I manage a SSG-520M running 6.3.0r5.0 and I'm experiencing some issues with my MTU settings.


I first became aware of the problem when users reported not being able to set up VTC calls and access HTTPS-enabled websites.  The first thing I did was recognize that VTC and HTTPS were both TCP-based, so I assumed firewall policy.  Then I had users from a different zone attempt these connections.  They were successful, so that eliminated firewall policy because these settings were the same on both zones.


Long story short, it was found to be an MTU issue between this firewall and a router.


On the firewall GUI there is a setting for "Admin MTU", which was set to 0 for default.  In parentheses next to it, it says "Operating MTU: 1500; Default MTU: 1500".  Since the router was configured to accept the default MTU (1500), it was thought that this setting was moot.


To band-aid the issue I entered "set flow all-tcp-mss 1433" on the firewall.  After this command was entered all traffic behaved as expected.


Sometime afterwards, plans to re-architect this network were set into motion, and in the mock network I noticed the command "set interface ethernetx/x mtu 1500" was set on the interfaces in the configuration text file.  So I went back to the functional network, removed the "set flow all-tcp-mss 1433" command, entered the "set interface ethernetx/x mtu 1500" commands, and everything worked.


My question is: what exactly is "Admin MTU"?  Had I known that was how you hard-set the MTU, then I could've avoided having to find out about the "set flow all-tcp-mss" command.  Since the GUI stated that operating MTU and default MTU were set to 1500, I took it that I couldn't adjust them.  I had no idea that "Admin MTU" controlled that.


My follow-up question is why does this MTU problem exist between a directly connected Juniper M7i and an SSG-520M?  The M7i replaced a Cisco 3745 that never had an MTU issue with the SSG-520M.


Any comments and questions are welcome...
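The post above narrows the fault to an MTU mismatch between the SSG-520M and the M7i and fixes it first with a TCP MSS clamp, then with an explicit interface MTU. The check a practitioner would want before and after either change is a path-MTU probe: send Don't-Fragment pings of increasing size and find the largest one that gets through, then compare that against the MSS being advertised. The following is an added example, not code from the forum thread or from Juniper; it assumes a Linux host where `ping -M do -s <bytes>` sends a single DF-set echo request (the `-s` value is the ICMP payload, so 1472 gives a 1500-byte IP packet). The `simulated_probe` path and the 192.0.2.1 target are constructed so the script runs offline; on a live network swap in `real_probe`.

```python
"""Path-MTU probe and MSS check.

Added example (not from the forum thread). Assumes a Linux `ping` whose
`-M do` flag sets DF and whose `-s` value is the ICMP payload size.
The simulated probe is constructed for offline use.
"""
import subprocess
from typing import Callable

IP_HDR = 20     # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header
TCP_HDR = 20    # TCP header without options


def ping_df_command(target: str, payload: int) -> list[str]:
    """Build the Linux ping invocation for one DF-set probe of `payload` bytes."""
    return ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), target]


def real_probe(target: str) -> Callable[[int], bool]:
    """Probe backed by the real ping binary (needs a network; untested offline)."""
    def probe(payload: int) -> bool:
        rc = subprocess.run(ping_df_command(target, payload),
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
        return rc == 0
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in: a path that drops any DF packet larger than path_mtu."""
    def probe(payload: int) -> bool:
        return payload + ICMP_HDR + IP_HDR <= path_mtu
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 68, hi: int = 1500) -> int:
    """Binary-search the largest total IP packet size that passes with DF set.

    lo and hi are total IP packet sizes. lo must pass (68 is the IPv4
    minimum MTU); hi is the largest size worth testing, normally the
    local interface MTU. Returns the discovered path MTU.
    """
    if not probe(lo - IP_HDR - ICMP_HDR):
        raise RuntimeError("even the minimum-size probe fails; this is not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2          # round up so lo always advances
        if probe(mid - IP_HDR - ICMP_HDR):
            lo = mid                      # mid fits: the answer is at least mid
        else:
            hi = mid - 1                  # mid needs fragmentation: answer is below
    return lo


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS a path of this MTU can carry without fragmentation."""
    return mtu - IP_HDR - TCP_HDR


def mss_fits(path_mtu: int, mss: int) -> bool:
    """True if a TCP segment with this MSS crosses the path with DF set."""
    return mss + IP_HDR + TCP_HDR <= path_mtu


def diagnose(probe: Callable[[int], bool], advertised_mss: int = 1460) -> dict:
    """Summarise what the probe found and whether the advertised MSS is safe."""
    pmtu = find_path_mtu(probe)
    return {
        "path_mtu": pmtu,
        "max_safe_mss": mss_for_mtu(pmtu),
        "advertised_mss": advertised_mss,
        "black_hole_risk": not mss_fits(pmtu, advertised_mss),
    }


if __name__ == "__main__":
    # Offline demonstration against a constructed 1400-byte path.
    print(diagnose(simulated_probe(1400)))
```

The `black_hole_risk` flag is the condition behind the original symptom: small packets (SYN, DNS, short HTTP) get through, but full-size TLS and video segments sent with DF set are dropped somewhere on the path, so only the large-transfer protocols appear broken. Run `diagnose(real_probe("<far-side address>"))` with the interface MTU unset and again with it set to see whether the path MTU actually changes.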

2 REPLIES

Re: MTU Dilemma

05-24-2011 04:38 PM

An interesting test would be to unset the MTU value and let it go back to defaults and see if the problems you were seeing return.

-kr



Re: MTU Dilemma

05-25-2011 07:38 AM

I can try it, but that would mean putting the settings back to the way they were when this problem was first encountered...


I doubt it will work, but it would only take 10 minutes to do the test, probably less than that...