ScreenOS Firewalls (NOT SRX)

TCP MSS value modification in GPRS flow

02-16-2009 11:52 AM

Does the 'set flow all-tcp-mss' option apply to GPRS TCP flow?

The TCP segments would then be encapsulated as follows: L2/IP/UDP/GTP/IP/TCP.

Is this option hardware (SSG/NetScreen model) and/or software (ScreenOS version) dependent?

Thanks for your help!!

Hachem

4 REPLIES

Re: TCP MSS value modification in GPRS flow

02-17-2009 03:16 AM

Hi,

- set flow tcp-mss
Enables a TCP handshake tweak in which the maximum segment size parameter issued by the two hosts at the end of the TCP session is set to the number you specify. This ONLY AFFECTS PACKETS THAT THE NETSCREEN CREATES ITSELF, i.e. packets that enter a tunnel at the NetScreen.

- set flow all-tcp-mss
Enables the same TCP handshake tweak for ALL TCP sessions negotiated through the NetScreen.

 

Gavrilo


Re: TCP MSS value modification in GPRS flow

02-17-2009 07:59 AM

Thanks, Gavrilo, for your input. I did read the configuration docs as well.

The question is whether flow "all-tcp-mss", which applies to "ALL TCP sessions negotiated through the netscreen", includes the case where the TCP flow is double-encapsulated, meaning TCP in IP in GTP in UDP in IP in Eth, or only simple encapsulation like TCP in IP in Eth.

If it does cover the GTP tunneling case, does it require special GPRS licencing?

In case of IP fragmentation, what happens if the TCP header is not in the first fragment?

Thanks,

Hachem


Re: TCP MSS value modification in GPRS flow

02-18-2009 02:57 AM

The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC would be 1500 bytes.

 

The question is if flow "all-tcp-mss" that applies to "ALL TCP sessions negotiated through the netscreen" includes when TCP flow is double-encapsulated meaning TCP in IP in GTP in UDP in IP in Eth or only simple encapsulation like TCP in IP in Eth.

 

I can't be certain on this, but I think the capitals used for ALL TCP sessions would suggest it does.

 

If it does cover the GTP tunneling case, does it require special GPRS licencing?

 

I don't know; I suggest you contact your sales people for this info.

 

In case of IP fragmentation, what happens if the TCP header is not in the first fragment?

 

TCP sessions would be dropped, so you would need to do something like an ip tcp adjust command, which would help prevent TCP sessions from being dropped by adjusting the MSS value of the TCP SYN.

 

Gavrilo

 


Re: TCP MSS value modification in GPRS flow

02-18-2009 03:05 AM

BTW

 

I think the NetScreen command is set envar max-frame-size=XXXX

 

Gavrilo