[j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
Stephen Gill
gillsr at yahoo.com
Mon Jan 27 11:04:27 EST 2003
Unfamiliar with your topology, you might be well off enabling 'set flow
tcp-mss' with a value such as 1400 on the Netscreen. There is also a
Netscreen admin mailing list if you have specific NS questions or
interests in that area.
http://www.qorbit.net/nn/index.html
-- steve
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
Sent: Monday, January 27, 2003 8:43 AM
To: Yuki Arif (EID); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
| I have an IPSEC problem between Netscreen 204 and Juniper router.
|
| It seems the netscreen encapsulated the incoming packet with IPSEC header
| and if the total size of the packet is bigger than allowed MTU of the netscreen
| interface towards Juniper router, it will do fragmentation.
It's the right thing to do... M stands for maximum.
| This causes problem with my http traffic.
Fragment drops someplace else causes the problem, not fragmentation
itself.
| How should I handle this problem in juniper part?
Unless you can increase the MTU, this problem should be handled at the IPSEC
gateway by means such as MSS Clamping.
Rubens Kuhl Jr.