[j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem

Yuki Arif (EID) Yuki.Arif at eid.ericsson.se
Tue Jan 28 10:33:14 EST 2003


Thanks for all the responses,

I also found the same case on the following web site.

http://www.netscreenforum.com/viewtopic.php?t=157

Best Regards


Yuki

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com]
Sent: Tuesday, January 28, 2003 12:04 AM
To: 'Rubens Kuhl Jr.'; 'Yuki Arif (EID)'; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


Unfamiliar with your topology, you might be well off enabling 'set flow
tcp-mss' with a value such as 1400 on the Netscreen.  There is also a
Netscreen admin mailing list if you have specific NS questions or
interests in that area.

http://www.qorbit.net/nn/index.html

-- steve

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
Sent: Monday, January 27, 2003 8:43 AM
To: Yuki Arif (EID); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


| I have an IPSEC problem between Netscreen 204 and Juniper router.
|
| It seems the netscreen encapsulated the incoming packet with IPSEC header
| and if the total size of the packet is bigger than the allowed MTU of the
| netscreen interface towards Juniper router, it will do fragmentation.

It's the right thing to do... M stands for maximum.

| This causes problems with my http traffic.

Fragment drops someplace else cause the problem, not fragmentation itself.

| How should I handle this problem in the Juniper part?

Unless you can increase the MTU, this problem should be handled at the IPSEC
gateway by means such as MSS Clamping.


Rubens Kuhl Jr.
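
An added example, not part of any message in this thread: a small calculator for ESP tunnel-mode overhead that shows which TCP MSS values keep a full-size segment under the link MTU, which is the point of the MSS clamping and `set flow tcp-mss` advice above. The thread does not say which transforms the tunnel uses, so the two listed here, IPv4 without options and no NAT-T are assumptions.

```python
# Added example: ESP tunnel-mode sizing for IPv4.
# The transform parameters below are assumptions; the thread does not name them.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers, no options

# name -> (cipher block size, IV length, ICV length), all in bytes
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_packet_len(inner_len, block, iv, icv):
    """Size of the outer packet that carries an inner IP packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block size
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_mss(mtu, block, iv, icv):
    """Largest TCP MSS whose full-size segment still fits in mtu after ESP."""
    room = mtu - OUTER_IP - ESP_HDR - iv - icv
    max_inner = (room // block) * block - ESP_TRAILER
    return max_inner - TCP_IP_HDRS

def fits(mss, mtu, transform):
    """True if a full-size segment with this MSS needs no fragmentation."""
    block, iv, icv = TRANSFORMS[transform]
    return esp_packet_len(mss + TCP_IP_HDRS, block, iv, icv) <= mtu

if __name__ == "__main__":
    for name, params in TRANSFORMS.items():
        print(name, "max MSS at MTU 1500:", max_mss(1500, *params))
        for mss in (1460, 1400):
            verdict = "fits" if fits(mss, 1500, name) else "needs fragmentation"
            print("  MSS", mss, verdict)
```

Under these assumptions a clamp of 1400 fits at MTU 1500 with 3DES-CBC, but with AES-CBC the limit is 1398, so the clamp value should be checked against the transforms actually configured.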



