[j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
Yuki Arif (EID)
Yuki.Arif at eid.ericsson.se
Tue Jan 28 10:33:14 EST 2003
Thanks for all response,
I also got a same case from this following web site.
http://www.netscreenforum.com/viewtopic.php?t=157
Best Regards
Yuki
-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com]
Sent: Tuesday, January 28, 2003 12:04 AM
To: 'Rubens Kuhl Jr.'; 'Yuki Arif (EID)'; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
Unfamiliar with your topology, you might be well off enabling 'set flow
tcp-mss' with a value such as 1400 on the Netscreen. There is also a
Netscreen admin mailing list if you have specific NS questions or
interests in that area.
http://www.qorbit.net/nn/index.html
-- steve
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl
Jr.
Sent: Monday, January 27, 2003 8:43 AM
To: Yuki Arif (EID); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
| I have an IPSEC problem between Netscreen 204 and Juniper router.
|
| It seems the netscreen encapsulated the incoming packet with IPSEC
header
| and if the total size of the packet bigger than allowed MTU of the
netscreen
| interface towards Juniper ruter, it will do fragmentation.
It's the right thing to do... M stands for maximum.
| This cause problem with my http traffic.
Fragment drops someplace else causes the problem, not fragmentation
itself.
| How should i handle this problem in juniper part ?
Unless you can increase the MTU, this problem should be handled at the
IPSEC
gateway by means such as MSS Clamping.
Rubens Kuhl Jr.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list