[j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem

Yuki Arif (EID) Yuki.Arif at eid.ericsson.se
Wed Jan 29 09:54:26 EST 2003


Hello,

I tried Stephen's web site recommendation commands and it still does not work.

The workaround is to reduce the MTU size in the AXI-B router. The IPSEC tunnel is between the Netscreen and AXI-A.

AXI-A  ---------- Netscreen --------- AXI-B.

Do you have other suggestions?

Thanks

Yuki


-----Original Message-----
From: joe lin [mailto:jlin at doradosoftware.com]
Sent: Tuesday, January 28, 2003 11:11 AM
To: Yuki Arif (EID); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


Did you try opening a case with JTAC? They could answer, if you have a
support contract.

----- Original Message -----
From: "Yuki Arif (EID)" <Yuki.Arif at eid.ericsson.se>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, January 28, 2003 10:33 AM
Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


> Thanks for all the responses,
>
> I also got the same case from the following web site.
>
> http://www.netscreenforum.com/viewtopic.php?t=157
>
> Best Regards
>
>
> Yuki
>
> -----Original Message-----
> From: Stephen Gill [mailto:gillsr at yahoo.com]
> Sent: Tuesday, January 28, 2003 12:04 AM
> To: 'Rubens Kuhl Jr.'; 'Yuki Arif (EID)'; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
>
>
> Unfamiliar with your topology, you might be well off enabling 'set flow
> tcp-mss' with a value such as 1400 on the Netscreen.  There is also a
> Netscreen admin mailing list if you have specific NS questions or
> interests in that area.
>
> http://www.qorbit.net/nn/index.html
>
> -- steve
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl Jr.
> Sent: Monday, January 27, 2003 8:43 AM
> To: Yuki Arif (EID); juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
>
>
> | I have an IPSEC problem between Netscreen 204 and Juniper router.
> |
> | It seems the netscreen encapsulated the incoming packet with IPSEC header
> | and if the total size of the packet is bigger than the allowed MTU of the netscreen
> | interface towards the Juniper router, it will do fragmentation.
>
> It's the right thing to do... M stands for maximum.
>
> | This causes problems with my http traffic.
>
> Fragment drops someplace else cause the problem, not fragmentation
> itself.
>
> | How should I handle this problem in the Juniper part?
>
> Unless you can increase the MTU, this problem should be handled at the
> IPSEC gateway by means such as MSS Clamping.
>
>
> Rubens Kuhl Jr.
>
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
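
The size arithmetic behind the MSS clamping and 'set flow tcp-mss' advice in the thread above, as an added example that is not part of any poster's message. It goes beyond the thread by comparing two ESP transforms; the thread does not say which one the tunnel uses, so the transform table, the 1500-byte path MTU, IPv4 without NAT-T, and TCP without options are all assumptions.

```python
# Added example: ESP tunnel-mode packet sizes and the largest TCP MSS that
# avoids fragmentation after encapsulation.
# Assumptions (not from the thread): IPv4, no NAT-T, no IP/TCP options,
# CBC-mode cipher with a 96-bit truncated HMAC as the integrity check.
OUTER_IP = 20     # outer IPv4 header added by the tunnel
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length byte + next-header byte
INNER_HDRS = 40   # inner IPv4 header (20) + TCP header (20)

# transform name: (cipher block size, IV size, ICV size), all in bytes
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_packet_size(inner_len, transform):
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    block, iv, icv = TRANSFORMS[transform]
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_mss(path_mtu, transform):
    """Largest TCP MSS whose encapsulated segment still fits in path_mtu."""
    block, iv, icv = TRANSFORMS[transform]
    room = path_mtu - (OUTER_IP + ESP_HDR + iv + icv)
    max_inner = (room // block) * block - ESP_TRAILER
    return max_inner - INNER_HDRS

def fragments(mss, path_mtu, transform):
    """True if a full-sized segment at this MSS exceeds path_mtu once encrypted."""
    return esp_packet_size(mss + INNER_HDRS, transform) > path_mtu

if __name__ == "__main__":
    MTU = 1500  # assumed MTU of the interface carrying the ESP packets
    for name in TRANSFORMS:
        print(f"{name}: max MSS without fragmentation = {max_mss(MTU, name)}")
        for mss in (1460, 1400):  # Ethernet default, and the value suggested above
            size = esp_packet_size(mss + INNER_HDRS, name)
            verdict = "fragments" if fragments(mss, MTU, name) else "fits"
            print(f"  MSS {mss}: ESP packet {size} bytes, {verdict}")
```

Under these assumptions a clamp of 1400 fits with the 3DES transform but not with the AES one, so the clamp value should be derived from the transform and path MTU actually in use.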

