[j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem

Stephen Gill gillsr at yahoo.com
Tue Jan 28 20:52:15 EST 2003


A couple of other things to be aware of...

1. Try enabling: 'set flow path-mtu' on the netscreen (RFC 1191).
2. Make sure you aren't dropping fragmented packets on the network such
as on the NS.  'get zone <trust|untrust> screen all | inc Fragment'
3. You can try playing with the 'set vpn <name> df-bit
<clear|copy|set>'.

I'm assuming the MTUs are all the same b/n A & B.  What size did you
need to reduce the MTU in order for the connection to work?  Typically
the 'set flow tcp-mss <value>' will work by causing systems to negotiate
a smaller packet size.  The MSS has a direct correlation to the MTU.

-- steve

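Added example (constructed, not code from this thread or from NetScreen/Juniper): the size arithmetic behind the MSS advice above. It models ESP tunnel-mode overhead for two assumed transform sets (3DES-CBC and AES-CBC, each with an assumed 12-byte HMAC-SHA1-96 ICV) and derives the largest MSS whose full-size segments still fit the interface MTU, so a guess such as 1400 can be checked against the SA actually in use.

```python
"""ESP tunnel-mode size arithmetic for TCP segments (constructed example).

Shows why a full-size packet grows past the MTU after encapsulation and
what 'set flow tcp-mss <value>' needs to be to avoid that.
"""
from dataclasses import dataclass

IPV4_HEADER = 20   # outer tunnel header added by the IPsec gateway
TCP_HEADER = 20
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HEADER = 8     # only when NAT traversal wraps ESP in UDP


@dataclass(frozen=True)
class EspProfile:
    name: str
    block_size: int  # CBC cipher block size; also the IV length
    icv_len: int     # integrity check value length (12 for HMAC-SHA1-96)


# Assumed transform sets; replace with the SA actually negotiated.
DES3_SHA1 = EspProfile("3des-cbc/hmac-sha1-96", block_size=8, icv_len=12)
AES_SHA1 = EspProfile("aes-cbc/hmac-sha1-96", block_size=16, icv_len=12)


def esp_tunnel_size(inner_len: int, prof: EspProfile, nat_t: bool = False) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation of an inner IPv4 packet."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // prof.block_size) * prof.block_size  # round up to a block
    size = IPV4_HEADER + ESP_SPI_SEQ + prof.block_size + padded + prof.icv_len
    return size + UDP_HEADER if nat_t else size


def needs_fragmentation(inner_len: int, prof: EspProfile, mtu: int = 1500, nat_t: bool = False) -> bool:
    """True if the encapsulated packet exceeds the MTU: it is fragmented, or dropped if DF is set."""
    return esp_tunnel_size(inner_len, prof, nat_t) > mtu


def max_mss(prof: EspProfile, mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS whose full segments survive encapsulation within the MTU.
    Block padding makes the growth step-wise, so walk down from the plain maximum."""
    mss = mtu - IPV4_HEADER - TCP_HEADER
    while mss > 0 and esp_tunnel_size(mss + IPV4_HEADER + TCP_HEADER, prof, nat_t) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for prof in (DES3_SHA1, AES_SHA1):
        print(f"{prof.name}: 1500-byte packet -> {esp_tunnel_size(1500, prof)} bytes on the wire; "
              f"MSS 1400 still fragments: {needs_fragmentation(1440, prof)}; max MSS {max_mss(prof)}")
```

With the 3DES profile an MSS of 1400 fits, but with AES-CBC the same 1400 still pushes the encapsulated packet to 1512 bytes, so the value has to be derived from the transform set rather than guessed.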


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Yuki Arif
(EID)
Sent: Tuesday, January 28, 2003 7:54 PM
To: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem

Hello,

I tried the commands from Stephen's web site recommendation and it still does not work.

The workaround is to reduce the MTU size in the AXI-B router. The IPSEC tunnel
is between Netscreen and AXI-A:

AXI-A  ---------- Netscreen --------- AXI-B.

Do you have other suggestions?

Thanks

Yuki


-----Original Message-----
From: joe lin [mailto:jlin at doradosoftware.com]
Sent: Tuesday, January 28, 2003 11:11 AM
To: Yuki Arif (EID); juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


Did you try opening a case with JTAC? They could answer, if you have a
support contract.

----- Original Message -----
From: "Yuki Arif (EID)" <Yuki.Arif at eid.ericsson.se>
To: <juniper-nsp at puck.nether.net>
Sent: Tuesday, January 28, 2003 10:33 AM
Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem


> Thanks for all responses,
>
> I also got the same case from the following web site.
>
> http://www.netscreenforum.com/viewtopic.php?t=157
>
> Best Regards
>
>
> Yuki
>
> -----Original Message-----
> From: Stephen Gill [mailto:gillsr at yahoo.com]
> Sent: Tuesday, January 28, 2003 12:04 AM
> To: 'Rubens Kuhl Jr.'; 'Yuki Arif (EID)'; juniper-nsp at puck.nether.net
> Subject: RE: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
>
>
> Unfamiliar with your topology, you might be well off enabling 'set flow
> tcp-mss' with a value such as 1400 on the Netscreen.  There is also a
> Netscreen admin mailing list if you have specific NS questions or
> interests in that area.
>
> http://www.qorbit.net/nn/index.html
>
> -- steve
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Rubens Kuhl
> Jr.
> Sent: Monday, January 27, 2003 8:43 AM
> To: Yuki Arif (EID); juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Netscreen 204Firewall ----- Juniper IPSEC problem
>
>
> | I have an IPSEC problem between Netscreen 204 and Juniper router.
> |
> | It seems the netscreen encapsulates the incoming packet with an IPSEC
> | header and if the total size of the packet is bigger than the allowed MTU
> | of the netscreen interface towards the Juniper router, it will do
> | fragmentation.
>
> It's the right thing to do... M stands for maximum.
>
> | This causes problems with my http traffic.
>
> Fragment drops someplace else cause the problem, not fragmentation
> itself.
>
> | How should I handle this problem in the Juniper part?
>
> Unless you can increase the MTU, this problem should be handled at the
> IPSEC gateway by means such as MSS Clamping.
>
>
> Rubens Kuhl Jr.
>
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp