For When You Can't Have The Real Thing
[ start | index | login ]
start > Netscreen > VPN Fragmentation

VPN Fragmentation

Created by dave. Last edited by dave, 6 years and 240 days ago. Viewed 2,928 times. #6
[diff] [history] [edit] [rdf]


Throughput through my VPN sucks. For example, traffic through the internet between hosts is faster than traffic through the same internet path through a VPN. I suspect fragmentation, but I can't prove it.


Turn on Path MTU discovery:

# set flow path-mtu

The internet suggests that even if you mess with the MSS values (below), the firewall >>will still happily fragment encrypted VPN packets.

Note -- again -- this is a global knob and might have unpleasant side effects.

Previous Solution

Set the Maximum Segment Size permitted through firewall VPNs to be 1350.

# set flow tcp-mss 1350
# set flow vpn-tcp-mss 1350

Warning: this is a global knob that can't be tweaked on a per-tunnel basis.


I refer to this as "stealth fragmentation". By default, both VPN tunnel interfaces and ethernet interfaces have MTUs of 1500. This means that the tunnel will accept a 1500 byte packet without fragmenting. However, after that packet is encapsulated in an ESP packet, it is suddenly larger than 1500 bytes, which means that the outgoing ethernet interface will fragment it. So you get bit by fragmentation, even though your MTUs and DF bits look fine.



>>Sez Juniper:
For NS-5GT, SSG-5, and SSG-20 devices, the command set flow tcp-mss is enabled by default to 1350. On all other Juniper firewall devices, the command set flow tcp-mss is disabled, i.e., it is not set by default in the configuration.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt