For When You Can't Have The Real Thing

VPN Fragmentation

Created by dave. Last edited by dave, 28 days ago. Viewed 65 times. #4


Throughput through my VPN sucks. For example, traffic through the internet between hosts is faster than traffic through the same internet path through a VPN. I suspect fragmentation, but I can't prove it.


Set the Maximum Segment Size permitted through firewall VPNs to be 1350.

set flow tcp-mss 1350

Warning: this is a global knob that can't be tweaked on a per-tunnel basis.


I refer to this as "stealth fragmentation". By default, both VPN tunnel interfaces and ethernet interfaces have MTUs of 1500. This means that the tunnel will accept a 1500 byte packet without fragmenting. However, once that packet is encapsulated in an ESP packet (outer IP header, ESP header, IV, padding and integrity check value added), it is larger than 1500 bytes, so the outgoing ethernet interface fragments it. So you get bit by fragmentation even though your MTUs and DF bits look fine: the fragmentation happens on the ciphertext side, after the inner packet has already passed every check you would normally look at.
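To make the overhead concrete, here is an added example (not from the original page or from Juniper) that models ESP tunnel-mode encapsulation and shows why a 1500-byte inner packet no longer fits a 1500-byte outer MTU, while the MSS 1350 segments from the fix do. The cipher parameters are assumptions for a typical AES-CBC / HMAC-SHA1 proposal (16-byte block and IV, 12-byte ICV); the function also takes a `nat_t` flag for the extra UDP header, and `max_mss_for_mtu` generalises the page's single value by computing the largest MSS that survives encapsulation for a given proposal.

```python
# Added example: model ESP tunnel-mode overhead on top of an inner IPv4 packet.
# Cipher sizes below are assumptions for AES-CBC with HMAC-SHA1-96; change them
# to match the actual VPN proposal.

IP_HDR = 20        # outer IPv4 header added by tunnel mode
TCP_HDR = 20       # inner TCP header (no options)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
NAT_T_UDP = 8      # UDP header when NAT traversal is in use


def esp_tunnel_size(inner_len, block_size=16, iv_len=16, icv_len=12, nat_t=False):
    """Size in bytes of the outer packet after ESP tunnel-mode encapsulation."""
    plain = inner_len + ESP_TRAILER            # data covered by padding rules
    padding = (-plain) % block_size            # pad up to the cipher block size
    encrypted = iv_len + plain + padding
    outer = IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + encrypted + icv_len
    return outer


def inner_len_for_mss(mss):
    """Inner IPv4 packet length carrying a full TCP segment of the given MSS."""
    return mss + TCP_HDR + IP_HDR


def will_fragment(inner_len, mtu=1500, **cipher):
    """True when the encapsulated packet exceeds the outer interface MTU."""
    return esp_tunnel_size(inner_len, **cipher) > mtu


def max_mss_for_mtu(mtu=1500, **cipher):
    """Largest MSS whose full-size segments fit the outer MTU after encapsulation."""
    mss = mtu
    while esp_tunnel_size(inner_len_for_mss(mss), **cipher) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # A full 1500-byte inner packet: passes the tunnel MTU, fragments on the wire.
    print("1500-byte inner packet ->", esp_tunnel_size(1500), "bytes on the wire")
    # Segments capped at MSS 1350 (the page's fix) stay under 1500 after ESP.
    print("MSS 1350 inner packet  ->", esp_tunnel_size(inner_len_for_mss(1350)), "bytes")
    for label, cipher in [("AES-CBC/SHA1", {}),
                          ("AES-CBC/SHA1 + NAT-T", {"nat_t": True}),
                          ("3DES/SHA1", {"block_size": 8, "iv_len": 8})]:
        print(f"max safe MSS for {label}: {max_mss_for_mtu(**cipher)}")
```

The computed ceiling is a few dozen bytes above 1350 for these proposals, which is why 1350 is a comfortable global value: it leaves headroom for NAT-T, larger integrity check values or TCP options without re-tuning the knob per tunnel.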



Sez Juniper:
For NS-5GT, SSG-5, and SSG-20 devices, the command set flow tcp-mss is enabled by default to 1350. On all other Juniper firewall devices, the command set flow tcp-mss is disabled, i.e., it is not set by default in the configuration.
