Throughput through my VPN sucks. For example, traffic between two hosts across the internet is faster than traffic over the same internet path inside a VPN. I suspect fragmentation, but I can't prove it.
Turn on Path MTU discovery:
The internet suggests that even if you mess with the MSS values (below), the firewall will still happily fragment encrypted VPN packets.
Note -- again -- this is a global knob and might have unpleasant side effects.
Set the Maximum Segment Size permitted through firewall VPNs to be 1350.
# set flow tcp-mss 1350
# set flow vpn-tcp-mss 1350
Warning: this is a global knob that can't be tweaked on a per-tunnel basis.
I refer to this as "stealth fragmentation". By default, both VPN tunnel interfaces and ethernet interfaces have MTUs of 1500. This means that the tunnel will accept a 1500-byte packet without fragmenting. However, after that packet is encapsulated in an ESP packet, it is suddenly larger than 1500 bytes, which means that the outgoing ethernet interface will fragment it. So you get bitten by fragmentation, even though your MTUs and DF bits look fine.
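To put numbers on the stealth fragmentation above, here is an added calculator (my own example, not part of the original note or any Juniper tool) that sizes an ESP tunnel-mode packet and finds the largest TCP MSS that still fits a 1500-byte egress MTU. The cipher and authenticator overheads (AES-CBC, 3DES-CBC, HMAC-SHA1-96, NAT-T) are assumed typical values; adjust them to match your own proposal.

```python
# Added example (not from the original note): size the ESP tunnel-mode
# encapsulation that causes "stealth fragmentation". Overheads assumed
# for common ScreenOS-era proposals; change them to match your tunnel.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int   # cipher block size: padding aligns the encrypted part to it
    iv: int      # IV bytes carried after the ESP header
    icv: int     # integrity check value appended after the trailer
    nat_t: bool  # NAT traversal adds a UDP header between outer IP and ESP


OUTER_IP = 20      # IPv4 outer header added in tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
UDP_HDR = 8        # only present with NAT-T
IP_TCP_HDRS = 40   # inner IPv4 + TCP headers, no options

AES_SHA1 = EspProfile("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12, nat_t=False)
AES_SHA1_NATT = EspProfile("aes-cbc/hmac-sha1-96 + NAT-T", 16, 16, 12, True)
DES3_SHA1 = EspProfile("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12, nat_t=False)


def esp_packet_size(inner_len: int, p: EspProfile) -> int:
    """Bytes on the wire once an inner IP packet of inner_len is ESP-encapsulated."""
    # Padding makes (payload + padding + trailer) a multiple of the block size.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / p.block) * p.block
    return OUTER_IP + (UDP_HDR if p.nat_t else 0) + ESP_HDR + p.iv + encrypted + p.icv


def fragments_on_egress(mss: int, p: EspProfile, egress_mtu: int = 1500) -> bool:
    """True if a full-size segment of this MSS yields an ESP packet larger than the MTU."""
    return esp_packet_size(mss + IP_TCP_HDRS, p) > egress_mtu


def max_clear_mss(p: EspProfile, egress_mtu: int = 1500) -> int:
    """Largest TCP MSS whose encapsulated packet still fits the egress MTU."""
    mss = egress_mtu - IP_TCP_HDRS   # what a 1500-byte tunnel MTU lets through
    while mss > 0 and fragments_on_egress(mss, p, egress_mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    for p in (AES_SHA1, AES_SHA1_NATT, DES3_SHA1):
        print(f"{p.name:32s} 1500-byte packet -> {esp_packet_size(1500, p)} bytes on the wire;"
              f" MSS 1460 fragments: {fragments_on_egress(1460, p)};"
              f" MSS 1350 fragments: {fragments_on_egress(1350, p)};"
              f" max safe MSS: {max_clear_mss(p)}")
```

With these assumptions a 1500-byte inner packet becomes 1560 bytes on the wire under AES/SHA1, while the page's 1350 sits comfortably below the largest safe MSS for all three profiles (1398, 1382 and 1406).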
For NS-5GT, SSG-5, and SSG-20 devices, the command set flow tcp-mss is enabled by default with a value of 1350. On all other Juniper firewall devices, the command set flow tcp-mss is disabled, i.e., it is not set by default in the configuration.