Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Wed Aug 23, 2017 9:01 am


Author Message
debuser
Post  Post subject: Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel  |  Posted: Tue Jun 05, 2012 8:02 am

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
 

Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel

The MSS (Maximum Segment Size) is a TCP connection mechanism or parameter through which a TCP side informes the other side the maximum size tcp segment size it can receive for that specific connection.

MSS is set only during tcp 3-way handshake and is part of the "TCP Options" field of tcp header only for SYN packets. TCPDUMP example:
Code:
11:23:44.450420 IP 83.72.75.223.20614 > 95.233.23.13.80: Flags [S], seq 3483318893, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 2479291524 ecr 0], length 0
11:23:44.451946 IP 95.233.23.13.80 > 83.72.75.223.20614: Flags [S.], seq 425754303, ack 3483318894, win 0, options [mss 1460], length 0
11:23:44.522227 IP 83.72.75.223.20614 > 95.233.23.13.80: Flags [.], ack 1, win 65535, length 0
11:23:44.523656 IP 95.233.23.13.80 > 83.72.75.223.20614: Flags [.], ack 1, win 5840, length 0


Under normal conditions, ethernet MTU is 1500 bytes and the MSS (MTU - ip header - tcp header) is 1460.

In any VPN configuration, due to ipsec encapsulation (and, in some cases, GRE), the MTU for the vpn interface is lowered to a safe value of i.e.: 1400 in my case.

(Excelent article from Cisco: Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml)

Some situations when TCP client is accessing an external host through an Ipsec vpn tunnel for the first time, it is unaware of the MTU/MSS parameters for that specific path.

Let's say our PC 10.0.0.1 tries to connect to a webserver on IP 95.233.23.13.
MTU on the segment between our pc and first hop is 1500.
First hop Juniper SRX-1 sends the packet through an Ipsec tunnel over to Juniper SRX-2.
Juniper SRX-2 does a source nat for traffic from vpn to internet.

Connection breakdown.
#1. PC sends a syn packet to 95.233.23.13 port 80 with MSS 1456 (1500-40ip/tcp headers-5 vlan encapsulation)
#2. Web server 95.233.23.13 responds with a SYN-ACK packet with MSS set to 1460 (1500 -40 ip/tcp headers)
#3. PC sends an ACK packet to 95.233.23.13 (3way handshake is complete)
#4. PC sends the HTTP GET / request to 95.233.23.13 and sets the PSH flag (PSH flag in TCP tells the receiving end of the connection to "push" all buffered data to the receiving #application)
#5. Web server 95.233.23.13 acknowledges the GET request with a packet with ACK set to the seq of packet (seq 1:111 of packet #4, ack 111 of packet #5)
#6. Web server 95.233.23.13 starts sending data in segments of 1456 bytes (the MSS that PC told the server it can receive)
#7. Web server 95.233.23.13 sends the rest of the HTTP response and sets the PSH flag (tells the client's tcp stack/kernel to send all buffered data over to browser).

This is where the problem occurs as packets with 1456 bytes segments and don't fragment bit set in IP header will not enter the Ipsec tunnel (unless clear-bit is set, but this is not the purpose of this article) as the tunnel interfaces have an MTU of 1400 bytes.
Packets #8 and #9 are the icmp fragmentation needed packets.

Thus, SRX-2 will drop these large segments and will send an "ICMP fragmentation needed" back to the webserver. Tcpdump example of such behavior:
Code:
11:09:49.671733 IP 83.72.75.223.23985 > 95.233.23.13.80: Flags [S], seq 1613827877, win 65535, options [mss 1456,nop,wscale 4,sackOK,TS val 2478456636 ecr 0], length 0
11:09:49.673251 IP 95.233.23.13.80 > 83.72.75.223.23985: Flags [S.], seq 1439513197, ack 1613827878, win 11680, options [mss 1460,nop,wscale 0], length 0
11:09:49.745460 IP 83.72.75.223.23985 > 95.233.23.13.80: Flags [.], ack 1, win 4125, length 0
11:09:49.748949 IP 83.72.75.223.23985 > 95.233.23.13.80: Flags [P.], seq 1:111, ack 1, win 4125, length 110
11:09:49.750956 IP 95.233.23.13.80 > 83.72.75.223.23985: Flags [.], ack 111, win 11570, length 0
11:09:49.871888 IP 95.233.23.13.80 > 83.72.75.223.23985: Flags [.], seq 1:1457, ack 111, win 11570, length 1456
11:09:49.872095 IP 95.233.23.13.80 > 83.72.75.223.23985: Flags [P.], seq 1457:2818, ack 111, win 11570, length 1361
11:09:49.879392 IP 83.72.75.223 > 95.233.23.13: ICMP 10.0.0.1 unreachable - need to frag (mtu 1500), length 36
11:09:49.879397 IP 83.72.75.223 > 95.233.23.13: ICMP 10.0.0.1 unreachable - need to frag (mtu 1500), length 36

To a normal user this will seem like internet is very slow and that specific website doesn't load (as packets that won't fit the tunnel get dropped).

To fix this, Junos can be configured to override MSS parameter of packets entering Ipsec/GRE (in/out for GRE) tunnels (this is done on both devices SRX-1 and SRX-2).
Code:
# set security flow tcp-mss ?                     
Possible completions:
> all-tcp              Enable MSS override for all packets
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> gre-in               Enable MSS override for all GRE packets coming out of an IPSec tunnel
> gre-out              Enable MSS override for all GRE packets entering an IPsec tunnel
> ipsec-vpn            Enable MSS override for all packets entering IPSec tunnel
# set security flow tcp-mss ipsec-vpn mss 1360


And here's the tcpdump example:
Code:
11:23:44.450420 IP 83.72.75.223.20614 > 95.233.23.13.80: Flags [S], seq 3483318893, win 65535, options [mss 1360,nop,wscale 4,sackOK,TS val 2479291524 ecr 0], length 0
11:23:44.451946 IP 95.233.23.13.80 > 83.72.75.223.20614: Flags [S.], seq 425754303, ack 3483318894, win 0, options [mss 1360], length 0
11:23:44.522227 IP 83.72.75.223.20614 > 95.233.23.13.80: Flags [.], ack 1, win 65535, length 0
11:23:44.523656 IP 95.233.23.13.80 > 83.72.75.223.20614: Flags [.], ack 1, win 5840, length 0





Top
debuser
Post  Post subject: Re: Juniper SRX MTU / MSS problems with Ipsec vpn tunnel  |  Posted: Tue Jun 05, 2012 8:07 am

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
In my case, the TCP client is always the browser and, unless I'm sending a huge HTTP request, my computer will send smaller-than-Ipsec-MTU packets, so it will not be aware of the MTU limitation of the ipsec segment along the path, as the ICMP "fragmentation needed" is sent only when a large packet arrives to the border of a low-MTU segment, not when a SYN packet with a large MSS is detected (although that wouldn't be such a bad idea).


Top
Tears
Post  Post subject: Re: Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel  |  Posted: Mon Jul 08, 2013 5:54 am

Joined: Mon Jul 08, 2013 5:45 am
Posts: 1

Offline
hi thanks you so much for up dating us with this precis information.you did verb great job keep it up.......

_________________
"ONe Day I will be Part of your World.")


Top
Display posts from previous:  Sort by  
E-mail friendPrint view

Topics related to - "Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT.

mandrei99

0

1234

Tue Oct 29, 2013 11:25 am

mandrei99 View the latest post

There are no new unread posts for this topic. OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices

debuser

2

6591

Thu Jun 27, 2013 10:40 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"

mandrei99

0

1932

Thu Oct 31, 2013 5:00 am

mandrei99 View the latest post

There are no new unread posts for this topic. Attachment(s) Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.

mandrei99

0

1984

Tue Oct 29, 2013 9:22 am

mandrei99 View the latest post

There are no new unread posts for this topic. Linux site to site GRE over IPSEC VPN tunnels using racoon & kame ipsec-tools

mandrei99

0

9898

Tue Jan 13, 2015 6:26 am

mandrei99 View the latest post

There are no new unread posts for this topic. Site2Site Ipsec/Dialup/ike v2

balzac123

0

589

Wed Sep 16, 2015 9:07 am

balzac123 View the latest post

There are no new unread posts for this topic. Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs

mandrei99

0

2826

Wed Apr 10, 2013 5:42 am

mandrei99 View the latest post

There are no new unread posts for this topic. PKI: How to import OpenSSL private key and public certificate in Juniper SRX

mandrei99

0

25716

Fri Dec 12, 2014 10:07 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed

mandrei99

0

1461

Fri Jan 09, 2015 11:41 am

mandrei99 View the latest post

There are no new unread posts for this topic. error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error

mandrei99

0

1014

Fri Dec 12, 2014 10:32 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO