Problem description:
On Juniper SSG series firewalls, when a VPN client dials in, or when hosts on different subnets access each other directly, it sometimes happens that PING succeeds but the application itself cannot be reached, for example web access or file shares.
Problem analysis:
These problems are usually caused by how fragmented packets are handled along the path: a packet is larger than the MTU of a link behind the firewall and would have to be fragmented, but the far end (or a device in between) does not handle large fragments, so the firewall drops the packet instead. The packets concerned are generally TCP/IP packets; ICMP echo packets are small enough to pass, which is why ping still works.
Solution:
Once the set flow path-mtu command is enabled, when a packet that is too large for the egress link (and has the Don't Fragment bit set) reaches the firewall, the firewall replies to the sender with an ICMP "Destination unreachable - fragmentation required" message, telling it that the packet could not be forwarded because it would need fragmentation. On receiving this message the sender lowers the path MTU it uses for that destination and sends smaller packets, which then pass through the firewall. Note that this only helps if the ICMP message is allowed to reach the sender; if it is filtered anywhere on the return path, the sender keeps retransmitting full-size packets and the connection stalls. The firewall-side alternative is to clamp the TCP MSS with the commands described below, so that the sender never emits an oversized segment in the first place.
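As an added illustration (not part of the original page, and not ScreenOS code), the following Python model shows why ping succeeds while a bulk TCP transfer hangs, and why the ICMP "fragmentation required" message fixes it only when that message can get back to the sender. The Firewall and Host classes, the 1400-byte egress MTU and the retry count are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field

IPV4_HDR = 20
TCP_HDR = 20
ETHERNET_MTU = 1500


@dataclass
class Packet:
    proto: str        # "icmp-echo" or "tcp"
    total_len: int    # IPv4 total length in bytes
    df: bool = True   # Don't Fragment bit; set by default for TCP on modern hosts


@dataclass
class Firewall:
    """Constructed model of the firewall's egress decision.

    egress_mtu          : MTU of the tunnel / PPPoE link behind the firewall
    path_mtu_enabled    : models 'set flow path-mtu' (send ICMP type 3 code 4)
    icmp_error_delivered: whether that ICMP error actually reaches the sender
                          (a filter anywhere on the return path makes this False)
    """
    egress_mtu: int
    path_mtu_enabled: bool
    icmp_error_delivered: bool = True

    def forward(self, pkt: Packet):
        """Return (action, next_hop_mtu). next_hop_mtu is what the sender
        learns from the ICMP error, or None if it learns nothing."""
        if pkt.total_len <= self.egress_mtu:
            return "forwarded", None
        if not pkt.df:
            return "fragmented", None       # router fragments; reassembly at the far end is not guaranteed
        if self.path_mtu_enabled and self.icmp_error_delivered:
            return "dropped", self.egress_mtu
        return "dropped", None              # silent drop: the PMTU black hole


@dataclass
class Host:
    mtu: int = ETHERNET_MTU
    pmtu_cache: dict = field(default_factory=dict)   # destination -> learned path MTU

    def pmtu(self, dest: str) -> int:
        return self.pmtu_cache.get(dest, self.mtu)

    def max_payload(self, dest: str) -> int:
        # Largest TCP payload per segment: path MTU minus IP and TCP headers (no options)
        return self.pmtu(dest) - IPV4_HDR - TCP_HDR


def ping(fw: Firewall) -> str:
    """A default 56-byte echo payload (84 bytes on the wire) fits any sane MTU."""
    action, _ = fw.forward(Packet("icmp-echo", IPV4_HDR + 8 + 56))
    return action


def transfer(host: Host, fw: Firewall, dest: str, payload_len: int, max_retries: int = 3) -> str:
    """Send one full-size TCP segment through fw; return 'ok' or 'hang'.

    Models a bulk sender (web server, SMB) that retransmits the same size
    unless a 'fragmentation required' error tells it a smaller MTU.
    """
    for _ in range(max_retries + 1):
        seg = min(payload_len, host.max_payload(dest))
        action, learned = fw.forward(Packet("tcp", IPV4_HDR + TCP_HDR + seg))
        if action == "forwarded":
            return "ok"
        if learned is None:
            continue                        # nothing told the host to shrink: retransmit same size
        host.pmtu_cache[dest] = learned     # PMTUD: remember the smaller MTU and retry
    return "hang"
```

Running transfer() against a firewall without path-mtu (or with the ICMP error filtered) returns "hang" while ping() still returns "forwarded"; with path-mtu enabled and the ICMP delivered, the host learns a 1400-byte path MTU and the transfer completes with 1360-byte segments.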
The two commands below both rewrite the maximum segment size (MSS) advertised in TCP SYN packets passing through the firewall, so that each segment, once the IP and TCP headers and any tunnel overhead are added, stays below the MTU and passes through the firewall without fragmentation.
set flow tcp-mss
Applies to VPN traffic
set flow all-tcp-mss
Applies to clear-text traffic
TCP-MSS Functionality
The command set flow tcp-mss applies to VPN traffic only. Note that it only affects the firewall that does the encrypting. For example, given the following topology:
PC-A -----FW1--------VPN TUNNEL-----------FW2--------PC-B
Only FW2 is set with this command:
FW2-> set flow tcp-mss 1350
Then, if the session is established from PC-A to PC-B, PC-A sends the SYN packet via the tunnel. FW1 does not change the TCP-MSS setting. When FW2 receives the packet it is decrypting, not encrypting, so FW2's tcp-mss setting is not applied either. In other words, the TCP-MSS setting is only changed if the command is set on the firewall where the packet is encrypted, not on the firewall where the packet is decrypted.
If you want to change the MSS setting for the sessions originating from PC-A through the tunnel, then set flow tcp-mss 1350 has to be set on FW1.
ALL-TCP-MSS Functionality
The command set flow all-tcp-mss is required when using PPPoE, as PPPoE adds considerable overhead, and fragmentation will occur if the set flow all-tcp-mss command is not enabled. There are also some instances where a router may not be handling fragmentation properly. In these instances, set flow all-tcp-mss may help. For example, if a web site is accessed and not all images are drawn, this symptom could be due to fragmentation. Applying set flow all-tcp-mss can resolve this issue.
Note that the set flow all-tcp-mss setting applies only to clear traffic. It is bidirectional: it modifies the MSS value in the SYN packet of clear traffic in both directions. For example, in the above scenario/topology, let's say the following command is also added to FW2:
FW2-> set flow all-tcp-mss 1350
Then, when PC-A establishes a session with PC-B, FW2 will change the TCP-MSS setting for the sessions originating from PC-A to PC-B, because it applies to the packet after it is decrypted.
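As an added example (not part of the original page or of ScreenOS), the following Python code does what the two commands do to a transiting SYN: it locates the MSS option (kind 2, length 4) in the TCP header, lowers it if it exceeds the configured value, and recomputes the TCP checksum. It then walks a SYN from PC-A through the PC-A / FW1 / tunnel / FW2 / PC-B topology above to show that tcp-mss on FW2 alone has no effect on that direction, while tcp-mss on FW1 or all-tcp-mss on FW2 does. The SYN itself, the addresses and the Fw settings class are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # IPv4 pseudo-header
    return ones_complement_sum(pseudo + tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN carrying a single MSS option (kind 2, length 4)."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, 0x02, 65535, 0, 0) + opts)
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, s, d))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))   # 0x4000 sets DF
    return bytes(ip + tcp)


def _tcp_view(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[12:16], pkt[16:20], pkt[ihl:]


def checksum_ok(pkt: bytes) -> bool:
    _, s, d, tcp = _tcp_view(pkt)
    return tcp_checksum(s, d, tcp) == 0   # a correctly checksummed segment verifies to zero


def _mss_offset(tcp: bytes) -> Optional[int]:
    """Byte offset of the MSS value inside the TCP options, or None if absent."""
    if not tcp[13] & 0x02:                # MSS is only carried on SYN / SYN-ACK
        return None
    i, end = 20, (tcp[12] >> 4) * 4
    while i < end:
        kind = tcp[i]
        if kind == 0:                     # End of option list
            return None
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]                   # skip any other TLV option
    return None


def get_mss(pkt: bytes) -> Optional[int]:
    _, _, _, tcp = _tcp_view(pkt)
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """The MSS rewrite that tcp-mss / all-tcp-mss perform on a transiting SYN:
    lower the advertised MSS to max_mss if it is larger, then fix the TCP checksum."""
    ihl, s, d, tcp = _tcp_view(pkt)
    if pkt[9] != 6:                       # not TCP: nothing to do
        return pkt
    off = _mss_offset(tcp)
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return pkt
    tcp = bytearray(tcp)
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"              # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)


@dataclass
class Fw:
    """Hypothetical per-firewall settings; None means the command is unset."""
    tcp_mss: Optional[int] = None         # 'set flow tcp-mss N'
    all_tcp_mss: Optional[int] = None     # 'set flow all-tcp-mss N'


def traverse_vpn(syn: bytes, fw1: Fw, fw2: Fw) -> bytes:
    """PC-A -> FW1 (encrypts) -> tunnel -> FW2 (decrypts) -> PC-B, for a SYN sent by PC-A.
    all-tcp-mss acts on the clear packet on either box; tcp-mss acts only on the
    box that encrypts (FW1). FW2's tcp-mss never applies to this direction."""
    pkt = syn
    if fw1.all_tcp_mss is not None:
        pkt = clamp_mss(pkt, fw1.all_tcp_mss)   # FW1, clear side, before encryption
    if fw1.tcp_mss is not None:
        pkt = clamp_mss(pkt, fw1.tcp_mss)       # FW1, applied as the packet is encrypted
    # fw2.tcp_mss is intentionally not applied: FW2 only decrypts this SYN
    if fw2.all_tcp_mss is not None:
        pkt = clamp_mss(pkt, fw2.all_tcp_mss)   # FW2, clear side, after decryption
    return pkt
```

Note that clamping is applied to the SYN in each direction separately, which is why all-tcp-mss is described as bidirectional: the SYN from PC-A is clamped on FW2's clear side after decryption, and the SYN-ACK from PC-B is clamped on FW2's clear side before encryption.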