Hello,
SPDNet wrote: Is there a way to limit the SYN MTU to a range between 1000-1800 on MX?
Yes there is - in JUNOS 14.2 or newer and on MX only (not SRX). Here is my NY gift to You:
[edit] aarseniev@R1# show | compare rollback 1 [edit interfaces ae0 unit 0 family inet] + filter { + input f1; + } [edit] + class-of-service { + forwarding-classes { + class MARK queue-num 4; + } + } + firewall { + family inet { + filter f1 { + term t1 { + from { + protocol tcp; + tcp-flags "(!ack & syn)"; + } + then { + forwarding-class MARK; + next term; + } + } + term t2 { + from { + forwarding-class MARK; + flexible-match-range { + match-start layer-4; + byte-offset 20; + bit-length 32; + range 33817576-33818376; + } + } + then { + count TCPSYN; + policer 1m; + accept; + } + } + term else { + then accept; + } + } + } + }
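Review bot: term t2 applies "policer 1m", but nothing in this change defines a policer named 1m under [edit firewall]; only filter f1 and forwarding class MARK are added. Confirm that the policer already exists in the base configuration, or include its definition in the same change so the commit is self-contained and the rate applied to matching SYNs is visible alongside the filter.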
You have to "spend" one Forwarding Class (FC) for that.
"range 33817576-33818376" is in decimal and corresponds to TCP MSS option with values 1000-1800 as You asked.
In hex that would be 0x020403E8 ... 0x02040708.
HTH
Thx
Alex
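An added example, not part of the original post: it derives the decimal range from the MSS bounds and emulates the filter's test (32 bits at byte offset 20 of the TCP header on a SYN without ACK) against constructed segments. The function names and sample packets are assumptions made for illustration; the example also shows that the fixed offset only sees an MSS option that comes first in the option list.

```python
import struct

MSS_KIND, MSS_LEN = 2, 4  # TCP option kind 2 (MSS) with option length 4


def mss_range_to_filter(lo, hi):
    """Return the decimal 32-bit range for 'kind=2, len=4, MSS in lo..hi'."""
    if not (0 <= lo <= hi <= 0xFFFF):
        raise ValueError("MSS is a 16-bit value")
    prefix = (MSS_KIND << 24) | (MSS_LEN << 16)
    return prefix | lo, prefix | hi


def filter_matches(tcp_segment, lo, hi):
    """Emulate terms t1+t2: SYN without ACK, then 32 bits at byte offset 20."""
    if len(tcp_segment) < 24:
        return False  # no option bytes at offset 20
    if tcp_segment[13] & 0x12 != 0x02:  # flags byte: SYN set, ACK clear
        return False
    word = struct.unpack_from("!I", tcp_segment, 20)[0]
    start, end = mss_range_to_filter(lo, hi)
    return start <= word <= end


def build_tcp(options, flags=0x02):
    """Constructed sample: 20-byte TCP header followed by raw option bytes."""
    options += b"\x01" * (-len(options) % 4)  # pad to 32 bits with NOPs
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options


# Constructed segments (not captured traffic).
SACK_OK = b"\x04\x02"
SYN_MSS_1460 = build_tcp(b"\x02\x04" + struct.pack("!H", 1460) + SACK_OK)
SYN_MSS_536 = build_tcp(b"\x02\x04" + struct.pack("!H", 536) + SACK_OK)
# MSS 1460 is present but preceded by other options, so offset 20 holds them.
SYN_MSS_NOT_FIRST = build_tcp(b"\x01\x01" + SACK_OK + b"\x02\x04\x05\xb4")
SYNACK_MSS_1460 = build_tcp(b"\x02\x04\x05\xb4", flags=0x12)

if __name__ == "__main__":
    print("range %d-%d" % mss_range_to_filter(1000, 1800))
    for name in ("SYN_MSS_1460", "SYN_MSS_536",
                 "SYN_MSS_NOT_FIRST", "SYNACK_MSS_1460"):
        print(name, filter_matches(globals()[name], 1000, 1800))
```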