You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where the packets
have the DF-bit (do not fragment) set.
Which configuration solves this problem?
A. Set an increased MTU value on the physical interface.
B. Set a reduced MSS value for VPN traffic under the [edit security flow tcp-mss] hierarchy.
C. Set a reduced MTU value for VPN traffic under the [edit security flow] hierarchy.
D. Set an increased MSS value on the st0 interface.
B
You can specify the maximum segment size (MSS) in TCP SYN packets used during session establishment. Decreasing the MSS helps to limit packet fragmentation and to protect against packet loss that can occur when a packet must be fragmented to meet the MTU size but the packet’s DF-bit (do not fragment) is set. The following options can be set under the [edit security flow tcp-mss] hierarchy:
• all-tcp: Sets the MSS on all TCP packets for network traffic.
• gre-in: Enables you to specify the TCP MSS for generic routing encapsulation (GRE) packets that are coming out from an IPsec VPN tunnel. If the device receives a GRE-encapsulated TCP packet with the SYN bit and TCP MSS option set and the TCP MSS option specified in the packet exceeds the TCP MSS specified by the device, the device modifies the TCP MSS value accordingly. By default, a TCP MSS for GRE packets is not set.
• gre-out: Enables you to specify the TCP MSS for GRE packets that are going into an IPsec VPN tunnel. If the device receives a GRE-encapsulated TCP packet with the SYN bit and TCP MSS option set, and the TCP MSS option specified in the packet exceeds the TCP MSS specified by the device, the device modifies the TCP MSS value accordingly. By default, a TCP MSS for GRE packets is not set.
• ipsec-vpn: Enables MSS override for all packets entering an IPsec tunnel.