Which command is used to help avoid TCP Fragmentation when configuring IPSec on a NetScreen device?
A. set flow
B. set tcp-mss flow
C. set flow tcp-mss
D. set mss-flow size
Explanation:
It is possible that phase 2 of Internet Key Exchange (IKE) is failing because of a fragmentation issue. When IKE phase 2 negotiation is encrypted, an additional IPSec header is added, which can result in a large packet. Depending on the media types between the two IKE gateways, a link may have an MTU setting smaller than the IKE phase 2 packet size.
Workaround
Set the Maximum Segment Size (MSS) for all traffic passing through a tunnel. To set the MSS to 1400 bytes (recommended), from the CLI, issue the command:
set flow tcp-mss 1400 [Enter]
http://2550.support.netscreen.safeharbor.com/knowbase/root/public/nskb1474.htm
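Added example (not part of the original question or the NetScreen knowledge-base article): a Python calculation of ESP tunnel-mode packet size, showing how the MSS set on the firewall relates to the link MTU once the IPSec header is added. The cipher and authentication choices, the 1500-byte MTU and all function names are assumptions chosen for illustration.

```python
# Added example: ESP tunnel-mode packet size vs. link MTU (constructed inputs).
IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte

# cipher name -> (IV bytes, cipher block bytes) for CBC-mode ciphers
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# authentication name -> ICV bytes (HMACs truncated to 96 bits)
ICVS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet wrapping an inner IPv4 packet."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus ESP trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    udp = 8 if nat_t else 0  # NAT-T wraps ESP in a UDP header
    return IP_HDR + udp + ESP_HDR + iv + padded + ICVS[auth]


def fragments(mss, link_mtu, cipher, auth, nat_t=False):
    """True if a full-size TCP segment with this MSS exceeds link_mtu once encrypted."""
    inner = IP_HDR + TCP_HDR + mss
    return esp_packet_size(inner, cipher, auth, nat_t) > link_mtu


def max_safe_mss(link_mtu, cipher, auth, nat_t=False):
    """Largest MSS whose encrypted packet still fits in link_mtu (0 if none)."""
    # Packet size never shrinks as MSS grows, so the first fit from the top is the max.
    for mss in range(link_mtu, 0, -1):
        if not fragments(mss, link_mtu, cipher, auth, nat_t):
            return mss
    return 0


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            best = max_safe_mss(1500, cipher, "hmac-sha1-96", nat_t)
            print(f"{cipher:9s} nat_t={nat_t!s:5s} max MSS on 1500-byte link: {best}")
```

With these constructed inputs, 3DES/SHA-1 on a 1500-byte link carries an MSS of 1400 without fragmenting, while the Ethernet default of 1460 does not fit; a larger cipher block, NAT-T or a smaller link MTU lowers the ceiling further.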