Tags:Discovery encapsulation ipsec juniper mtu netscreen Path MTU screenos vpn
If you have site to site IPSec VPNs configured between two network with your Juniper Netscreen or SSG firewalls and clients from one network access servers or services from the other network then it is advisable to enable Path MTU Discovery support on the Juniper firewalls.
Juniper Netscreen or SSG firewalls running Screen OS by default disable the Path MTU Discovery support. This means, when an IP Packet with DF bit set ("1") in the ip Header and its size after IPSec Encapsulation is more the MTU of the Juniper VPN Firewall arrives at the VPN Firewall, the firewall will ignore the "DF" bit and simply fragments the packets and forwards it to the appropriate tunnel interface. This can cause serious problems with some applications. A classic example is the Microsoft Applications that rely on NetBIOS over TCP/IP which wouldn't prefer the packets being fragmented (and hence DF set).
It is advisable that the Path MTU Discovery support is enabled on the Juniper VPN Firewalls. When enabled in the above scenario, the Firewall will drop the packet instead and send an "ICMP Destination Unreachable (Datagram Too Big)" message (ICMP Type 3 Code 4 message) back to the host with its MTU value. The source host then adjusts its assumed Path MTU value appropriately and sends the packet accordingly so the packet size is well within the MTU of the firewall and hence the packet is not fragmented and is forwarded as such.
To enable Path MTU Discovery in Juniper firewalls running Screen OS logon as an admin user and run the following commands:
Set Path MTU
SSG20> set flow path-mtu
To verify the change
SSG20> get config | incl path
Remember, this needs to be enabled on the other VPN Peer as well.
This change should make users on either side a happy bunny!!!