Powered by Blogger.

How do I configure PMTU on a Juniper SRX series gateway ?

By default IPv4 Path MTU is enabled. However all PMTU options can be located under [set system internet-options ....].



root@srx100# set system internet-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels
> icmpv4-rate-limit    Rate-limiting parameters for ICMPv4 messages
> icmpv6-rate-limit    Rate-limiting parameters for ICMPv6 messages
ipip-path-mtu-discovery  Enable path MTU discovery for IP-IP tunnels
ipv6-duplicate-addr-detection-transmits  IPv6 Duplicate address detection transmits
ipv6-path-mtu-discovery  Enable IPv6 Path MTU discovery
ipv6-path-mtu-discovery-timeout  IPv6 Path MTU Discovery timeout (5..71582788 minutes)
ipv6-reject-zero-hop-limit  Enable dropping IPv6 packets with zero hop-limit
no-gre-path-mtu-discovery  Don't enable path MTU discovery for GRE tunnels
no-ipip-path-mtu-discovery  Don't enable path MTU discovery for IP-IP tunnels
no-ipv6-path-mtu-discovery  Don't enable IPv6 Path MTU discovery
no-ipv6-reject-zero-hop-limit  Don't enable dropping IPv6 packets with zero hop-limit
no-path-mtu-discovery  Don't enable Path MTU discovery on TCP connections
no-source-quench     Don't react to incoming ICMP Source Quench messages
no-tcp-reset         Do not send RST TCP packet for packets sent to non-listening ports
no-tcp-rfc1323       Disable RFC 1323 TCP extensions
no-tcp-rfc1323-paws  Disable RFC 1323 Protection Against Wrapped Sequence Number extension
path-mtu-discovery   Enable Path MTU discovery on TCP connections
> source-port          Source port selection parameters
source-quench        React to incoming ICMP Source Quench messages
tcp-drop-synfin-set  Drop TCP packets that have both SYN and FIN flags
[edit]

To confirm your default settings for PMTU use the following command :

root@srx100> request pfe execute command "show usp flow config" target fwdd
SENT: Ukern command: show usp flow config
GOT:
GOT: Current FLOW configuration:
GOT: ===========================
GOT:
GOT:  Flow main Parameters::
GOT:   allow-dns-reply: disabled (default),
GOT:   Route-change-timeout: 0 (default disabled),
GOT:   Pending-sess-queue-length: 5 (default),
GOT:   Syn-flood-protection tcp-syn-cookie (default),
GOT:   no-inter-node-forwarding: disabled (default),
GOT:  Aging Parameters::
GOT:   early-ageout: 20 (default),
GOT:   low-watermark: 100 (default),
GOT:   high-watermark: 100 (default),
GOT:  TCP MSS Parameters::
GOT:   all-tcp-mss: 1450,
GOT:   ipsec-vpn-tcp-mss: disabled (default),
GOT:   gre-in-tcp-mss: disabled (default),
GOT:   gre-out-tcp-mss: disabled (default),
GOT:  TCP Session Parameters::
GOT:   rst-invalid-session: disabled (default)
GOT:   rst-check-sequence: disabled (default)
GOT:   syn-check: enabled (default)
GOT:   syn-check-in-tunnel: enabled (default)
GOT:   sequence-check: enabled (default)
GOT:   strict-syn-check: disabled (default)
GOT:   tcp-initial-timeout: 20 (default)
GOT:   time-wait-state-session-timeout: 150 (default)
GOT:   trace flags: 0x0
    Blogger Comment
    Facebook Comment