Juniper SRX 1500

Juniper SRX: Clamp TCP MSS on a single interface


JunOS has system-wide TCP MSS settings (under security flow tcp-mss: all-tcp, ipsec-vpn and gre-in/gre-out), but these apply to every matching session through the box, not to one ingress or egress interface. Sometimes you want to clamp MSS only for traffic entering or leaving a particular interface. You can do this per security policy, with initial-tcp-mss rewriting the MSS option in the SYN and reverse-tcp-mss rewriting it in the SYN-ACK:

from-zone something to-zone somewhere {
    policy a_thing {
        match {
            source-address 1.2.3.4;
            destination-address 4.3.2.1;
            application any;
        }
        then {
            permit {
                tcp-options {
                    initial-tcp-mss 1360;
                    reverse-tcp-mss 1360;
                }
            }
        }
    }
}
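What those two knobs do on the wire is rewrite the MSS option of the SYN (initial-tcp-mss) and of the SYN-ACK (reverse-tcp-mss) when it is larger than the configured value, then fix up the TCP checksum. The following Python is an added illustration of that behaviour and is not code from the original post or from Juniper; the packets are constructed in the block (IPv4 only), and clamp_mss / apply_policy are names chosen here, not Junos APIs.

```python
"""Illustration of what initial-tcp-mss / reverse-tcp-mss do to a TCP handshake.
Added example: builds a SYN and SYN-ACK in memory, clamps the MSS option the
way a policy with tcp-options would, and recomputes the TCP checksum."""
import struct

IPPROTO_TCP = 6
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _with_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]      # checksum field is bytes 16..17
    return zeroed[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, zeroed)) + zeroed[18:]


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A correct checksum makes the sum over the whole segment come out as zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, flags, mss=None) -> bytes:
    """Constructed sample data: a minimal TCP header, optionally with an MSS option."""
    options = b"" if mss is None else struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return _with_checksum(src_ip, dst_ip, header + options)


def _mss_option_offset(opts: bytes):
    """Walk the option list; return the offset of the 16-bit MSS value, or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                      # malformed list: stop, never read past it
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def mss_of(segment: bytes):
    """The MSS option carried by a segment, or None if it has none."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    off = _mss_option_offset(opts)
    return None if off is None else struct.unpack_from("!H", opts, off)[0]


def clamp_mss(src_ip, dst_ip, segment, limit):
    """Lower the MSS option of a SYN/SYN-ACK to `limit` if it is larger.
    Returns (segment as forwarded, MSS the peer originally offered or None)."""
    if not segment[13] & FLAG_SYN:
        return segment, None                 # MSS is only carried on SYN / SYN-ACK
    data_offset = (segment[12] >> 4) * 4
    opts = bytearray(segment[20:data_offset])
    off = _mss_option_offset(bytes(opts))
    if off is None:
        return segment, None
    original = struct.unpack_from("!H", opts, off)[0]
    if original <= limit:
        return segment, original             # already small enough: forward untouched
    struct.pack_into("!H", opts, off, limit)
    rewritten = segment[:20] + bytes(opts) + segment[data_offset:]
    return _with_checksum(src_ip, dst_ip, rewritten), original


def apply_policy(client_ip, server_ip, syn, syn_ack, initial_tcp_mss, reverse_tcp_mss):
    """initial-tcp-mss acts on the client's SYN, reverse-tcp-mss on the server's SYN-ACK."""
    new_syn, _ = clamp_mss(client_ip, server_ip, syn, initial_tcp_mss)
    new_syn_ack, _ = clamp_mss(server_ip, client_ip, syn_ack, reverse_tcp_mss)
    return new_syn, new_syn_ack


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 10]), bytes([192, 0, 2, 20])   # constructed addresses
    syn = build_segment(client, server, 40000, 443, FLAG_SYN, mss=1460)
    syn_ack = build_segment(server, client, 443, 40000, FLAG_SYN | FLAG_ACK, mss=1460)
    s, sa = apply_policy(client, server, syn, syn_ack, 1360, 1360)
    print("SYN MSS", mss_of(syn), "->", mss_of(s), "checksum ok:", checksum_ok(client, server, s))
    print("SYN-ACK MSS", mss_of(syn_ack), "->", mss_of(sa), "checksum ok:", checksum_ok(server, client, sa))
```

1460 is what a host on a 1500-byte Ethernet segment normally offers (1500 minus 20 bytes of IPv4 and 20 of TCP); clamping lower leaves headroom for tunnel encapsulation further along the path. To confirm the SRX is really doing this, capture a SYN on a host behind the clamped interface with tcpdump -v and check the mss value it prints in the options.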

This is laborious to maintain and easy to forget on new rules, especially if you have a lot of zones. If you put the interface you want to clamp MSS on in its own security zone, you can use a JunOS configuration group with wildcards to apply the MSS settings to every policy into or out of that zone:

groups {
    somezone-mss {
        security {
            policies {
                from-zone <*> to-zone somezone {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    initial-tcp-mss 1360;
                                    reverse-tcp-mss 1360;
                                }
                            }
                        }
                    }
                }
                from-zone somezone to-zone <*> {
                    policy <*> {
                        then {
                            permit {
                                tcp-options {
                                    initial-tcp-mss 1360;
                                    reverse-tcp-mss 1360;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
apply-groups [ somezone-mss ];

If you now look at your security policies piped through display inheritance, you'll see how the group has been merged into each matching policy:

show security policies | display inheritance no-comments

Note that this doesn't work for global policies (security policies global), only those from and to a particular zone; on global policies you'll have to set the MSS manually on each policy. Also check the display inheritance output for any policy under those zones whose action is deny rather than permit, since the group adds a permit stanza to every policy the wildcard matches.
