Juniper SSG firewall: access problems between different subnets

Posted on 2014-11-12 23:29:25
Problem description:
With Juniper SSG series firewalls, when VPN clients dial in or hosts on different subnets access each other directly, it sometimes happens that PING reaches the destination but the actual services (for example web access or file shares) cannot be used.

Problem analysis:

These problems are usually caused by how the device handles packet fragments in transit: the packet is too large and has to be fragmented, but the far end does not support large fragments, so the firewall drops it. The packets in question are generally TCP/IP packets.

Solution:

Once the Set Flow Path-MTU command is enabled, when a large packet reaches the firewall, the firewall sends a "Destination unreachable - fragmentation required" message telling the peer that the packet could not get through because it was too large and needed fragmentation. When the initiating side receives this message, it lowers its MTU value (set flow all-tcp-mss <value>) so that its packets can pass through the firewall.

The two commands below both modify the maximum segment size (MSS) during data transmission so that it stays below the MTU value, letting packets pass through the firewall:
set flow tcp-mss
applies to VPN traffic
set flow all-tcp-mss
applies to clear-text traffic



TCP-MSS Functionality
The command set flow tcp-mss applies to VPN traffic only. Note that it only affects the firewall that does the encrypting. For example, given the following topology:
PC-A -----FW1--------VPN TUNNEL-----------FW2--------PC-B
Only FW2 is set with this command:
FW2-> set flow tcp-mss 1350
Then, if the session is established from PC-A to PC-B, PC-A sends the SYN packet via the tunnel. FW1 does not change the TCP-MSS setting. When the packet is received by FW2, the TCP-MSS setting will not be changed, since the packet has already been decrypted. In other words, the TCP-MSS setting will only be changed if the command is set on the firewall where the packet is encrypted, not on the firewall where the packet is decrypted.
If you want to change the MSS setting for sessions originating from PC-A through the tunnel, then set flow tcp-mss 1350 has to be set on FW1.
ALL-TCP-MSS Functionality
The command set flow all-tcp-mss is required when using PPPoE, as PPPoE adds considerable overhead, and fragmentation will occur if the set flow all-tcp-mss command is not enabled. There are also some instances where a router may not be handling fragmentation properly. In these instances, set flow all-tcp-mss may help. For example, if accessing a web site and not all images are drawn, this symptom could be due to fragmentation. Applying set flow all-tcp-mss can resolve this issue.

Note that set flow all-tcp-mss settings apply only to clear traffic. The setting is bi-directional, so it modifies the MSS value in the SYN packet of clear traffic in both directions.

For example, in the above scenario/topology, let's say the following command is also added to FW2:

FW2-> set flow all-tcp-mss 1350

Then, when PC-A establishes a session with PC-B, FW2 will change the TCP-MSS setting for the sessions originating from PC-A to PC-B, because it applies to the packet after it is decrypted.
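The following is an added example, not code from the original post, from the genisystem blog or from Juniper. It models the behaviour described above in plain Python: a constructed TCP SYN carrying an MSS option is walked and, where the option exceeds the configured limit, rewritten (that is what MSS clamping is), and a small Firewall model applies the page's rules for where each command takes effect (tcp-mss only on the encrypting firewall, all-tcp-mss on clear traffic on either side of the tunnel). The Firewall class, the field names and the "encrypt"/"decrypt" labels are this example's own assumptions; the scenarios reproduce the three cases in the text (tcp-mss on FW2 only, tcp-mss on FW1, all-tcp-mss added to FW2). The SYN is built without an IP layer, so its checksum is left at zero; a real firewall recomputes it after rewriting the option.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MSS_KIND = 2  # TCP option kind for Maximum Segment Size


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed sample: a minimal 24-byte TCP SYN with a 4-byte MSS option (no IP layer)."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss)      # kind=2, len=4, value
    data_offset = (20 + len(options)) // 4                # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port,
                         0, 0,                            # seq, ack
                         data_offset << 4, 0x02,          # offset/reserved, flags=SYN
                         65535, 0, 0)                     # window, checksum (left 0), urgent ptr
    return header + options


def get_mss(segment: bytes) -> Optional[int]:
    """Walk the TCP option list and return the advertised MSS, or None if absent."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation (single byte)
            i += 1
            continue
        length = segment[i + 1]
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(segment: bytes, limit: int) -> bytes:
    """MSS clamping: return a copy of the SYN whose MSS option is lowered to `limit` if larger."""
    end = (segment[12] >> 4) * 4
    buf = bytearray(segment)
    i = 20
    while i < end:
        kind = buf[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = buf[i + 1]
        if kind == MSS_KIND and length == 4:
            current = struct.unpack("!H", buf[i + 2:i + 4])[0]
            if current > limit:
                buf[i + 2:i + 4] = struct.pack("!H", limit)
            break
        i += length
    return bytes(buf)


@dataclass
class Firewall:
    """Hypothetical model of one SSG: which flow settings it carries (assumption of this example)."""
    name: str
    tcp_mss: Optional[int] = None       # set flow tcp-mss N     (VPN traffic, encrypting side only)
    all_tcp_mss: Optional[int] = None   # set flow all-tcp-mss N (clear traffic, both directions)

    def forward(self, syn: bytes, action: str) -> bytes:
        """action: 'encrypt' (packet enters the tunnel here) or 'decrypt' (packet leaves it here)."""
        # all-tcp-mss acts on the clear-text packet wherever it is seen in the clear:
        # before encryption on the entry side, after decryption on the exit side.
        if self.all_tcp_mss is not None:
            syn = clamp_mss(syn, self.all_tcp_mss)
        # tcp-mss acts only where this firewall encrypts the packet into the tunnel.
        if action == "encrypt" and self.tcp_mss is not None:
            syn = clamp_mss(syn, self.tcp_mss)
        return syn


def send_through_tunnel(syn: bytes, fw_encrypt: Firewall, fw_decrypt: Firewall) -> bytes:
    """PC-A ---fw_encrypt--- VPN TUNNEL ---fw_decrypt--- PC-B: the SYN as PC-B receives it."""
    return fw_decrypt.forward(fw_encrypt.forward(syn, "encrypt"), "decrypt")


def page_scenarios() -> dict:
    """The three cases from the text; returns the MSS that PC-B ends up seeing in each."""
    syn = build_syn(40000, 80, 1460)  # PC-A advertises a typical Ethernet MSS
    # Case 1: only FW2 has 'set flow tcp-mss 1350' -> FW2 decrypts, so nothing changes.
    case1 = get_mss(send_through_tunnel(syn, Firewall("FW1"), Firewall("FW2", tcp_mss=1350)))
    # Case 2: 'set flow tcp-mss 1350' on FW1, the encrypting side -> MSS is clamped.
    case2 = get_mss(send_through_tunnel(syn, Firewall("FW1", tcp_mss=1350), Firewall("FW2")))
    # Case 3: FW2 also gets 'set flow all-tcp-mss 1350' -> clamped after decryption.
    case3 = get_mss(send_through_tunnel(syn, Firewall("FW1"),
                                        Firewall("FW2", tcp_mss=1350, all_tcp_mss=1350)))
    return {"fw2_tcp_mss_only": case1, "fw1_tcp_mss": case2, "fw2_all_tcp_mss": case3}


if __name__ == "__main__":
    for case, mss in page_scenarios().items():
        print(f"{case}: PC-B sees MSS {mss}")
```

Running the module prints 1460 for the first case and 1350 for the other two, which is the distinction the text draws: a clamp configured on the decrypting firewall with tcp-mss alone never touches the SYN, while all-tcp-mss catches it once it is back in the clear.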

This article comes from the "genisystem" blog; please keep this source reference: http://genisystem.blog.51cto.com/39344/368740

