Problem description:
On Juniper SSG series firewalls, when VPN users dial in or hosts on different subnets access each other directly, it sometimes happens that PING succeeds but application traffic, such as web access or file sharing, does not work.
Problem analysis:
These problems are usually caused by how packet fragments are handled in transit: a packet is too large and has to be fragmented, but the far end does not support large fragments, so the firewall drops it. The packets in question are generally TCP/IP packets.
Solution:
Once the set flow path-mtu command is enabled, when a large packet reaches the firewall the firewall sends a "Destination unreachable - fragmentation required" message, telling the peer that this packet cannot get through because it is too large and needs to be fragmented. When the initiating side receives this message, it reduces its own MTU value (set flow all-tcp-mss <number>) so that its packets pass through the firewall.
The two commands below both modify the maximum segment size (MSS) during data transfer so that it stays below the MTU, letting packets pass through the firewall.
set flow tcp-mss
applies to VPN traffic
set flow all-tcp-mss
applies to clear-text traffic
TCP-MSS Functionality
The command set flow tcp-mss applies to VPN traffic only. Note that it only affects the firewall that does the encrypting. For example, given the following topology:
PC-A -----FW1--------VPN TUNNEL-----------FW2--------PC-B
Only FW2 is set with this command:
FW2-> set flow tcp-mss 1350
Then, if the session is established from PC-A to PC-B, PC-A sends the SYN packet via the tunnel. FW1 does not change the TCP-MSS setting. When the packet is received by the FW2, the TCP-MSS setting will not be changed since the packet is already decrypted. In other words, the TCP-MSS setting will only be changed if the command is set on the firewall where the packet is encrypted, not on the firewall where the packet is getting decrypted.
If you want to change the MSS setting for the sessions originating from PC-A through the tunnel, then set flow tcp-mss 1350 has to be set on FW1.
ALL-TCP-MSS Functionality
The command set flow all-tcp-mss is required when using PPPoE, as PPPoE adds considerable overhead, and fragmentation will occur if the set flow all-tcp-mss command is not enabled. There are also some instances where a router may not be handling fragmentation properly. In these instances, set flow all-tcp-mss may help. For example, if accessing a web site and not all images are drawn, this symptom could be due to fragmentation. Applying set flow all-tcp-mss can resolve this issue.
Note that set flow all-tcp-mss settings apply only to clear traffic. It is bi-directional, and hence modifies the MSS value in the SYN packet of clear traffic in both directions. For example, in the above scenario/topology, let's say the following command is also added to FW2:
FW2-> set flow all-tcp-mss 1350
Then, when PC-A establishes a session with PC-B, FW2 will change the TCP-MSS setting for the sessions originating from PC-A to PC-B, because it applies to the packet after it is decrypted.
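As an added illustration (not from the original post and not Juniper's code), the following Python models what the tcp-mss / all-tcp-mss commands do: it derives the MSS that fits a given MTU and encapsulation overhead, and rewrites the MSS option of a TCP SYN when it exceeds the configured ceiling. The sample SYN segment is constructed inline; the TCP checksum is deliberately not recomputed.

```python
import struct
from typing import Optional

IP_HDR_LEN = 20   # IPv4 header without options
TCP_HDR_LEN = 20  # TCP header without options

def mss_for_mtu(mtu: int, extra_overhead: int = 0) -> int:
    """Largest TCP MSS that fits a path MTU once IP/TCP headers and any
    per-packet encapsulation overhead (e.g. 8 bytes for PPPoE) are removed."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN - extra_overhead

def build_syn(mss: int) -> bytes:
    """Constructed sample: a minimal TCP SYN carrying only an MSS option."""
    # src port, dst port, seq, ack, data offset (6 words = 24 bytes), SYN flag,
    # window, checksum (left 0 in this sample), urgent pointer
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)  # kind=2 (MSS), len=4, value

def _mss_offset(segment: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS option value inside the segment, or None."""
    end = (segment[12] >> 4) * 4   # data offset = header length incl. options
    i = TCP_HDR_LEN
    while i < end:
        kind = segment[i]
        if kind == 0:              # end of option list
            break
        if kind == 1:              # NOP padding, single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:             # malformed option: stop parsing
            break
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None

def read_mss(segment: bytes) -> Optional[int]:
    off = _mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]

def clamp_syn_mss(segment: bytes, max_mss: int) -> bytes:
    """Firewall-style MSS clamping: only SYNs are touched, and only when the
    advertised MSS is larger than max_mss (the set flow ... tcp-mss value)."""
    off = _mss_offset(segment) if segment[13] & 0x02 else None
    if off is None or struct.unpack_from("!H", segment, off)[0] <= max_mss:
        return segment
    out = bytearray(segment)
    struct.pack_into("!H", out, off, max_mss)
    return bytes(out)
```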