Hi Alex,

It's already configured with value 1350.

Regards,
Atif.

On Tue, Feb 19, 2013 at 8:03 PM, Alex Arseniev <alex.arsen...@gmail.com> wrote:

> http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41894.html
>
> set security flow tcp-mss ipsec-vpn mss 1300
>
> - should fix it.
> Thanks
> Alex
>
> ----- Original Message -----
> From: "Muhammad Atif Jauhar" <atif.jau...@gmail.com>
> To: <juniper-nsp@puck.nether.net>
> Sent: Tuesday, February 19, 2013 3:25 PM
> Subject: Re: [j-nsp] IPSec Tunnel between Remote office and main Office
>
>> Hi,
>>
>> One of our clients currently has the topology below to connect all remote
>> sites to the main office.
>>
>> Remote Site-1(SRX240) ----------------------E1----------------- Router --------------GE----------------- Main Office (SRX 650)
>>                                                                   |
>>                                                                   |
>>                                                                   |
>> Remote Site-x(SRX240) ----------------------E1------------------
>>
>> Following are the other parts of the configuration:
>>
>> 1. All devices are running RIP because the Router is very old and needs an
>>    extra support license for OSPF.
>> 2. A route-based IPSec tunnel is configured between each remote site SRX240
>>    and the SRX650.
>> 3. All E1 links on the remote side and the Ge link between the SRX650 are in
>>    the Untrust Zone.
>> 4. All st interfaces are in the VPN Zone; LAN interfaces are in the Trust Zone.
>> 5. Policies are allowed between different sources and destinations between
>>    the VPN and Trust Zones.
>> 6. Traffic is denied between the Untrust and VPN/Trust Zones.
>>
>> The client wants to remove the Router from the topology and connect the E1
>> links on the SRX650.
>>
>> We have performed the following steps to migrate one link for testing:
>>
>> 1. Remove the E1 link from the router and connect it to the SRX650.
>> 2. Put the above E1 link in RIP and the Untrust Zone.
>> 3. Put routing policies on the E1 link in RIP to stop learning Trust subnets
>>    from the E1 link, so that routes are learned only from the st link. Only
>>    the Ge interface IP is learned from the E1 link.
>> 4. We didn't change any VPN configuration on either side, and the IPSec
>>    tunnel comes up and traffic is also passing.
>>    The external interface in the VPN configuration on the SRX650 is still
>>    the Ge interface.
>>    The VPN IKE gateway on the remote site is the same Ge interface IP on the
>>    SRX650.
>>
>> We observe the following:
>>
>> 1. When we access the remote firewall, the session sometimes hangs and the
>>    output of any command is displayed slowly.
>> 2. When we access the remote firewall directly from the main office SRX, the
>>    session hangs completely once we enter a command with bigger output, like
>>    request support information or show configuration etc.
>> 3. If we access other remote firewalls the same way as in step 2, there is
>>    no issue.
>>
>> Kindly let us know if there is any issue when we have a directly connected
>> link but establish the IPSec tunnel with another interface IP, like the Ge
>> interface on the SRX650. The IKE gateway on the SRX650 for the remote
>> firewall is the same E1 link interface. That means on the remote firewall
>> the IKE gateway is the Ge interface of the SRX650, and on the SRX650 the IKE
>> gateway is the E1 link of the remote firewall.
>>
>> Is there any way to troubleshoot the session hanging and slowness?
>>
>> Regards,
>>
>> Muhammad Atif Jauhar
>> (+966-56-00-04-985)
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Regards,
Muhammad Atif Jauhar
(+966-56-00-04-985)