
A "murder" triggered by a MSS parameter

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Recently I have been playing with some decommissioned firewalls bought second-hand on Taobao. At home I run a Zabbix monitor with the free OneAlert notification plug-in (it supports WeChat, QQ, email, SMS, phone calls and so on), which I use to keep track of how long my little boy has been watching cartoons; if it goes on too long he gets cut off remotely, either by disconnecting his network or by shutting down the switch port. Turning off the TV in front of him has serious consequences, whereas if only his network drops he just thinks it is "broken", which is a lot less noisy.

Back to the point. I used to use wireless routers for NAT forwarding, and found that even routers in the thousand-yuan class such as the Cisco 6900 and the Netgear R7000 would still crash. Later, while helping someone with a project, I found that enterprise-grade firewalls such as the Juniper SSG and SRX cost only a few hundred yuan on Taobao, so I promptly bought several different models to test.

The protagonist of this article: JUNIPER SRX 210H makes its official debut.

When I configured PPPoE on the SRX 210, some websites would open and others would not, and the same setup had no such problem on a Juniper SSG5, so I concluded the problem was on the 210. The troubleshooting went as follows:

1. Check the link status of PPPoE

Looks normal.

Admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
  Interface index: 128, SNMP ifIndex: 501
  Type: PPPoE, Link-level type: PPPoE, MTU: 1532
  Device flags: Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link type: Full-Duplex
  Link flags: None
  Input rate: 232 bps (0 pps)
  Output rate: 0 bps (0 pps)

  Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 34772
      Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19
      Configured AC name: None, Service name: None
      Auto-reconnect timeout: 10 seconds, Idle timeout: Never
      Underlying interface: fe-0/0/1.0 (Index 78)
    Input packets: 24
    Output packets: 16
    Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
    Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Closed
    PAP state: Success
    Security: Zone: Null
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 183.12.26.1, Local: 183.12.26.79

2. Check zones and policies

All normal, and the policy is a full permit-all.

3. Adjust the MTU to 1400, as suggested online

No use at all; the problem is unchanged.

set interfaces pp0 unit 0 family inet mtu 1400

4. After digging through a pile of related leads on Baidu, I found a few people asking about adjusting the tcp-mss parameter

With my years of operations experience, my intuition told me the truth was about to come out.

The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header. [1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes. Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576 [3]-20-20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280 [4]-40-20).

Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead. [5]

Each direction of data flow can use a different MSS.

For most computer users, the MSS option is established by the operating system.

The paragraphs above are just a quick summary of what MSS has to do with TCP; don't read too much into them.

So I tried it with nothing to lose, and as a result every page that would not open before now opens.

set security flow tcp-mss all-tcp mss 1350
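As an added example (not code from the original post), the following Python does the MTU/MSS arithmetic described above and performs the option rewrite that "set security flow tcp-mss all-tcp mss 1350" asks the SRX to do on every SYN it forwards. The TCP header bytes are constructed inline, and unlike a real device the TCP checksum is not recomputed after the rewrite.

```python
import struct

# Header sizes in bytes. PPPoE adds 8 bytes to Ethernet, so the 1500-byte Ethernet MTU
# leaves 1492 for IP, matching "Protocol inet, MTU: 1492" in the pp0 output above.
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20

def max_mss(link_mtu, ipv6=False):
    """Largest MSS that avoids IP fragmentation on a link with this MTU."""
    return link_mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR

def segment_fits(mss, link_mtu):
    """True if a full-size IPv4/TCP segment with this MSS fits the link unfragmented."""
    return mss + IPV4_HDR + TCP_HDR <= link_mtu

def _mss_value_offset(tcp_header):
    """Byte offset of the 2-byte MSS value inside the TCP options, or None."""
    data_offset = (tcp_header[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:                  # End of option list
            return None
        if kind == 1:                  # NOP padding
            i += 1
            continue
        length = tcp_header[i + 1]
        if length < 2:                 # malformed option: stop rather than loop forever
            return None
        if kind == 2 and length == 4:  # MSS option
            return i + 2
        i += length

def parse_mss(tcp_header):
    off = _mss_value_offset(tcp_header)
    return None if off is None else struct.unpack_from("!H", tcp_header, off)[0]

def clamp_mss(tcp_header, limit):
    """Rewrite an advertised MSS above limit, as 'tcp-mss all-tcp mss N' does to SYNs."""
    current = parse_mss(tcp_header)
    if current is None or current <= limit:
        return tcp_header
    hdr = bytearray(tcp_header)
    struct.pack_into("!H", hdr, _mss_value_offset(tcp_header), limit)
    return bytes(hdr)

def build_syn(mss):
    """Constructed SYN header: MSS option, two NOPs, SACK-permitted (28 bytes total)."""
    opts = b"\x02\x04" + struct.pack("!H", mss) + b"\x01\x01\x04\x02"
    offset = (TCP_HDR + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset << 4, 0x02, 65535, 0, 0) + opts
```

A host on the LAN advertising the usual Ethernet MSS of 1460 produces 1500-byte segments that do not fit the 1492-byte PPPoE link, so when path MTU discovery is broken those segments simply vanish; clamping to 1350 keeps every segment under the link MTU.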

5. For the full PPPoE configuration, see my earlier blog post:

Http://yangye.blog.51cto.com/922715/1874180
