Juniper SRX with Telekom VDSL connection issues due to MTU/MSS

Verfasst am 18.05.2020 von

After writing a short installation path to set up a Telekom VDSL connection with a Juniper SRX using PPPoE, I borrowed a Juniper SRX300 for testing purposes after a short time. Here I made a mistake after a quick configuration, which tested my patience a few days later.

What was my problem?
There were web pages available and sometimes the TLS handshake in the browser took ages or did not happen at all. Changing the browser from Firefox to Chromium and back did not help.
In the first step I even unpacked the Internet-Explorer on my Windows machine – even without any apparent success.

Websites like 1password.com (or my.1password.com) and netflix.com could not be loaded. During my research I came across other websites like sonicwall.com or gitlab.com, which also did not load.

Since I had a second line from Unitymedia, I changed the route and tried to see if the websites would load.
See there. The above mentioned web pages are reloading.

So the Telekom…right?
So it was clear, something is wrong with the VDSL connection of the Telekom.
A phone call with the Telekom did not bring any new findings. The line was measured and apart from the fact that I get 80 Mbit/s instead of 100 Mbit/s, nothing unusual was noticeable.

On the basis of the situation, I had to assume that I might have a problem with my new configuration.
The parallel research showed me the MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size). Oh.

So,… MTU & MSS.
There is the MTU, which defines the size of the packets for communication. MSS is directly related. It specifies the space for user data in the TCP/IP packet. Usually Ethernet has an MTU of 1500 bytes of user data, excluding headers with 14 bytes and trailers with 4 bytes.

If you subtract 6 bytes for PPPoE headers and 2 bytes for PPP protocol ID from 1500 bytes, you get 1492 bytes.
Then you have an IP header with 20 bytes and a TCP header with 20 bytes.

After deduction,.. 1452 bytes remain as payload.

Summarized:
MTU = IP header + TCP header + data
MSS = data.

Mathematically…
MSS = 1452 bytes
MTU = 20 bytes + 20 bytes + 1452 bytes
MTU = 1492 bytes

With PPPoE+PPP you calculate data + 8 bytes, therefore the MSS – 8 bytes is calculated and so instead of 1500 bytes you get 1492 bytes.
If I have understood this correctly!

The Juniper SRX300 does it like this:

configure
#Entering configuration mode
set security flow tcp-mss all-tcp mss 1452
commit check
commit and-quit

After the configuration was successfully loaded, there were no more restrictions.
I then checked my pp0.0 interface again to see if the MTU was set properly. Additionally under “security flow”, if the MSS is correct here too..

interfaces {
    pp0 {
        unit 0 {
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1452;
            }
        }
    }
}

In summary

A careless mistake led to the fact that certain web pages or services did not want to function any longer.
If I had paid proper attention to my article Juniper SRX with Telekom VDSL PPPoE, the error would not have happened.
Maybe it will help the one or the other, if the same or similar problems occur.

I also thank the author of webcodr.io for the very helpful article, which I also list below as a research link.


https://webcodr.io/2018/02/telekom-vdsl-mtu-und-mss-clamping-f%C3%BCr-ipv4-und-ipv6/
https://www.juniper.net/documentation/en_US/junos/topics/concept/pppoe-subscriber-access-mru-mtu-overview.html
https://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-tcp/200932-Ethernet-MTU-and-TCP-MSS-Adjustment-Conc.html
https://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12918-router-mtu.html
http://www.nwlab.net/art/mtu/mtu.html
https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-doesn-t-pass-HTTP-traffic/td-p/277357
https://telekomhilft.telekom.de/t5/Telefonie-Internet/MTU-und-MSS-Wert-bei-VDSL-50-nur-1452-bzw-1412/td-p/955234
https://forums.juniper.net/t5/SRX-Services-Gateway/What-is-wrong-with-my-PPPOE-configuration/m-p/137175#M17485
https://stackoverflow.com/questions/2613734/maximum-packet-size-for-a-tcp-connection
https://www.sonicwall.com/en-us/support/knowledge-base/170505851231244
http://www.networksorcery.com/enp/protocol/pppoe.htm
https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
https://en.wikipedia.org/wiki/Ethernet_frame
https://de.wikipedia.org/wiki/Maximum_Transmission_Unit