一个MSS参数引发的“血案”

  最近在玩一些淘汰下来的FW，在马云家淘了一些二手的玩玩，在家搭建了一台zabbix监控，配置了onealert的免费通知插件（支持微信、QQ、邮件、短信、电话等），用来监控我家小PP看动画片时长，时间过长就要远程断网或shutdown交换机接口，因为当着面关他电视后果很严重，断他网他会知道是“坏了”，没那么闹腾。

  回到正题，以前一直用无线路由器做NAT转发，发现即使是cisco 6900和网件R 7000等千元路由器级别都会用到死机。后来帮别人做项目发现juniper ssg和SRX这种企业级的FW在某宝只要几百元，果断出手搞了一些不同型号来测试。

本文的主角：JUNIPER SRX 210H正式登场

当我用210配置完PPPOE后，部分网站可以打开，部分网站打不开，并且在JUNIPER SSG5上面没有这个问题，所以断定问题在210上。排错思路如下：

一、检查PPPOE链路状态

看起来正常

admin@YY-SRX100H#run show interfaces pp0

Physical interface: pp0, Enabled, Physical link is Up

  Interface index: 128, SNMP ifIndex: 501

  Type: PPPoE, Link-level type: PPPoE, MTU: 1532

  Device flags   : Present Running

  Interface flags: Point-To-Point SNMP-Traps

  Link type      : Full-Duplex

  Link flags     : None

  Input rate     : 232 bps (0 pps)

  Output rate    : 0 bps (0 pps)

  Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)

    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE

    PPPoE:

      State: SessionUp, Session ID: 34772,

      Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,

      Configured AC name: None, Service name: None,

      Auto-reconnect timeout: 10 seconds, Idle timeout: Never,

      Underlying interface: fe-0/0/1.0 (Index 78)

    Input packets : 24 

    Output packets: 16

  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3

  Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)

  LCP state: Opened

  NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured

  CHAP state: Closed

  PAP state: Success

    Security: Zone: Null

    Protocol inet, MTU: 1492

      Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address

      Addresses, Flags: Kernel Is-Preferred Is-Primary

        Destination: 183.12.26.1, Local: 183.12.26.79

二、检查区域和策略

也都正常，策略全放开

三、根据网上的建议调整MTU为1400

然并卵，问题依旧

set interfaces pp0 unit 0 family inet mtu 1400

四、根据度娘搜遍了大量相关的蛛丝马迹，发现一个很少有人问津的tcp-mss参数调整

凭借我多年运维的经验直觉告诉我，真相很快就要浮出水面了。

The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.^[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes.^[2] Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576^[3] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280^[4] - 40 - 20).

Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.^[5]

Each direction of data flow can use a different MSS.

For most computer users, the MSS option is established by the operating system.

上面一段话其实简要概之就是，它和TCP有关。。。也别太较真了

于是乎就抱着试一试的态度，结果之前打不开的网页都能打开了

set security flow tcp-mss all-tcp mss 1350

本文转自yangye1985 51CTO博客，原文链接：http://blog.51cto.com/yangye/1874182，如需转载请自行联系原作者