

Published: 2025-02-01  Author: 千家信息网 editorial staff

The "bloody case" caused by a single MSS parameter

Recently I have been playing with some decommissioned firewalls; I picked up a few second-hand units on Taobao to tinker with. At home I set up a Zabbix monitoring server and configured the free OneAlert notification plugin (it supports WeChat, QQ, e-mail, SMS, phone calls and so on) to monitor how long my little one spends watching cartoons, time


Back to the topic. I had always used wireless routers for NAT forwarding, and found that even thousand-yuan-class routers like the Cisco 6900 and the Netgear R7000 would hang in use. Later, while helping someone with a project, I discovered that enterprise-grade firewalls like the Juniper SSG and SRX cost only a few hundred yuan on Taobao, so I went ahead and bought several different models to test.

The star of this article, the JUNIPER SRX 210H, now takes the stage.

After I finished configuring PPPoE on the 210, some websites would open and others would not, and the same setup had no such problem on a Juniper SSG5, so I concluded the problem was with the 210. The troubleshooting approach was as follows:



admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 501
Type: PPPoE, Link-level type: PPPoE, MTU: 1532
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Link type : Full-Duplex
Link flags : None
Input rate : 232 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
State: SessionUp, Session ID: 34772,
Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,
Configured AC name: None, Service name: None,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: fe-0/0/1.0 (Index 78)
Input packets : 24
Output packets: 16
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Closed
PAP state: Success
Security: Zone: Null
Protocol inet, MTU: 1492
Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination:, Local:





set interfaces pp0 unit 0 family inet mtu 1400



The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP and TCP header sizes.[2] Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576[3] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280[4] - 40 - 20).

Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.[5]

Each direction of data flow can use a different MSS.

For most computer users, the MSS option is established by the operating system.



set security flow tcp-mss all-tcp mss 1350

