最近在玩一些淘汰下来的FW,在马云家淘了一些二手的玩玩,在家搭建了一台zabbix监控,配置了onealert的免费通知插件(支持微信、QQ、邮件、短信、电话等),用来监控我家小PP看动画片时长,时间过长就要远程断网或shutdown交换机接口,因为当着面关他电视后果很严重,断他网他会知道是“坏了”,没那么闹腾。
回到正题,以前一直用无线路由器做NAT转发,发现即使是cisco 6900和网件R 7000等千元路由器级别都会用到死机。后来帮别人做项目发现juniper ssg和SRX这种企业级的FW在某宝只要几百元,果断出手搞了一些不同型号来测试。
本文的主角:JUNIPER SRX 210H正式登场
当我用210配置完PPPOE后,部分网站可以打开,部分网站打不开,并且在JUNIPER SSG5上面没有这个问题,所以断定问题在210上。排错思路如下:
一、检查PPPOE链路状态
看起来正常
admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 501
Type: PPPoE, Link-level type: PPPoE, MTU: 1532
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Link type : Full-Duplex
Link flags : None
Input rate : 232 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
PPPoE:
State: SessionUp, Session ID: 34772,
Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,
Configured AC name: None, Service name: None,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: fe-0/0/1.0 (Index 78)
Input packets : 24
Output packets: 16
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Closed
PAP state: Success
Security: Zone: Null
Protocol inet, MTU: 1492
Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination: 183.12.26.1, Local: 183.12.26.79
二、检查区域和策略
也都正常,策略全放开
三、根据网上的建议调整MTU为1400
然并卵,问题依旧
set interfaces pp0 unit 0 family inet mtu 1400
四、根据度娘搜遍了大量相关的蛛丝马迹,发现一个很少有人问津的tcp-mss参数调整
凭借我多年运维的经验直觉告诉我,真相很快就要浮出水面了。
The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.
To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes.[2] Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576[3] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280[4] - 40 - 20).
Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.[5]
Each direction of data flow can use a different MSS.
For most computer users, the MSS option is established by the operating system.
上面一段话其实简要概之就是,它和TCP有关。。。也别太较真了
于是乎就抱着试一试的态度,结果之前打不开的网页都能打开了
set security flow tcp-mss all-tcp mss 1350
本文转自yangye1985 51CTO博客,原文链接:http://blog.51cto.com/yangye/1874182,如需转载请自行联系原作者
