Comments on Ken Felix Security Blog: TCP mss adjustment Juniper SRX

socpuppets, 2015-01-13T13:28:27.644-08:00

Will that's a hard question to answer. Any 3 of the devices could affect the final tcp-mss value.

Let's take your FW1 and FW2, assuming your local and remote firewalls. If any one is doing tcp-mss intercept and adjustment, then it can reduce the mss value in the client SYN or server SYN-ACK. The lowest value would be the final mss value used.

Also, if it's a LB as reverse ProxyServer or forward ProxyServer, then it could also reduce the MSS value. Take a ServerIron, we can apply the mss value on the virtualserver definitions

e.g.

    server VirServer
    port 9023 tcp-mss 1410

The same applies for F5, A10, and I haven't done a lot with Citrix but I believe CitrixNS can do the same.

FWIW & IMHO ICMP should never be considered or trusted for PMTUD since most devices will 1> drop icmp 2> filter icmp or 3> rate limit icmp

buhofromepn, 2015-01-13T09:47:12.502-08:00

Ken -
Good article -
In a chain of devices: FW1-FW2-LBProxy-Webserver, what is the MSS the LBProxy has to have and who recommends the negotiated MSS, the client connecting and sending the icmp or the webserver?