After writing a short installation guide for setting up a Telekom VDSL connection with a Juniper SRX using PPPoE, I borrowed a Juniper SRX300 for testing purposes. After a quick configuration, I made a mistake, which tested my patience days later.
What was my problem? Some websites were unreachable, and the TLS handshake in the browser took forever or didn’t happen at all. Switching browsers from Firefox to Chromium and back didn’t help. I even tried Internet Explorer on my Windows machine, to no avail.
Websites like 1password.com (or my.1password.com) and netflix.com couldn’t be loaded. During my research, I found other websites like sonicwall.com or gitlab.com that also wouldn’t load.
Since I had a second line from Unitymedia, I switched the route first to see if the websites would load. And indeed, the aforementioned websites loaded again.
So, it’s Telekom…or? It was clear that something was wrong with the Telekom’s VDSL connection. A call to Telekom didn’t bring any new insights. The line was measured, and other than receiving 80 Mbit/s instead of 100 Mbit/s, nothing unusual was found.
Given the situation, I assumed I might have a problem with my new configuration. Parallel research brought MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size) to my attention. Oh.
MTU & MSS, huh? MTU defines the packet size for communication, with MSS directly related, indicating the space for payload data in the TCP/IP packet. Typically, Ethernet has an MTU of 1500 bytes, excluding 14 bytes for the header and 4 bytes for the trailer.
Subtracting 6 bytes for PPPoE header and 2 bytes for PPP protocol ID from 1500 bytes, we get 1492 bytes. Then, there’s an IP header of 20 bytes and a TCP header, also of 20 bytes.
After deductions, we have 1452 bytes as payload.
In summary: MTU = IP header + TCP header + data MSS = data.
Calculation: MSS = 1452 bytes MTU = 20 bytes + 20 bytes + 1452 bytes MTU = 1492 bytes
With PPPoE+PPP, add 8 bytes to data, so MSS becomes MSS - 8 bytes, resulting in 1492 bytes instead of 1500 bytes. Assuming I understood it correctly!
This is how you do it on the Juniper SRX300:
configure
#Entering configuration mode
set security flow tcp-mss all-tcp mss 1452
commit check
commit and-quit
After successfully loading the configuration, there were no more restrictions. I then checked my pp0.0 interface to ensure the MTU was properly set and also verified under “security flow” that the MSS was correct.
interfaces {
pp0 {
unit 0 {
family inet {
mtu 1492;
negotiate-address;
}
}
}
}
security {
flow {
tcp-mss {
all-tcp {
mss 1452;
}
}
}
}
Summary
A careless mistake led to certain websites or services not working for me. If I had paid proper attention to my article on Juniper SRX with Telekom VDSL PPPoE, the error wouldn’t have occurred. Perhaps it will help someone else facing the same or similar issue.
I also thank the author of webcodr.io for the very helpful post, which I list below as a research link.
Sources/Research
https://webcodr.io/2018/02/telekom-vdsl-mtu-und-mss-clamping-f%C3%BCr-ipv4-und-ipv6/
https://www.juniper.net/documentation/en_US/junos/topics/concept/pppoe-subscriber-access-mru-mtu-overview.html
https://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-tcp/200932-Ethernet-MTU-and-TCP-MSS-Adjustment-Conc.html
https://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12918-router-mtu.html
http://www.nwlab.net/art/mtu/mtu.html
https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-doesn-t-pass-HTTP-traffic/td-p/277357
https://telekomhilft.telekom.de/t5/Telefonie-Internet/MTU-und-MSS-Wert-bei-VDSL-50-nur-1452-bzw-1412/td-p/955234
https://forums.juniper.net/t5/SRX-Services-Gateway/What-is-wrong-with-my-PPPOE-configuration/m-p/137175#M17485
https://stackoverflow.com/questions/2613734/maximum-packet-size-for-a-tcp-connection
https://www.sonicwall.com/en-us/support/knowledge-base/170505851231244
http://www.networksorcery.com/enp/protocol/pppoe.htm
https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
https://en.wikipedia.org/wiki/Ethernet_frame
https://de.wikipedia.org/wiki/Maximum_Transmission_Unit