The "Bloody Case" Caused by a Single MSS Parameter

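  Lately I have been playing with retired firewalls. I picked up a few second-hand units on Jack Ma's marketplace, set up a Zabbix monitoring server at home, and configured the free onealert notification plugin (it supports WeChat, QQ, e-mail, SMS, phone calls and so on) to monitor how long my little PP spends watching cartoons. When it goes on too long I remotely cut the network or shut down the switch port, because switching off the TV in front of him has serious consequences, whereas if I cut the network he just thinks it is "broken" and makes far less fuss.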


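  Back to the topic. I used to rely on wireless routers for NAT forwarding, and found that even routers in the thousand-yuan class, such as the cisco 6900 and the Netgear R7000, would eventually hang. Later, while doing a project for someone else, I discovered that enterprise-grade firewalls such as the Juniper SSG and SRX sell for only a few hundred yuan on a certain online marketplace, so I promptly bought several different models to test.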

The protagonist of this article, the JUNIPER SRX 210H, now takes the stage

After I configured PPPoE on the 210, some websites would open and others would not. The JUNIPER SSG5 did not have this problem, so I concluded that the fault lay with the 210. My troubleshooting went as follows:

1. Check the PPPoE link state

It looks normal

admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
  Interface index: 128, SNMP ifIndex: 501
  Type: PPPoE, Link-level type: PPPoE, MTU: 1532
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link type      : Full-Duplex
  Link flags     : None
  Input rate     : 232 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
    Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 34772,
      Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
      Underlying interface: fe-0/0/1.0 (Index 78)
    Input packets : 24 
    Output packets: 16
  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
  Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
  LCP state: Opened
  NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
  CHAP state: Closed
  PAP state: Success
    Security: Zone: Null
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 183.12.26.1, Local: 183.12.26.79

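2. Check the zones and policies

These are also normal; the policies are wide open

3. Following advice found online, set the MTU to 1400

It made no difference at all; the problem remained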

set interfaces pp0 unit 0 family inet mtu 1400

4. After combing Baidu for every related clue, I found a rarely discussed setting: the tcp-mss parameter

Years of operations experience and intuition told me the truth was about to surface.

The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes.[2] Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576[3] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280[4] - 40 - 20).

Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.[5]

Each direction of data flow can use a different MSS.

For most computer users, the MSS option is established by the operating system.

The passage above boils down to this: it has to do with TCP... no need to dig any deeper than that

So I tried it on the off chance, and the pages that would not open before all opened


set security flow tcp-mss all-tcp mss 1350
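
Added example (not from the original post and not Junos code): the general MSS-clamping technique that a setting like the one above applies, rewriting the MSS option of a SYN in transit and patching the TCP checksum incrementally (RFC 1624). It uses the page's 1492-byte PPPoE inet MTU and the 1350 clamp; the addresses, ports and the SYN itself are constructed sample data.

```python
import struct

PPPOE_MTU, CLAMP = 1492, 1350  # from the page: pp0 inet MTU and the tcp-mss value

def csum16(data):
    """Internet checksum (RFC 1071) of an even-length byte string."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def find_mss(tcp):
    """Return (value_offset, value) of the MSS option (kind 2), or None."""
    end, i = (min((tcp[12] >> 4) * 4, len(tcp)) if len(tcp) >= 20 else 0), 20
    while i + 1 < end and tcp[i] != 0:       # kind 0 = end of option list
        if tcp[i] == 1:                      # kind 1 = NOP, a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > end:   # malformed option: give up
            return None
        if tcp[i] == 2 and length == 4:
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_syn(tcp, limit=CLAMP):
    """Lower a SYN's MSS to `limit`; RFC 1624 update HC' = ~(~HC + ~m + m')."""
    tcp, found = bytearray(tcp), find_mss(tcp)
    if found is None or not tcp[13] & 0x02 or found[1] <= limit:
        return bytes(tcp)                    # no MSS, not a SYN, or small enough
    off, old, new = found[0], found[1], limit
    struct.pack_into("!H", tcp, off, limit)
    if off & 1:                              # value straddles two 16-bit words
        old, new = (old >> 8 | old << 8) & 0xFFFF, (new >> 8 | new << 8) & 0xFFFF
    s = (~struct.unpack_from("!H", tcp, 16)[0] & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", tcp, 16, ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF)
    return bytes(tcp)

# Constructed sample: SYN from a LAN host advertising MSS 1460 (Ethernet 1500 - 40).
PSEUDO = bytes([192, 168, 1, 10, 203, 0, 113, 5, 0, 6, 0, 32])  # src, dst, 0, TCP, len
SYN = bytearray(struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 0x80, 0x02, 65535, 0, 0)
                + bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2]))  # MSS, WS, SACK-perm
struct.pack_into("!H", SYN, 16, csum16(PSEUDO + SYN))

if __name__ == "__main__":
    out = clamp_syn(SYN)
    # largest MSS the PPPoE path carries, MSS before, MSS after, checksum residue
    print(PPPOE_MTU - 40, find_mss(SYN)[1], find_mss(out)[1], csum16(PSEUDO + out))
```

The advertised 1460 exceeds the 1452 bytes (1492 - 40) that fit in one unfragmented packet on the PPPoE link, while the clamped 1350 fits with room to spare.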

5. For the complete PPPoE configuration, see my blog post below

http://yangye.blog.51cto.com/922715/1874180
