Lately I have been playing with some retired firewalls, a few second-hand units picked up on Taobao. At home I set up a Zabbix monitor with the free OneAlert notification plugin (it supports WeChat, QQ, email, SMS, phone calls and so on) to track how long my little kid spends watching cartoons; if it runs too long I remotely cut his network or shut down the switch port, because turning off his TV in front of him has serious consequences, whereas if I cut the network he just thinks it is "broken" and does not fuss as much.
Back to the topic. I used to run NAT on a wireless router, but found that even thousand-yuan-class routers like the Cisco 6900 and the Netgear R7000 would eventually hang. Later, while doing a project for someone else, I discovered that enterprise-grade firewalls like the Juniper SSG and SRX go for only a few hundred yuan on Taobao, so I grabbed several different models to test.
The star of this post: the JUNIPER SRX 210H takes the stage.
當我用210配置完PPPOE后,部分網(wǎng)站可以打開,部分網(wǎng)站打不開,并且在JUNIPER SSG5上面沒有這個問題,所以斷定問題在210上。排錯思路如下:
1. Check the PPPoE link state
It looks normal:
admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 501
Type: PPPoE, Link-level type: PPPoE, MTU: 1532
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Link type : Full-Duplex
Link flags : None
Input rate : 232 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
PPPoE:
State: SessionUp, Session ID: 34772,
Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,
Configured AC name: None, Service name: None,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: fe-0/0/1.0 (Index 78)
Input packets : 24
Output packets: 16
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Closed
PAP state: Success
Security: Zone: Null
Protocol inet, MTU: 1492
Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination: 183.12.26.1, Local: 183.12.26.79
2. Check zones and policies
Also normal; the policies permit everything.
3. Adjust the MTU to 1400, as suggested online
No luck; the problem persists.
set interfaces pp0 unit 0 family inet mtu 1400
4. After combing through Baidu for every related clue, I found a rarely discussed tcp-mss parameter.
My years of ops experience told me the truth was about to surface.
The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.
To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes.[2] Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576[3] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280[4] - 40 - 20).
Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.[5]
Each direction of data flow can use a different MSS.
For most computer users, the MSS option is established by the operating system.
In short, the passage above just says it has to do with TCP... don't overthink it.
So I gave it a try, and the pages that would not open before all opened:
set security flow tcp-mss all-tcp mss 1350
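Why step 3 failed and step 4 worked: the pp0 MTU only governs what the SRX itself sends on the PPPoE link, whereas the hosts behind NAT still assume a 1500-byte Ethernet path and advertise MSS 1460 in their SYNs. Full-size segments from the server (1460 bytes of data plus 40 bytes of headers) do not fit in the 1492-byte PPPoE MTU; when the DF bit is set and the ICMP "fragmentation needed" message is filtered somewhere on the path, those segments are silently dropped, which is exactly the "some sites work, some hang" symptom. `tcp-mss all-tcp` makes the firewall rewrite the MSS option in every SYN passing through the flow module, so both ends send smaller segments. Any value at or below 1452 (1492 - 20 - 20) works; 1350 simply leaves headroom for extra encapsulation. Two caveats: only TCP is fixed this way (large UDP and ICMP packets still depend on path MTU discovery), and on IPsec-VPN traffic the SRX has a separate `tcp-mss ipsec-vpn` knob.

The following added example (not code from the original post, and not Juniper's implementation) shows what the clamp does on the wire: a constructed SYN from a LAN host advertising MSS 1460 is rewritten to carry MSS 1350 and its TCP checksum is recomputed, and the MSS-from-MTU arithmetic is spelled out. The addresses, ports and the SYN bytes are constructed for the example.

```python
"""Added example: TCP MSS clamping as a PPPoE firewall performs it, plus the
MSS/MTU arithmetic. Addresses, ports and the SYN are constructed here."""
import struct
from ipaddress import IPv4Address
from typing import Optional

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
PPPOE_OVERHEAD = 8   # PPPoE header (6) + PPP protocol field (2) inside a 1500-byte Ethernet frame


def mss_for_mtu(ip_mtu: int) -> int:
    """Largest MSS that keeps an IPv4/TCP segment inside one datagram of ip_mtu bytes."""
    return ip_mtu - IP_HDR_LEN - TCP_HDR_LEN


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus segment; a valid segment verifies to 0."""
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_syn(src: str, dst: str, src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed SYN: 20-byte header followed by MSS, NOP, NOP, SACK-permitted (8 option bytes)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)   # flags 0x02 = SYN, checksum 0 for now
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def _find_mss_option(segment: bytes) -> Optional[int]:
    """Byte offset of the MSS option (kind 2, length 4) in the TCP header, or None if absent."""
    end = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < end:
        kind = segment[i]
        if kind == 0:                                   # end of option list
            return None
        if kind == 1:                                   # NOP padding
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2:
            return None                                 # truncated or malformed option
        if kind == 2 and segment[i + 1] == 4:
            return i
        i += segment[i + 1]
    return None


def read_mss(segment: bytes) -> Optional[int]:
    off = _find_mss_option(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def clamp_mss(src: str, dst: str, segment: bytes, max_mss: int) -> bytes:
    """Firewall-style clamping: on a SYN whose MSS exceeds max_mss, rewrite the option
    to max_mss and recompute the checksum; any other segment passes through untouched."""
    if not segment[13] & 0x02:                          # not a SYN: nothing to clamp
        return segment
    off = _find_mss_option(segment)
    if off is None or read_mss(segment) <= max_mss:
        return segment
    seg = bytearray(segment)
    seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                            # zero the field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    lan_host, web_server = "192.168.1.10", "203.0.113.10"       # constructed addresses
    print("MSS that fits the 1492-byte PPPoE MTU:", mss_for_mtu(1500 - PPPOE_OVERHEAD))
    syn = build_syn(lan_host, web_server, 40000, 80, 1460)
    clamped = clamp_mss(lan_host, web_server, syn, 1350)
    print("MSS before/after clamp:", read_mss(syn), read_mss(clamped))
    print("checksum valid after clamp:", tcp_checksum(lan_host, web_server, clamped) == 0)
```

Run it as-is to see the 1460 SYN come out advertising 1350 with a checksum that still verifies; to confirm the real box is doing the same, capture the SYN on the LAN side and on the pp0 side and compare the MSS option in the two traces.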
5. For the full PPPoE configuration, see my earlier post:
http://yangye.blog.51cto.com/922715/1874180