5

I tested my DNS servers with the OARC test and my size limit is at least 1403 bytes. I performed the same test before my Juniper ISG 2000 and the result is 2047 bytes.

According to the chapter IP "Fragments Filtered" and this article, I think I have a fragmentation problem.

This article talks about ip virtual-reassembly for cisco but I can't find the equivalent for Juniper.

I'd prefer to find the right option in JunOS before I talk about this with my net admin :-)

Thanks

bortzmeyer
2xyo
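The reply-size test mentioned in the question works by advertising an EDNS0 UDP payload size and seeing how large a reply actually gets back; a reported limit below what the server advertises means the larger, fragmented UDP replies are being lost on the path. The following is an added example, not the OARC test's own code and not from the original post: it builds such an EDNS0 query in wire format with only the standard library, parses the advertised payload size back out of a message, and computes whether a reply of a given size would need IPv4 fragmentation at a given path MTU (1500 assumed). The query name, transaction id and the use of a TXT query are placeholders; `probe()` is the only part that touches the network.

```python
"""EDNS0 reply-size diagnostics (added example, not the page's own code).

Standard library only. Assumptions: IPv4 with a 20-byte IP header and an
8-byte UDP header, a 1500-byte path MTU by default, and placeholder query
names. The OPT pseudo-RR layout follows RFC 6891: owner name is the root,
TYPE is 41, and the CLASS field carries the advertised UDP payload size.
"""
import socket
import struct
from typing import Optional

IPV4_HEADER = 20   # bytes, no IP options (assumption)
UDP_HEADER = 8     # bytes
OPT_TYPE = 41      # RR type of the EDNS0 OPT pseudo-record


def build_edns_query(qname: str, udp_payload_size: int,
                     qtype: int = 16, txid: int = 0x1234) -> bytes:
    """Return a wire-format DNS query for qname/qtype (16 = TXT) with an OPT
    record advertising udp_payload_size. qname and txid are placeholders."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=payload size, TTL=0 (ext rcode,
    # version, flags all zero), RDLENGTH=0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def _skip_name(packet: bytes, offset: int) -> int:
    """Return the offset just past the (possibly compressed) name at offset."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def advertised_payload_size(packet: bytes) -> Optional[int]:
    """Parse a DNS message and return the UDP payload size its OPT record
    advertises, or None if the message carries no OPT record."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        if rtype == OPT_TYPE:
            return rclass                                 # CLASS field = payload size
        offset += 10 + rdlen
    return None


def largest_unfragmented_reply(path_mtu: int = 1500) -> int:
    """Largest DNS payload that fits in one IPv4/UDP datagram at path_mtu."""
    return path_mtu - IPV4_HEADER - UDP_HEADER


def fragments_on_path(dns_reply_size: int, path_mtu: int = 1500) -> bool:
    """True if a UDP reply of dns_reply_size bytes exceeds the MTU and must be
    split into IP fragments, which a fragment-filtering firewall will drop."""
    return dns_reply_size > largest_unfragmented_reply(path_mtu)


def probe(server: str, qname: str, udp_payload_size: int, timeout: float = 3.0) -> int:
    """Send one EDNS0 query to server:53 over UDP and return the reply size in
    bytes (0 on timeout). Network call; not used by the offline checks."""
    query = build_edns_query(qname, udp_payload_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(65535)
        except socket.timeout:
            return 0
    return len(reply)


if __name__ == "__main__":
    q = build_edns_query("example.com", 4096)
    print("advertised payload size:", advertised_payload_size(q))
    print("largest unfragmented reply at MTU 1500:", largest_unfragmented_reply())
    for size in (1403, 2047):
        print(f"{size}-byte reply fragments:", fragments_on_path(size))
```

With the default 1500-byte MTU the largest reply that travels in a single datagram is 1472 bytes, so a 2047-byte reply (the size measured in front of the firewall) can only arrive as fragments, while 1403 bytes still fits in one packet. Until the firewall reassembles or passes fragments, the usual workaround on the resolver side is to advertise an EDNS buffer size no larger than the unfragmented limit so that servers fall back to TCP instead of sending fragments that get filtered.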

2 Answers

2

The ISG-2000 is actually a stateful firewall with several other features and options (VPN, IPS, etc.). It runs ScreenOS, not JunOS, as it's a NetScreen firewall.

Assuming you're running ScreenOS 6.2.0 or newer, you should be able to enable IP packet reassembly as follows:

set flow force-ip-reassembly
blueadept
0

From what I can tell, there is no option on things other than GRE tunnels, and possibly all tunnels.

Is there any chance of using a stateful firewall, as I believe that may also enable reassembly?

Michael Graff
  • Yes, it seems a stateful firewall is the only solution if you insist on having a firewall: http://www-jnet.juniper.net/techpubs/software/erx/junose80/swconfig-ip-services/download/firewall-config.pdf "To ward against attacks that use fragmentation, the JUNOS stateful firewall supports virtual reassembly for TCP and UDP packets,..." – bortzmeyer Apr 16 '10 at 06:59