# [SOLVED] Juniper SSG320, VLAN & MTU problem



## traitanen (Feb 28, 2008)

In Short:
We are facing some "minor" problems with our Juniper.
With the Juniper SSG320, with all devices having a default MTU of 1500, any usage of VLAN tags will jam TCP/IP connections.

Long version:
Juniper 320M
Firmware Version:
6.0.0r2.0 (Firewall+VPN)
6.0.0r3.0 (Firewall+VPN)

LAN=10.1.1.1/22 (Trust) eth0/0
WORLDGW=10.100.100.2/24 (FW side 10.100.100.1) (Untrust) eth0/2

The above network setup was created using the wizard interface in Juniper and it works fine (no VLAN tagging). Additionally, we have allowed everything to pass in both directions, and the LAN has been tested with NAT and ROUTE options. (All machines and the firewall have MTU 1500 unless stated otherwise.)

If we now create a SUB-IF 2.8 with VLAN tag 8 that replaces eth0/2,
then the TCP/IP connections will stop/jam at some point. Ping & tracert
still work.

After this, if the MTU of the sending OR receiving machine is lowered
to 1496 or smaller, then everything works fine again.

Any change to Juniper Interface Admin MTU does not have any effect.

We were testing by e.g. opening an ssh-connection and executing "tree /".
This ssh-connection will jam. The receiving test machine was Linux
and the clients were Linux & Windows. This same problem is also occurring
in the "real" environment and with http-connections.

LocalLinux <-> eth0/0 FW eth0/2.8 <-> vlan8 RemoteLinux

Also tested with switches:
LocalLinux <-> ciscoSW <-> eth0/0 FW eth2.8 <-> vlan8 hpProcurve (or cisco) portVlan8 <-> RemoteLinux

With switches only, it works:
LocalLinux <-> SW vlan8 <-> vlan8 RemoteLinux

Any suggestions... Anything... We are running out of ideas...


----------



## traitanen (Feb 28, 2008)

*Re: Juniper SSG320, VLAN & MTU problem*

Solved! Fixed in the firmware 6.0.0co4.0


----------

