How do I configure PMTU on a Juniper SRX series gateway?

By default, IPv4 Path MTU is enabled. All PMTU options can be found under [set system internet-options …].

root@srx100# set system internet-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
  gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels
> icmpv4-rate-limit    Rate-limiting parameters for ICMPv4 messages
> icmpv6-rate-limit    Rate-limiting parameters for ICMPv6 messages
  ipip-path-mtu-discovery  Enable path MTU discovery for IP-IP tunnels
  ipv6-duplicate-addr-detection-transmits  IPv6 Duplicate address detection transmits
  ipv6-path-mtu-discovery  Enable IPv6 Path MTU discovery
  ipv6-path-mtu-discovery-timeout  IPv6 Path MTU Discovery timeout (5..71582788 minutes)
  ipv6-reject-zero-hop-limit  Enable dropping IPv6 packets with zero hop-limit
  no-gre-path-mtu-discovery  Don’t enable path MTU discovery for GRE tunnels
  no-ipip-path-mtu-discovery  Don’t enable path MTU discovery for IP-IP tunnels
  no-ipv6-path-mtu-discovery  Don’t enable IPv6 Path MTU discovery
  no-ipv6-reject-zero-hop-limit  Don’t enable dropping IPv6 packets with zero hop-limit
  no-path-mtu-discovery  Don’t enable Path MTU discovery on TCP connections
  no-source-quench     Don’t react to incoming ICMP Source Quench messages
  no-tcp-reset         Do not send RST TCP packet for packets sent to non-listening ports
  no-tcp-rfc1323       Disable RFC 1323 TCP extensions
  no-tcp-rfc1323-paws  Disable RFC 1323 Protection Against Wrapped Sequence Number extension
  path-mtu-discovery   Enable Path MTU discovery on TCP connections
> source-port          Source port selection parameters
  source-quench        React to incoming ICMP Source Quench messages
  tcp-drop-synfin-set  Drop TCP packets that have both SYN and FIN flags
[edit]

Rick Donato
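To check which of these PMTU settings a saved configuration actually changes, the following Python sketch reads `show configuration | display set` output and reports each toggle. It is an added example, not part of the original article or Juniper's tooling; the function name, feature labels and sample input are assumptions made for illustration.

```python
# PMTU toggles from the completions above; the disable form is "no-" + statement.
PMTU_STATEMENTS = {
    "tcp-ipv4": "path-mtu-discovery",
    "ipv6": "ipv6-path-mtu-discovery",
    "gre": "gre-path-mtu-discovery",
    "ipip": "ipip-path-mtu-discovery",
}

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set system host-name srx100
set system internet-options no-path-mtu-discovery
set system internet-options ipv6-path-mtu-discovery-timeout 10
set system internet-options gre-path-mtu-discovery
set system internet-options no-ipip-path-mtu-discovery
deactivate system internet-options no-ipip-path-mtu-discovery
set system internet-options tcp-drop-synfin-set
"""

def audit_pmtu(display_set_text):
    """Map each PMTU feature to "enabled", "disabled" or "default".

    "default" means no active statement is present. Assumption: statements
    inherited through apply-groups are not expanded by this check.
    """
    active = set()
    for line in display_set_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1:3] != ["system", "internet-options"]:
            continue
        if tokens[0] == "deactivate" and len(tokens) == 3:
            # The whole internet-options stanza is inactive.
            return {feature: "default" for feature in PMTU_STATEMENTS}
        if len(tokens) < 4:
            continue
        # Exact match on the statement name, so "...-timeout" is not the toggle.
        if tokens[0] == "set":
            active.add(tokens[3])
        elif tokens[0] == "deactivate":
            active.discard(tokens[3])
    result = {}
    for feature, stmt in PMTU_STATEMENTS.items():
        if "no-" + stmt in active:
            result[feature] = "disabled"
        elif stmt in active:
            result[feature] = "enabled"
        else:
            result[feature] = "default"
    return result
```

For the constructed sample, TCP/IPv4 PMTU is reported as disabled, GRE as enabled, and IPv6 and IP-IP as default, because the timeout statement is not the toggle and the IP-IP statement is deactivated.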
