I have recently been playing with some decommissioned firewalls, picking up a few second-hand units on Taobao. At home I set up a Zabbix monitor with the free OneAlert notification plug-in (it supports WeChat, QQ, e-mail, SMS, phone calls and so on) to track how long my little one spends watching cartoons; when it runs too long I remotely cut his network or shut down the switch port, because switching off the TV in front of him has serious consequences, whereas if I cut his network he just thinks it is "broken" and makes much less fuss.
Back to the topic. I used to rely on wireless routers for NAT and found that even thousand-yuan-class routers like the Cisco 6900 and Netgear R7000 would lock up. Later, while doing a project for someone else, I discovered that enterprise firewalls like the Juniper SSG and SRX go for only a few hundred yuan on Taobao, so I bought several different models to test.
The star of this post: the Juniper SRX 210H takes the stage
After I configured PPPoE on the 210, some websites opened and others did not, and the same setup on a Juniper SSG5 had no such problem, so I concluded the issue was on the 210. Troubleshooting went as follows:
1. Check the PPPoE link state
It looks normal
admin@YY-SRX100H#run show interfaces pp0
Physical interface: pp0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 501
Type: PPPoE, Link-level type: PPPoE, MTU: 1532
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Link type : Full-Duplex
Link flags : None
Input rate : 232 bps (0 pps)
Output rate : 0 bps (0 pps)
Logical interface pp0.0 (Index 79) (SNMP ifIndex 563)
Flags: Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
PPPoE:
State: SessionUp, Session ID: 34772,
Session AC name: SZ-BJ-BAS-5.MAN.NE40E, Remote MAC address: da:86:8e:6c:00:19,
Configured AC name: None, Service name: None,
Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
Underlying interface: fe-0/0/1.0 (Index 78)
Input packets : 24
Output packets: 16
Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
Keepalive: Input: 3 (00:00:08 ago), Output: 7 (00:00:01 ago)
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
CHAP state: Closed
PAP state: Success
Security: Zone: Null
Protocol inet, MTU: 1492
Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
Addresses, Flags: Kernel Is-Preferred Is-Primary
Destination: 183.12.26.1, Local: 183.12.26.79
2. Check zones and policies
All normal too; the policies are wide open
3. Lower the MTU to 1400, as suggested online
No use; the problem remained
set interfaces pp0 unit 0 family inet mtu 1400
4. After combing through a mountain of related clues on Baidu, I came across a rarely discussed tcp-mss parameter
My years of ops experience told me the truth was about to surface.
The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header. The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.
To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes. Therefore, IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576 - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280 - 40 - 20).
Small MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.
Each direction of data flow can use a different MSS.
For most computer users, the MSS option is established by the operating system.
In short, the paragraph above says it has to do with TCP... no need to dwell on it
So I tried it just to see, and the pages that would not open before all opened
set security flow tcp-mss all-tcp mss 1350
5. For the complete PPPoE configuration, see my post below