[j-nsp] Traffic drops on IPSEC - SRX3600

Quoc Hoang quochoang at yahoo.com
Mon Aug 2 15:02:32 EDT 2010


I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without issue. SRX was running Junos 9.5r3. Performance wasn't great then.

We recently ran into another VPN performance issue on more recent code, 10.0r2. Avoid running IPSEC VPNs on the high-end SRX till Juniper resolves the issue unless you are planning to run with a single SPC. The fix will require an architectural change.

Problem description:
Low throughput is experienced on the Juniper high-end SRX line with systems that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the clear text session SPU are different. The problem exists because hash and SEQ bit values in the switch header are not accounted for properly when forwarding the packet to alternative SPUs.


Quoc

--- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:

> From: Fahad Khan <fahad.khan at gmail.com>
> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> To: juniper-nsp at puck.nether.net
> Date: Monday, August 2, 2010, 4:48 AM
> Hi folks,
> 
> I am seeing a very strange issue on SRX3600 when the traffic
> is flown through
> an IPSEC VPN tunnel (established with ISG2000), the tunnel
> gets up and the
> traffic flows properly, but suddenly traffic drops, while
> the tunnel remains
> up.
> 
> And it continues to flow after 15 to 20 time out but again
> it starts
> dropping. I am sure that there is no issue at physical
> layer.
> 
> Has anybody faced it yet??
> 
> Please reply ASAP.
> 
> Thanks in adv
> 
> regards
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 


