[j-nsp] Traffic drops on IPSEC - SRX3600

Fahad Khan fahad.khan at gmail.com
Mon Aug 2 16:38:23 EDT 2010 

I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
upgrade junos?

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:

> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>
> We recently ran into another vpn performance issue on more recent code,
> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
> the issue unless you are planning to run with a single SPC. The fix will
> require an architectural change.
>
> Problem description:
> Low throughput is experienced on the Juniper high-end SRX line with systems
> that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and the
> clear text session SPU are different. The problem exists because hash and
> SEQ bit values in the switch header are not accounted for properly when
> forwarding the packet to alternative SPU’s.
>
>
> Quoc
>
> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>
> > From: Fahad Khan <fahad.khan at gmail.com>
> > Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> > To: juniper-nsp at puck.nether.net
> > Date: Monday, August 2, 2010, 4:48 AM
> > Hi folks,
> >
> > I am seeing very strange issue on SRX3600 when the traffic
> > is flown through
> > an IPSEC VPN tunnel (established with ISG2000), the tunnel
> > gets up and the
> > traffic flows properly, but suddenly traffic drops, while
> > the tunnel remains
> > up.
> >
> > And it continues to flow after 15 to 20 time out but again
> > it starts
> > droping. I am sure that there is no issue at physical
> > layer.
> >
> > Has any body faced it yet??
> >
> > Please reply ASAP.
> >
> > Thanks in adv
> >
> > regards
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fahad at pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>

More information about the juniper-nsp mailing list