[j-nsp] Traffic drops on IPSEC - SRX3600

Amos Rosenboim amos at oasis-tech.net
Mon Aug 2 16:58:04 EDT 2010


As far as I know the code you are running is the recommended version by Juniper.
However it's important to mention that I have no experience with the high end SRX boxes.
The stuff mentioned below by Quoc sounds a little scary to me.

Amos


On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:

I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
upgrade junos?

regards,


Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:

I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
issue. SRX was running Junos 9.5r3. Performance wasn't great then.

We recently ran into another vpn performance issue on more recent code,
10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
the issue unless you are planning to run with a single SPC. The fix will
require an architectural change.

Problem description:
Low throughput is experienced on the Juniper high-end SRX line with systems
that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
clear text session SPU are different. The problem exists because hash and
SEQ bit values in the switch header are not accounted for properly when
forwarding the packet to alternative SPUs.


Quoc

--- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:

From: Fahad Khan <fahad.khan at gmail.com>
Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
To: juniper-nsp at puck.nether.net
Date: Monday, August 2, 2010, 4:48 AM
Hi folks,

I am seeing a very strange issue on SRX3600 when the traffic is flown
through an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up
and the traffic flows properly, but suddenly traffic drops, while the
tunnel remains up.

And it continues to flow after 15 to 20 time out but again it starts
dropping. I am sure that there is no issue at physical layer.

Has anybody faced it yet??

Please reply ASAP.

Thanks in adv

regards
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

