[j-nsp] Traffic drops on IPSEC - SRX3600

Ivan Ivanov ivanov.ivan at gmail.com
Tue Aug 3 00:35:57 EDT 2010


Hm, this sounds more than scary!

Soon I will know if there is the same problem with 10.0R3.10 on a 3600 cluster.

So now I have good experience with router-based VPNs starting from
routing-instance. Policy-based are working also, but I found router-based
more scalable. But not tested with real traffic; by the end of the week I will
let you know.

Ivan,

On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:

> As far as I know the code you are running is the recommended version by
> Juniper.
> However it's important to mention that I have no experience with the high
> end SRX boxes.
> The stuff mentioned below by quoc sounds a little scary to me.
>
> Amos
>
> Sent from my iPhone
>
> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
>
> I have 3 SPCs and 3 NPCs and am running Junos 10.0R3.10; do I need to
> upgrade Junos?
>
> regards,
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
>
> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>
> We recently ran into another vpn performance issue on more recent code,
> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
> the issue unless you are planning to run with a single SPC. The fix will
> require an architectural change.
>
> Problem description:
> Low throughput is experienced on the Juniper high-end SRX line with systems
> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
> clear text session SPU are different. The problem exists because hash and
> SEQ bit values in the switch header are not accounted for properly when
> forwarding the packet to alternative SPUs.
>
>
> Quoc
>
> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>
> From: Fahad Khan <fahad.khan at gmail.com>
> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> To: juniper-nsp at puck.nether.net
> Date: Monday, August 2, 2010, 4:48 AM
> Hi folks,
>
> I am seeing a very strange issue on SRX3600 when the traffic flows through
> an IPSEC VPN tunnel (established with ISG2000), the tunnel comes up and the
> traffic flows properly, but suddenly traffic drops, while the tunnel remains
> up.
>
> And it continues to flow after 15 to 20 time out but again it starts
> dropping. I am sure that there is no issue at physical layer.
>
> Has anybody faced it yet??
>
> Please reply ASAP.
>
> Thanks in adv
>
> regards
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>



-- 
Best Regards!

Ivan Ivanov

