[j-nsp] Traffic drops on IPSEC - SRX3600

Fahad Khan fahad.khan at gmail.com
Tue Aug 3 03:38:38 EDT 2010


Very scary!!!

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:

> Hm, this sounds more than scary!
>
> Soon I will know if there is the same problem with 10.0R3.10 on 3600
> cluster.
>
> So now I have good experience with router-based VPNs starting from
> routing-instance. Policy-based are working also, but I found router-based
> more scalable. But not tested with real traffic; by the end of the week I will
> let you know.
>
> Ivan,
>
> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:
>
>> As far as I know the code you are running is the recommended version by
>> Juniper.
>> However it's important to mention that I have no experience with the high
>> end SRX boxes.
>> The stuff mentioned below by quoc sounds a little scary to me.
>>
>> Amos
>>
>> Sent from my iPhone
>>
>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
>>
>> I have 3 SPCs and 3 NPCs and am running Junos 10.0R3.10; do I need to
>> upgrade Junos?
>>
>> regards,
>>
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fahad at pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
>>
>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>>
>> We recently ran into another vpn performance issue on more recent code,
>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
>> the issue unless you are planning to run with a single SPC. The fix will
>> require an architectural change.
>>
>> Problem description:
>> Low throughput is experienced on the Juniper high-end SRX line with systems
>> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
>> clear text session SPU are different. The problem exists because hash and
>> SEQ bit values in the switch header are not accounted for properly when
>> forwarding the packet to alternative SPUs.
>>
>>
>> Quoc
>>
>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>>
>> From: Fahad Khan <fahad.khan at gmail.com>
>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>> To: juniper-nsp at puck.nether.net
>> Date: Monday, August 2, 2010, 4:48 AM
>>
>> Hi folks,
>>
>> I am seeing a very strange issue on SRX3600 when the traffic is flown through
>> an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the
>> traffic flows properly, but suddenly traffic drops, while the tunnel remains
>> up.
>>
>> And it continues to flow after 15 to 20 time out but again it starts
>> dropping. I am sure that there is no issue at physical layer.
>>
>> Has anybody faced it yet??
>>
>> Please reply ASAP.
>>
>> Thanks in advance
>>
>> regards
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fahad at pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>
>
>
> --
> Best Regards!
>
> Ivan Ivanov
>

