[j-nsp] Traffic drops on IPSEC - SRX3600

Jérôme Fleury jerome at fleury.net
Tue Aug 3 06:18:04 EDT 2010


Hi there,

I think I'm experiencing the same issue here:

SRX 3600 in cluster mode, running 10.1R2.8
1 SPC / 1 NPC per chassis
VPN in policy based mode with a remote CheckPoint

I can clearly see packet loss in the SRX -> Checkpoint direction, resulting
in very poor performance in the tunnel.

We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.

On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.khan at gmail.com> wrote:
> Very scary!!!
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
>
>> Hm, this sounds more than scary!
>>
>> Soon I will know if there is the same problem with 10.0R3.10 on a 3600
>> cluster.
>>
>> So far I have good experience with route-based VPNs starting from a
>> routing-instance. Policy-based ones are working also, but I found route-based
>> more scalable. Not tested with real traffic yet; by the end of the week I will
>> let you know.
>>
>> Ivan,
>>
>> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:
>>
>>> As far as I know the code you are running is the recommended version by
>>> Juniper.
>>> However it's important to mention that I have no experience with the high
>>> end SRX boxes.
>>> The stuff mentioned below by Quoc sounds a little scary to me.
>>>
>>> Amos
>>>
>>> Sent from my iPhone
>>>
>>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
>>>
>>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
>>> upgrade junos?
>>>
>>> regards,
>>>
>>>
>>> Muhammad Fahad Khan
>>> JNCIP - M/T # 834
>>> IT Specialist
>>> Global Technology Services, IBM
>>> fahad at pk.ibm.com
>>>
>>> +92-301-8247638
>>> Skype: fahad-ibm
>>> http://pk.linkedin.com/in/muhammadfahadkhan
>>>
>>>
>>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
>>>
>>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
>>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>>>
>>> We recently ran into another vpn performance issue on more recent code,
>>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
>>> the issue unless you are planning to run with a single SPC. The fix will
>>> require an architectural change.
>>>
>>> Problem description:
>>> Low throughput is experienced on the Juniper high-end SRX line with systems
>>> that have multiple SPCs. The issue occurs when the tunnel anchor SPU and the
>>> clear-text session SPU are different. The problem exists because the hash and
>>> SEQ bit values in the switch header are not accounted for properly when
>>> forwarding the packet to alternate SPUs.
>>>
>>>
>>> Quoc
>>>
>>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>>>
>>> From: Fahad Khan <fahad.khan at gmail.com>
>>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> To: juniper-nsp at puck.nether.net
>>> Date: Monday, August 2, 2010, 4:48 AM
>>>
>>> Hi folks,
>>>
>>> I am seeing a very strange issue on SRX3600 when traffic flows through
>>> an IPSEC VPN tunnel (established with an ISG2000): the tunnel comes up and
>>> traffic flows properly, but suddenly traffic drops, while the tunnel remains
>>> up.
>>>
>>> It continues to flow again after 15 to 20 timeouts, but then it starts
>>> dropping again. I am sure that there is no issue at the physical layer.
>>>
>>> Has anybody faced it yet??
>>>
>>> Please reply ASAP.
>>>
>>> Thanks in adv
>>>
>>> regards
>>> Muhammad Fahad Khan
>>> JNCIP - M/T # 834
>>> IT Specialist
>>> Global Technology Services, IBM
>>> fahad at pk.ibm.com
>>>
>>> +92-301-8247638
>>> Skype: fahad-ibm
>>> http://pk.linkedin.com/in/muhammadfahadkhan
>>> _______________________________________________
>>> juniper-nsp mailing list
>>> juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>>
>>>
>>
>>
>>
>> --
>> Best Regards!
>>
>> Ivan Ivanov
>>
>
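The symptom in this thread (SA stays up, traffic stalls intermittently) together with Quoc's diagnosis (loss depends on whether a flow's clear-text session SPU matches the tunnel anchor SPU) suggests probing the tunnel with several parallel flows and comparing loss per flow. The script below is an added example, not code from the thread, from Juniper or from any poster; it assumes probes are sent through the tunnel as parallel UDP flows with distinct source ports, numbered 1..SENT per flow, and that the far side logs each received probe as "sport=<port> seq=<n>" (a constructed format), and it treats flow-dependent loss as merely consistent with the multi-SPU issue, not as proof of it.

```python
# Added example (not from the thread or Juniper): per-flow loss analysis for an
# IPsec tunnel whose SA stays up while traffic intermittently stalls.
# Assumption (mine): probes go through the tunnel as parallel UDP flows with
# distinct source ports, seq 1..SENT per flow, and the far side logs each
# received probe as "sport=<port> seq=<n>" (constructed format).
import re
from collections import defaultdict

SENT = 100  # probes sent per flow
LINE = re.compile(r"sport=(\d+) seq=(\d+)")

def parse_received(log):
    """Map source port -> set of sequence numbers that made it through the tunnel."""
    got = defaultdict(set)
    for m in LINE.finditer(log):
        got[int(m.group(1))].add(int(m.group(2)))
    return got

def loss_windows(received, sent=SENT):
    """Contiguous runs of missing probes as (first_missing_seq, run_length)."""
    windows, start = [], None
    for seq in range(1, sent + 2):            # sent+1 acts as a closing sentinel
        missing = seq <= sent and seq not in received
        if missing and start is None:
            start = seq
        elif not missing and start is not None:
            windows.append((start, seq - start))
            start = None
    return windows

def classify(got, ports, sent=SENT, lossy=0.05):
    """'clean', 'uniform' (every flow lossy) or 'flow-dependent' (only some flows lossy).
    Flow-dependent loss is what the per-SPU anchoring problem quoted in the thread
    would produce; uniform loss points at the path or the peer instead (heuristic)."""
    loss = {p: 1 - len(got.get(p, set())) / sent for p in ports}
    lossy_flows = [p for p, l in loss.items() if l >= lossy]
    if not lossy_flows:
        return "clean", loss
    if len(lossy_flows) == len(ports):
        return "uniform", loss
    return "flow-dependent", loss

# Constructed far-side log: ports 40001 and 40003 are clean, 40002 misses
# seq 30-49 and 80-89, 40004 misses seq 10-14.
MISSING = {40001: set(), 40002: set(range(30, 50)) | set(range(80, 90)),
           40003: set(), 40004: set(range(10, 15))}
SAMPLE_LOG = "\n".join(f"sport={p} seq={s}" for p in MISSING
                       for s in range(1, SENT + 1) if s not in MISSING[p])

if __name__ == "__main__":
    got = parse_received(SAMPLE_LOG)
    verdict, loss = classify(got, sorted(MISSING))
    print(verdict, {p: f"{l:.0%}" for p, l in loss.items()})
    print("gaps on 40002:", loss_windows(got[40002]))
```

Run it against a real far-side capture by replacing SAMPLE_LOG with the logged lines; clean flows next to lossy ones is the pattern worth raising with JTAC, uniform loss is worth checking on the path first.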


