[j-nsp] Traffic drops on IPSEC - SRX3600

Fahad Khan fahad.khan at gmail.com
Tue Aug 3 09:36:25 EDT 2010


Hi Jerome,

When are you gonna try that?

Has anybody got the solution???

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jerome at fleury.net> wrote:

> Hi there,
>
> I think I'm experiencing the same issue here:
>
> SRX 3600 in cluster mode, running 10.1R2.8
> 1 SPC / 1 NPC per chassis
> VPN in policy based mode with a remote CheckPoint
>
> I can clearly see packet loss in the SRX -> Checkpoint direction, resulting
> in very poor performance in the tunnel
>
> We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>
> On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.khan at gmail.com> wrote:
> > Very scary!!!
> >
> > regards,
> >
> > Muhammad Fahad Khan
> > JNCIP - M/T # 834
> > IT Specialist
> > Global Technology Services, IBM
> > fahad at pk.ibm.com
> > +92-301-8247638
> > Skype: fahad-ibm
> > http://pk.linkedin.com/in/muhammadfahadkhan
> >
> >
> > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
> >
> >> Hm, this sounds more than scary!
> >>
> >> Soon I will know if there is the same problem with 10.0R3.10 on 3600
> >> cluster.
> >>
> >> So now I have good experience with router-based VPNs starting from
> >> routing-instance. Policy-based are working also, but I found router-based
> >> more scalable. But not tested with real traffic yet; by the end of the week I
> >> will let you know.
> >>
> >> Ivan,
> >>
> >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:
> >>
> >>> As far as I know the code you are running is the recommended version by
> >>> Juniper.
> >>> However it's important to mention that I have no experience with the high
> >>> end SRX boxes.
> >>> The stuff mentioned below by Quoc sounds a little scary to me.
> >>>
> >>> Amos
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
> >>>
> >>> I have 3 SPCs and 3 NPCs and am running Junos 10.0R3.10. Do I need to
> >>> upgrade Junos?
> >>>
> >>> regards,
> >>>
> >>>
> >>> Muhammad Fahad Khan
> >>> JNCIP - M/T # 834
> >>> IT Specialist
> >>> Global Technology Services, IBM
> >>> fahad at pk.ibm.com
> >>>
> >>> +92-301-8247638
> >>> Skype: fahad-ibm
> >>> http://pk.linkedin.com/in/muhammadfahadkhan
> >>>
> >>>
> >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
> >>>
> >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
> >>>
> >>> We recently ran into another VPN performance issue on more recent code,
> >>> 10.0r2. Avoid running IPSEC VPNs on the high end SRX till Juniper resolves
> >>> the issue unless you are planning to run with a single SPC. The fix will
> >>> require an architectural change.
> >>>
> >>> Problem description:
> >>> Low throughput is experienced on the Juniper high-end SRX line with systems
> >>> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
> >>> clear text session SPU are different. The problem exists because hash and
> >>> SEQ bit values in the switch header are not accounted for properly when
> >>> forwarding the packet to alternative SPUs.
> >>>
> >>>
> >>> Quoc
> >>>
> >>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
> >>>
> >>> From: Fahad Khan <fahad.khan at gmail.com>
> >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> >>> To: juniper-nsp at puck.nether.net
> >>> Date: Monday, August 2, 2010, 4:48 AM
> >>> Hi folks,
> >>>
> >>> I am seeing a very strange issue on SRX3600 when the traffic flows through
> >>> an IPSEC VPN tunnel (established with ISG2000): the tunnel comes up and the
> >>> traffic flows properly, but suddenly traffic drops, while the tunnel remains
> >>> up.
> >>>
> >>> And it continues to flow after 15 to 20 time out but again it starts
> >>> dropping. I am sure that there is no issue at the physical layer.
> >>>
> >>> Has anybody faced it yet??
> >>>
> >>> Please reply ASAP.
> >>>
> >>> Thanks in adv
> >>>
> >>> regards
> >>> Muhammad Fahad Khan
> >>> JNCIP - M/T # 834
> >>> IT Specialist
> >>> Global Technology Services, IBM
> >>> fahad at pk.ibm.com
> >>>
> >>> +92-301-8247638
> >>> Skype: fahad-ibm
> >>> http://pk.linkedin.com/in/muhammadfahadkhan
> >>> _______________________________________________
> >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>
> >>
> >>
> >>
> >> --
> >> Best Regards!
> >>
> >> Ivan Ivanov
> >>
> >
>

