[j-nsp] Traffic drops on IPSEC - SRX3600

Quoc Hoang quochoang at yahoo.com
Tue Aug 3 10:02:25 EDT 2010


Not sure what encryption algorithm is being used, but we have noticed that AES (and perhaps others as well) on JunOS requires more overhead.

Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it 1400 which was our default on the netscreens). It resolved one of our performance issues.

Hope that helps.

quoc
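To make the MSS advice above concrete, here is an added example (not from the thread or from Juniper) that works out how large an ESP tunnel-mode packet becomes for a given TCP MSS, and the largest MSS that still fits a path MTU. It assumes IPv4 inside and outside with no options, a 20-byte TCP header, ESP framing per RFC 4303, and the common AES-CBC/HMAC-SHA1-96 and 3DES-CBC/HMAC-SHA1-96 overheads; the thread does not say which algorithms were in use, so those suites are assumptions, and the 1500-byte MTU is a constructed value.

```python
"""Estimate ESP tunnel-mode packet size for a given TCP MSS and derive the
largest MSS that fits a path MTU without fragmentation.

Added example with assumed parameters: IPv4 headers without options (20 B),
TCP header without options (20 B), ESP per RFC 4303, NAT-T UDP per RFC 3948.
"""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # NAT-T encapsulation, only if the peer is behind NAT


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # cipher block size; ESP pads the plaintext to this (min 4)
    iv: int      # IV bytes carried in front of the encrypted payload
    icv: int     # integrity check value appended after the trailer


# Assumed suites: block/IV/ICV sizes are the standard ones for these algorithms.
AES_CBC_SHA1 = EspSuite("aes-cbc/hmac-sha1-96", block=16, iv=16, icv=12)
DES3_CBC_SHA1 = EspSuite("3des-cbc/hmac-sha1-96", block=8, iv=8, icv=12)


def esp_tunnel_size(mss: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Size on the wire of a full-MSS TCP segment after ESP tunnel encapsulation."""
    inner = IPV4_HDR + TCP_HDR + mss          # the clear-text IP packet
    to_pad = inner + ESP_TRAILER              # trailer is inside the padded region
    align = max(suite.block, 4)               # RFC 4303: 4-byte minimum alignment
    pad = (-to_pad) % align
    size = IPV4_HDR + ESP_HDR + suite.iv + to_pad + pad + suite.icv
    if nat_t:
        size += UDP_HDR
    return size


def fits(mss: int, suite: EspSuite, mtu: int, nat_t: bool = False) -> bool:
    """True if the encapsulated segment needs no fragmentation on this path."""
    return esp_tunnel_size(mss, suite, nat_t) <= mtu


def max_mss(mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest MSS whose encapsulated segment still fits the path MTU."""
    mss = mtu - IPV4_HDR - TCP_HDR            # start from the unencrypted maximum
    while mss > 0 and not fits(mss, suite, mtu, nat_t):
        mss -= 1
    return mss


def report(mtu: int = 1500) -> None:
    """Print a comparison of the two MSS values mentioned in the thread."""
    for suite in (AES_CBC_SHA1, DES3_CBC_SHA1):
        for nat_t in (False, True):
            label = f"{suite.name}{' +nat-t' if nat_t else ''}"
            print(f"{label:32} max MSS for MTU {mtu}: {max_mss(mtu, suite, nat_t)}")
            for mss in (1400, 1350):
                size = esp_tunnel_size(mss, suite, nat_t)
                verdict = "ok" if size <= mtu else "FRAGMENTS"
                print(f"    mss {mss} -> {size} bytes on the wire ({verdict})")


if __name__ == "__main__":
    report()
```

Under these assumptions an MSS of 1400 with AES-CBC produces a 1512-byte ESP packet, 12 bytes over a 1500-byte MTU, so every full-size segment is fragmented or dropped; 1350 comes out at 1448 bytes and clears it with room for NAT-T. That lines up with the thread's observation that AES needs more headroom than the old NetScreen default. On an SRX the clamp is the `set security flow tcp-mss ipsec-vpn mss <value>` statement; checking `show security flow session` for fragmented or retransmitted traffic before and after the change is the quickest way to confirm it helped.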

--- On Tue, 8/3/10, Fahad Khan <fahad.khan at gmail.com> wrote:

> From: Fahad Khan <fahad.khan at gmail.com>
> Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
> To: "Jérôme Fleury" <jerome at fleury.net>
> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Date: Tuesday, August 3, 2010, 6:36 AM
> Hi Jerome,
> 
> When are you gonna try that?
> 
> Has anybody got the solution???
> 
> regards,
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
> 
> 
> On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jerome at fleury.net>
> wrote:
> 
> > Hi there,
> >
> > I think I'm experiencing the same issue here:
> >
> > SRX 3600 in cluster mode, running 10.1R2.8
> > 1 SPC / 1 NPC per chassis
> > VPN in policy based mode with a remote CheckPoint
> >
> > I can clearly see packet loss in the way SRX -> Checkpoint, resulting
> > in very poor performances in the tunnel
> >
> > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
> >
> > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.khan at gmail.com> wrote:
> > > Very scary!!!
> > >
> > > regards,
> > >
> > > Muhammad Fahad Khan
> > > JNCIP - M/T # 834
> > > IT Specialist
> > > Global Technology Services, IBM
> > > fahad at pk.ibm.com
> > > +92-301-8247638
> > > Skype: fahad-ibm
> > > http://pk.linkedin.com/in/muhammadfahadkhan
> > >
> > >
> > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
> > >
> > >> Hm, this sounds more than scary!
> > >>
> > >> Soon I will know if there is the same problem with 10.0R3.10 on 3600
> > >> cluster.
> > >>
> > >> So now I have good experience with router-based VPNs starting from
> > >> routing-instance. Policy-based are working also, but I found router-based
> > >> more scalable. But not with real traffic tested, until end of the week I
> > >> will let you know.
> > >>
> > >> Ivan,
> > >>
> > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:
> > >>
> > >>> As far as I know the code you are running is the recommended version by
> > >>> Juniper.
> > >>> However it's important to mention that I have no experience with the
> > >>> high end SRX boxes.
> > >>> The stuff mentioned below by quoc sounds a little scary to me.
> > >>>
> > >>> Amos
> > >>>
> > >>> Sent from my iPhone
> > >>>
> > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
> > >>>
> > >>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
> > >>> upgrade junos?
> > >>>
> > >>> regards,
> > >>>
> > >>>
> > >>> Muhammad Fahad Khan
> > >>> JNCIP - M/T # 834
> > >>> IT Specialist
> > >>> Global Technology Services, IBM
> > >>> fahad at pk.ibm.com
> > >>>
> > >>> +92-301-8247638
> > >>> Skype: fahad-ibm
> > >>> http://pk.linkedin.com/in/muhammadfahadkhan
> > >>>
> > >>>
> > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
> > >>>
> > >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
> > >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
> > >>>
> > >>> We recently ran into another vpn performance issue on more recent code,
> > >>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
> > >>> the issue unless you are planning to run with a single SPC. The fix will
> > >>> require an architectural change.
> > >>>
> > >>> Problem description:
> > >>> Low throughput is experienced on the Juniper high-end SRX line with systems
> > >>> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
> > >>> clear text session SPU are different. The problem exists because hash and
> > >>> SEQ bit values in the switch header are not accounted for properly when
> > >>> forwarding the packet to alternative SPUs.
> > >>>
> > >>>
> > >>> Quoc
> > >>>
> > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
> > >>>
> > >>> From: Fahad Khan <fahad.khan at gmail.com>
> > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
> > >>> To: juniper-nsp at puck.nether.net
> > >>> Date: Monday, August 2, 2010, 4:48 AM
> > >>> Hi folks,
> > >>>
> > >>> I am seeing a very strange issue on SRX3600 when the traffic flows through
> > >>> an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the
> > >>> traffic flows properly, but suddenly traffic drops, while the tunnel remains
> > >>> up.
> > >>>
> > >>> And it continues to flow after 15 to 20 time out but again it starts
> > >>> dropping. I am sure that there is no issue at physical layer.
> > >>>
> > >>> Has anybody faced it yet??
> > >>>
> > >>> Please reply ASAP.
> > >>>
> > >>> Thanks in adv
> > >>>
> > >>> regards
> > >>> Muhammad Fahad Khan
> > >>> JNCIP - M/T # 834
> > >>> IT Specialist
> > >>> Global Technology Services, IBM
> > >>> fahad at pk.ibm.com
> > >>>
> > >>> +92-301-8247638
> > >>> Skype: fahad-ibm
> > >>> http://pk.linkedin.com/in/muhammadfahadkhan
> > >>>
> > >>> _______________________________________________
> > >>> juniper-nsp mailing list
> > >>> juniper-nsp at puck.nether.net
> > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Best Regards!
> > >>
> > >> Ivan Ivanov
> > >>
> > >
> >
> 


