[j-nsp] Traffic drops on IPSEC - SRX3600

Fahad Khan fahad.khan at gmail.com
Tue Aug 3 12:51:06 EDT 2010


Note that this is an SRX3600 in a Chassis Cluster environment.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan <fahad.khan at gmail.com> wrote:

> The strange thing is that the drop is not related to the amount of
> traffic; it relates to the number of users (and hence, perhaps, to the
> number of sessions), since there was no drop when 4 or 5 users choked the
> link up to 90 MB, but when 100 to 150 users come into the building, with
> even 10 or 20 MB of traffic, the traffic starts dropping. This is still a
> mystery to Adv JTAC. We are still on Junos 10.0R3.10, as there are no
> recommendations from JTAC to upgrade Junos yet.
>
> Can anybody provide the solution?
>
> Thanks and regards,
>
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> 2010/8/3 Quoc Hoang <quochoang at yahoo.com>
>
>> Not sure what encryption algorithm is being used, but we have noticed that
>> AES (and perhaps others as well) on JunOS requires more overhead.
>>
>> Check your IPsec MSS. JTAC has recommended an MSS of 1350 (previously we had
>> it at 1400, which was our default on the NetScreens). It resolved one of our
>> performance issues.
>>
>> Hope that helps.
>>
>> quoc
>>
>> --- On Tue, 8/3/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>>
>> > From: Fahad Khan <fahad.khan at gmail.com>
>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>> > To: "Jérôme Fleury" <jerome at fleury.net>
>> > Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>> > Date: Tuesday, August 3, 2010, 6:36 AM
>> > Hi Jerome,
>> >
>> > When are you going to try that?
>> >
>> > Has anybody got the solution?
>> >
>> > regards,
>> > Muhammad Fahad Khan
>> > JNCIP - M/T # 834
>> > IT Specialist
>> > Global Technology Services, IBM
>> > fahad at pk.ibm.com
>> > +92-301-8247638
>> > Skype: fahad-ibm
>> > http://pk.linkedin.com/in/muhammadfahadkhan
>> >
>> >
>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jerome at fleury.net>
>> > wrote:
>> >
>> > > Hi there,
>> > >
>> > > I think I'm experiencing the same issue here:
>> > >
>> > > SRX 3600 in cluster mode, running 10.1R2.8
>> > > 1 SPC / 1 NPC per chassis
>> > > VPN in policy based mode with a remote CheckPoint
>> > >
>> > > I can clearly see packet loss in the direction SRX -> CheckPoint,
>> > > resulting in very poor performance in the tunnel.
>> > >
>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>> > >
>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.khan at gmail.com>
>> > wrote:
>> > > > Very scary!!!
>> > > >
>> > > > regards,
>> > > >
>> > > > Muhammad Fahad Khan
>> > > > JNCIP - M/T # 834
>> > > > IT Specialist
>> > > > Global Technology Services, IBM
>> > > > fahad at pk.ibm.com
>> > > > +92-301-8247638
>> > > > Skype: fahad-ibm
>> > > > http://pk.linkedin.com/in/muhammadfahadkhan
>> > > >
>> > > >
>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov
>> > <ivanov.ivan at gmail.com>
>> > > wrote:
>> > > >
>> > > >> Hm, this sounds more than scary!
>> > > >>
>> > > >> Soon I will know if there is the same problem with 10.0R3.10 on a 3600
>> > > >> cluster.
>> > > >>
>> > > >> So far I have good experience with route-based VPNs starting from a
>> > > >> routing-instance. Policy-based ones are working also, but I found
>> > > >> route-based more scalable. But it is not tested with real traffic yet;
>> > > >> by the end of the week I will let you know.
>> > > >>
>> > > >> Ivan,
>> > > >>
>> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim
>> > <amos at oasis-tech.net>
>> > > wrote:
>> > > >>
>> > > >>> As far as I know the code you are running is the recommended version
>> > > >>> by Juniper.
>> > > >>> However, it's important to mention that I have no experience with the
>> > > >>> high end SRX boxes.
>> > > >>> The stuff mentioned below by quoc sounds a little scary to me.
>> > > >>>
>> > > >>> Amos
>> > > >>>
>> > > >>> Sent from my iPhone
>> > > >>>
>> > > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
>> > > >>>
>> > > >>> I have 3 SPCs and 3 NPCs and am running Junos 10.0R3.10. Do I need to
>> > > >>> upgrade Junos?
>> > > >>>
>> > > >>> regards,
>> > > >>>
>> > > >>>
>> > > >>> Muhammad Fahad Khan
>> > > >>> JNCIP - M/T # 834
>> > > >>> IT Specialist
>> > > >>> Global Technology Services, IBM
>> > > >>> fahad at pk.ibm.com
>> > > >>> +92-301-8247638
>> > > >>> Skype: fahad-ibm
>> > > >>> http://pk.linkedin.com/in/muhammadfahadkhan
>> > > >>>
>> > > >>>
>> > > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
>> > > >>>
>> > > >>> I've deployed IPsec VPNs between a pair of SRX3600s and an NS5400
>> > > >>> without issue. The SRX was running Junos 9.5r3. Performance wasn't
>> > > >>> great then.
>> > > >>>
>> > > >>> We recently ran into another VPN performance issue on more recent
>> > > >>> code, 10.0r2. Avoid running IPsec VPNs on the high end SRX till Juniper
>> > > >>> resolves the issue, unless you are planning to run with a single SPC.
>> > > >>> The fix will require an architectural change.
>> > > >>>
>> > > >>> Problem description:
>> > > >>> Low throughput is experienced on the Juniper high-end SRX line with
>> > > >>> systems that have multiple SPCs. The issue occurs when the tunnel
>> > > >>> anchor SPU and the clear text session SPU are different. The problem
>> > > >>> exists because hash and SEQ bit values in the switch header are not
>> > > >>> accounted for properly when forwarding the packet to alternative SPUs.
>> > > >>>
>> > > >>>
>> > > >>> Quoc
>> > > >>>
>> > > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>> > > >>>
>> > > >>> From: Fahad Khan <fahad.khan at gmail.com>
>> > > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>> > > >>> To: juniper-nsp at puck.nether.net
>> > > >>> Date: Monday, August 2, 2010, 4:48 AM
>> > > >>> Hi folks,
>> > > >>>
>> > > >>> I am seeing a very strange issue on an SRX3600 when traffic flows
>> > > >>> through an IPsec VPN tunnel (established with an ISG2000): the tunnel
>> > > >>> comes up and the traffic flows properly, but suddenly the traffic
>> > > >>> drops, while the tunnel remains up.
>> > > >>>
>> > > >>> And it continues to flow after 15 to 20 time-outs, but again it starts
>> > > >>> dropping. I am sure that there is no issue at the physical layer.
>> > > >>>
>> > > >>> Has anybody faced this yet?
>> > > >>>
>> > > >>> Please reply ASAP.
>> > > >>>
>> > > >>> Thanks in adv
>> > > >>>
>> > > >>> regards
>> > > >>> Muhammad Fahad Khan
>> > > >>> JNCIP - M/T # 834
>> > > >>> IT Specialist
>> > > >>> Global Technology Services, IBM
>> > > >>> fahad at pk.ibm.com
>> > > >>> +92-301-8247638
>> > > >>> Skype: fahad-ibm
>> > > >>> http://pk.linkedin.com/in/muhammadfahadkhan
>> > > >>>
>> > _______________________________________________
>> > > >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> > > >>
>> > > >>
>> > > >>
>> > > >> --
>> > > >> Best Regards!
>> > > >>
>> > > >> Ivan Ivanov
>> > > >>
>> > > >
>> > >
>> >
>>
>
>
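Quoc's advice above (MSS 1350 instead of the NetScreen-era default of 1400, with the remark that AES "requires more overhead") can be checked arithmetically. The script below is an added example, not code from anyone in this thread or from Juniper. It assumes IPv4, ESP in tunnel mode, a 1500-byte path MTU, TCP without options, and the standard sizes for the outer IP header, ESP header, CBC IV, ESP padding and trailer, and truncated HMAC ICV for AES-CBC, 3DES-CBC, HMAC-SHA1-96 and HMAC-SHA256-128 (NAT-T UDP encapsulation only when requested). It also generalizes past the two values in the thread by computing the largest MSS that avoids fragmentation for any cipher, integrity algorithm and MTU combination.

```python
"""ESP tunnel-mode overhead and TCP MSS clamping calculator.

Added example (not from the thread or from Juniper). Assumes IPv4 outer and
inner headers, ESP tunnel mode, no TCP options, and the header/IV/ICV sizes
given below. Constructed inputs only; nothing here talks to a device.
"""

# Cipher block size and IV length (bytes). CBC padding must bring
# (inner packet + 2-byte ESP trailer) to a multiple of the block size.
CIPHERS = {
    "aes-cbc": {"iv": 16, "block": 16},
    "3des-cbc": {"iv": 8, "block": 8},
}

# ICV length (bytes) for truncated HMACs commonly negotiated in IKE.
AUTHS = {
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
}

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
UDP_NATT = 8       # UDP header when NAT traversal is in use
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
INNER_IP_TCP = 40  # inner IPv4 header (20) + TCP header (20), no options


def esp_tunnel_packet_size(mss, cipher="aes-cbc", auth="hmac-sha1-96",
                           nat_t=False):
    """Size on the wire of one full-MSS TCP segment after ESP encapsulation."""
    c = CIPHERS[cipher]
    inner = INNER_IP_TCP + mss
    # Pad so that (inner + trailer) is a whole number of cipher blocks.
    pad = (c["block"] - (inner + ESP_TRAILER) % c["block"]) % c["block"]
    size = (OUTER_IP + ESP_HDR + c["iv"] + inner + pad + ESP_TRAILER
            + AUTHS[auth])
    if nat_t:
        size += UDP_NATT
    return size


def fits_mtu(mss, mtu=1500, cipher="aes-cbc", auth="hmac-sha1-96",
             nat_t=False):
    """True if a full-MSS segment leaves the tunnel without fragmentation."""
    return esp_tunnel_packet_size(mss, cipher, auth, nat_t) <= mtu


def max_tcp_mss(mtu=1500, cipher="aes-cbc", auth="hmac-sha1-96",
                nat_t=False):
    """Largest MSS whose encapsulated packet still fits the path MTU.

    Packet size is non-decreasing in the MSS but grows in block-sized steps
    because of CBC padding, so walk down from the plaintext-path maximum
    rather than trusting a closed-form subtraction.
    """
    mss = mtu - INNER_IP_TCP
    while not fits_mtu(mss, mtu, cipher, auth, nat_t):
        mss -= 1
    return mss


def overhead_table(mtu=1500, candidates=(1460, 1400, 1350)):
    """Rows of (cipher, auth, nat_t, mss, wire_size, fits) for comparison."""
    rows = []
    for cipher in CIPHERS:
        for auth in AUTHS:
            for nat_t in (False, True):
                for mss in candidates:
                    size = esp_tunnel_packet_size(mss, cipher, auth, nat_t)
                    rows.append((cipher, auth, nat_t, mss, size, size <= mtu))
    return rows


if __name__ == "__main__":
    for cipher, auth, nat_t, mss, size, ok in overhead_table():
        print(f"{cipher:9s} {auth:16s} nat-t={str(nat_t):5s} "
              f"mss={mss} wire={size} {'ok' if ok else 'FRAGMENTS'}")
    print("max MSS, AES-CBC/SHA1, MTU 1500:", max_tcp_mss())
    print("max MSS, 3DES-CBC/SHA1, MTU 1500:", max_tcp_mss(cipher="3des-cbc"))
```

With AES-CBC and HMAC-SHA1-96, an MSS of 1400 produces a 1512-byte outer packet: the 1440-byte inner packet needs 14 bytes of CBC padding to reach a 16-byte boundary, and the result exceeds a 1500-byte MTU by 12 bytes, so every full-size segment is fragmented (or dropped if DF is honoured), while the same MSS under 3DES-CBC comes out at 1496 bytes and fits. The largest safe MSS for AES-CBC/SHA1 on a clean 1500-byte path is 1398, and 1382 with NAT-T, so 1350 leaves a margin for PPPoE or other encapsulation on the path. On the SRX the corresponding knob is `set security flow tcp-mss ipsec-vpn mss 1350`, which rewrites the MSS option in SYNs crossing the tunnel. Note that this only addresses fragmentation; it does not touch the multi-SPC tunnel-anchor issue Quoc describes separately, whose symptoms scale with session count rather than packet size.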

