[j-nsp] Traffic drops on IPSEC - SRX3600

Fahad Khan fahad.khan at gmail.com
Wed Aug 4 08:44:38 EDT 2010


Guys,
The issue was related to anti-replay errors that were causing packet
decryption to stop.

When we disable the anti-replay service, the VPN starts passing traffic without
any issues.

Thanks to all of you

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan
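As an added illustration (not code from the thread, from Juniper, or from any poster): a Python model of the ESP anti-replay sliding window (RFC 4303, section 3.4.3). It shows how a packet that arrives out of order beyond the window is refused even though the SA and tunnel are healthy, which is the drop pattern the thread attributes to anti-replay errors, and what disabling the check trades away (replayed sequence numbers are then accepted). The window size of 64 and the arrival orders are constructed assumptions.

```python
# Added example (not from the thread): a model of the ESP anti-replay sliding
# window (RFC 4303, section 3.4.3) showing why reordered packets alone can make
# the receiver drop traffic while the tunnel itself stays up.

class AntiReplayWindow:
    """Sliding bitmap window over ESP sequence numbers, as kept per SA."""

    def __init__(self, size=64):          # 64 is the RFC 4303 minimum default
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0                      # highest sequence number accepted
        self.bitmap = 0                   # bit i set => seq (top - i) was seen

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old' for one received packet."""
        if seq > self.top:                # advances the window to the right
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1              # bit 0 now stands for seq itself
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge of the window
            return "too_old"
        if self.bitmap & (1 << offset):   # already seen: a replay
            return "replay"
        self.bitmap |= 1 << offset        # late but still inside the window
        return "accept"


def verdicts(arrival_order, size=64):
    """Feed a delivery order through a fresh window; return (seq, verdict) pairs."""
    w = AntiReplayWindow(size)
    return [(s, w.check(s)) for s in arrival_order]


def dropped(arrival_order, size=64, anti_replay=True):
    """Count packets the receiver would refuse to decrypt in this order."""
    if not anti_replay:                   # anti-replay off: everything decrypts
        return 0
    return sum(1 for _, v in verdicts(arrival_order, size) if v != "accept")


# Constructed arrival orders: mild reordering (e.g. two SPUs finishing out of
# step) stays inside the window; a packet stalled behind 95 others does not.
MILD = [1, 2, 4, 3, 6, 5, 7]
STALLED = [s for s in range(1, 101) if s != 5] + [5]

if __name__ == "__main__":
    print("mild reorder drops:", dropped(MILD))                          # 0
    print("stalled packet drops:", dropped(STALLED))                     # 1
    print("same, anti-replay off:", dropped(STALLED, anti_replay=False)) # 0
```

A "too_old" verdict is the drop the thread saw; turning the check off removes those drops but also the protection against replayed ESP packets, so where reordering is the cause, a larger replay window is the narrower remedy.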


On Tue, Aug 3, 2010 at 9:51 PM, Fahad Khan <fahad.khan at gmail.com> wrote:

> Mind it, this is SRX3600 in Chassis Cluster environment.
>
>
> regards,
>
> Muhammad Fahad Khan
> JNCIP - M/T # 834
> IT Specialist
> Global Technology Services, IBM
> fahad at pk.ibm.com
> +92-301-8247638
> Skype: fahad-ibm
> http://pk.linkedin.com/in/muhammadfahadkhan
>
>
> On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan <fahad.khan at gmail.com> wrote:
>
>> The strange issue is that the drop is not related to the amount of
>> traffic; it relates to the number of users (hence with the number of
>> sessions, perhaps), since there was no drop when 4 or 5 users choked the link
>> up to 90 MB, but when 100 to 150 users come into the building with even
>> 10 or 20 MB of traffic, the traffic starts dropping. Still out of mind from
>> Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations
>> from JTAC to upgrade the Junos yet.
>>
>> Can anybody provide the solution??
>>
>> Thanks and regards,
>>
>>
>> Muhammad Fahad Khan
>> JNCIP - M/T # 834
>> IT Specialist
>> Global Technology Services, IBM
>> fahad at pk.ibm.com
>> +92-301-8247638
>> Skype: fahad-ibm
>> http://pk.linkedin.com/in/muhammadfahadkhan
>>
>>
>> 2010/8/3 Quoc Hoang <quochoang at yahoo.com>
>>
>>> Not sure what encryption algorithm is being used, but we have noticed that AES
>>> (and perhaps others as well) on JunOS requires more overhead.
>>>
>>> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it at
>>> 1400, which was our default on the netscreens). It resolved one of our
>>> performance issues.
>>>
>>> Hope that helps.
>>>
>>> quoc
>>>
>>> --- On Tue, 8/3/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>>>
>>> > From: Fahad Khan <fahad.khan at gmail.com>
>>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> > To: "Jérôme Fleury" <jerome at fleury.net>
>>> > Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>>> > Date: Tuesday, August 3, 2010, 6:36 AM
>>> > Hi Jerome,
>>> >
>>> > When are u gonna try that?
>>> >
>>> > Has anybody got the solution???
>>> >
>>> > regards,
>>> > Muhammad Fahad Khan
>>> > JNCIP - M/T # 834
>>> > IT Specialist
>>> > Global Technology Services, IBM
>>> > fahad at pk.ibm.com
>>> > +92-301-8247638
>>> > Skype: fahad-ibm
>>> > http://pk.linkedin.com/in/muhammadfahadkhan
>>> >
>>> >
>>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jerome at fleury.net>
>>> > wrote:
>>> >
>>> > > Hi there,
>>> > >
>>> > > I think I'm experiencing the same issue here:
>>> > >
>>> > > SRX 3600 in cluster mode, running 10.1R2.8
>>> > > 1 SPC / 1 NPC per chassis
>>> > > VPN in policy based mode with a remote CheckPoint
>>> > >
>>> > > I can clearly see packet loss in the way SRX -> Checkpoint, resulting
>>> > > in very poor performance in the tunnel.
>>> > >
>>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>>> > >
>>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.khan at gmail.com> wrote:
>>> > > > Very scary!!!
>>> > > >
>>> > > > regards,
>>> > > >
>>> > > > Muhammad Fahad Khan
>>> > > > JNCIP - M/T # 834
>>> > > > IT Specialist
>>> > > > Global Technology Services, IBM
>>> > > > fahad at pk.ibm.com
>>> > > > +92-301-8247638
>>> > > > Skype: fahad-ibm
>>> > > > http://pk.linkedin.com/in/muhammadfahadkhan
>>> > > >
>>> > > >
>>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
>>> > > >
>>> > > >> Hm, this sounds more than scary!
>>> > > >>
>>> > > >> Soon I will know if there is the same problem with 10.0R3.10 on a 3600
>>> > > >> cluster.
>>> > > >>
>>> > > >> So now I have good experience with router-based VPNs starting from a
>>> > > >> routing-instance. Policy-based are working also, but I found router-based
>>> > > >> more scalable. But not tested with real traffic yet; until the end of the
>>> > > >> week I will let you know.
>>> > > >>
>>> > > >> Ivan,
>>> > > >>
>>> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <amos at oasis-tech.net> wrote:
>>> > > >>
>>> > > >>> As far as I know the code you are running is the recommended version by
>>> > > >>> Juniper.
>>> > > >>> However it's important to mention that I have no experience with the high
>>> > > >>> end SRX boxes.
>>> > > >>> The stuff mentioned below by quoc sounds a little scary to me.
>>> > > >>>
>>> > > >>> Amos
>>> > > >>>
>>> > > >>> Sent from my iPhone
>>> > > >>>
>>> > > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.khan at gmail.com> wrote:
>>> > > >>>
>>> > > >>> I have 3 SPCs and 3 NPCs and am running Junos 10.0R3.10; do I need to
>>> > > >>> upgrade Junos?
>>> > > >>>
>>> > > >>> regards,
>>> > > >>>
>>> > > >>>
>>> > > >>> Muhammad Fahad Khan
>>> > > >>> JNCIP - M/T # 834
>>> > > >>> IT Specialist
>>> > > >>> Global Technology Services, IBM
>>> > > >>> fahad at pk.ibm.com
>>> > > >>> +92-301-8247638
>>> > > >>> Skype: fahad-ibm
>>> > > >>> http://pk.linkedin.com/in/muhammadfahadkhan
>>> > > >>>
>>> > > >>>
>>> > > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quochoang at yahoo.com> wrote:
>>> > > >>>
>>> > > >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
>>> > > >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>>> > > >>>
>>> > > >>> We recently ran into another vpn performance issue on more recent code,
>>> > > >>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
>>> > > >>> the issue unless you are planning to run with a single SPC. The fix will
>>> > > >>> require an architectural change.
>>> > > >>>
>>> > > >>> Problem description:
>>> > > >>> Low throughput is experienced on the Juniper high-end SRX line with systems
>>> > > >>> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
>>> > > >>> clear text session SPU are different. The problem exists because hash and
>>> > > >>> SEQ bit values in the switch header are not accounted for properly when
>>> > > >>> forwarding the packet to alternative SPUs.
>>> > > >>>
>>> > > >>>
>>> > > >>> Quoc
>>> > > >>>
>>> > > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.khan at gmail.com> wrote:
>>> > > >>>
>>> > > >>> From: Fahad Khan <fahad.khan at gmail.com>
>>> > > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> > > >>> To: juniper-nsp at puck.nether.net
>>> > > >>> Date: Monday, August 2, 2010, 4:48 AM
>>> > > >>> Hi folks,
>>> > > >>>
>>> > > >>> I am seeing a very strange issue on SRX3600 when the traffic is flowing
>>> > > >>> through an IPSEC VPN tunnel (established with ISG2000): the tunnel comes
>>> > > >>> up and the traffic flows properly, but suddenly traffic drops, while the
>>> > > >>> tunnel remains up.
>>> > > >>>
>>> > > >>> And it continues to flow after 15 to 20 time out but again it starts
>>> > > >>> dropping. I am sure that there is no issue at the physical layer.
>>> > > >>>
>>> > > >>> Has anybody faced it yet??
>>> > > >>>
>>> > > >>> Please reply ASAP.
>>> > > >>>
>>> > > >>> Thanks in adv
>>> > > >>>
>>> > > >>> regards
>>> > > >>> Muhammad Fahad Khan
>>> > > >>> JNCIP - M/T # 834
>>> > > >>> IT Specialist
>>> > > >>> Global Technology Services, IBM
>>> > > >>> fahad at pk.ibm.com
>>> > > >>> +92-301-8247638
>>> > > >>> Skype: fahad-ibm
>>> > > >>> http://pk.linkedin.com/in/muhammadfahadkhan
>>> > > >>>
>>> > > >>> _______________________________________________
>>> > > >>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> > > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> > > >>>
>>> > > >>>
>>> > > >>
>>> > > >>
>>> > > >>
>>> > > >> --
>>> > > >> Best Regards!
>>> > > >>
>>> > > >> Ivan Ivanov
>>> > > >>
>>> > > >
>>> > >
>>> >
>>>
>>
>>
>

