[j-nsp] Debugging mysterious packet loss on J2350 under stress

Jared Mauch jared at puck.nether.net
Sat Dec 29 15:55:01 EST 2012


Can still be ttl=1 there...

Jared Mauch

On Dec 29, 2012, at 3:49 PM, 叶雨飞 <sunyucong at gmail.com> wrote:

> No, it is just valid syn packets. A lot of them.
> 
> On Dec 29, 2012 12:23 PM, "Jared Mauch" <jared at puck.nether.net> wrote:
>> Was it all ttl expired traffic?
>> 
>> Jared Mauch
>> 
>> On Dec 29, 2012, at 3:18 PM, 叶雨飞 <sunyucong at gmail.com> wrote:
>> 
>> > Hi,
>> >
>> > I was woken up this morning to deal with a DDOS syn-flood situation, pps ~15k/s.
>> >
>> > Here's monitor interface traffic:
>> >
>> > Interface    Link  Input packets        (pps)     Output packets        (pps)
>> > ge-0/0/0      Up    11772104571      (24744)      11662868938     (161012)
>> > ge-0/0/3      Up     3405764281     (148559)       6036903599      (12097)
>> >
>> > traffic is routed from ge-0/0/3 to ge-0/0/0.   ge-0/0/3 is 100M link,
>> > which is not being used in full, ge-0/0/0 is 1G link:
>> >
>> > Interface    Link     Input bytes        (bps)      Output bytes        (bps)
>> > ge-0/0/0      Up   5190252823607   (65535424)     5285424390651   (94655872)
>> > ge-0/0/3      Up   1710426561796   (52511712)     2822734491891   (30575112)
>> >
>> > However, other packets are being dropped almost 100% on the ge-0/0/3 link,
>> > which I am trying to figure out why.  Link is not full, so it is not
>> > dropped by upstream.
>> >
>> > CPU is not full
>> >
>> >> show chassis routing-engine
>> >    CPU utilization:
>> >      User                       1 percent
>> >      Real-time threads         67 percent
>> >      Kernel                     0 percent
>> >      Idle                      32 percent
>> >
>> > Dropped counter is all 0 in
>> >> show interface queue ge-0/0/3
>> >
>> > I don't have any QOS configured, so it's all best-effort traffic.
>> >
>> > What else may be the reason? I am currently blaming the J2350 for dropping
>> > legitimate traffic under stress (due to observing that downstream all
>> > works fine) but I can't find any evidence of it.
>> >
>> > Your help is much appreciated.
>> >
>> > Thanks.
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp

