[j-nsp] What is an acceptable amount of latency for traffic routed through an SRX cluster?

Phil Mayers p.mayers at imperial.ac.uk
Mon Jan 9 18:48:26 EST 2012


On 01/09/2012 11:23 PM, Morgan McLean wrote:
> It's an SRX3600 cluster, with no traffic traversing the fabric connection,
> so it's all being contained on one chassis. These are just standard ICMP
> packets between two linux hosts on different subnets.

I assume you are using these as a firewall, not just as a "convenient" 
JunOS router?

What is the security topology? How many policies and of what type do you 
have? What's the background load in terms of bits/sec, packets/sec, 
session ramp rate, etc.? What are the interface speeds?

This is a complex question to answer in general. To give some 
comparative data, we have Netscreen 5400s with M2 10G cards, hundreds of 
policies, tens of thousands of address book entries, full BGP routing 
with ~1000 routing entries, and session counts of ~20k sessions, ramp 
rate ~15k/minute.

Through these firewalls, we incur an extra ~200usec on a ping round trip 
time.

So yes, I would say that going from 0.1msec (100usec) to 0.5msec 
(500usec) is about the right order for a fast gig/ten gig firewall with 
moderately complex config and load. Obviously the SRX 3600 and NS 5400 
are different beasts.

Frankly, if your demands are such that you can't tolerate 400usec of 
incurred latency, you possibly shouldn't be running it through a security 
device. What kind of "caching application" is this?

Are you sure the latency you're measuring with a ping is the same 
latency your application is incurring? Are you sure an ALG isn't 
activating for your traffic - perhaps try creating a policy to match the 
traffic and explicitly disable the "application" / ALG.

Cheers,
Phil
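As an added illustration of the last suggestion in the reply above (not taken from the post or from Juniper's documentation), a Junos fragment that defines a custom application with `application-protocol ignore`, so no ALG is attached to matching sessions, and a dedicated policy that matches the caching traffic before any broader rule. The zone names, address-book entries, the TCP port 11211 and the name of the existing broader policy are placeholders.

```junos
set applications application cache-tcp protocol tcp destination-port 11211 application-protocol ignore
set security policies from-zone trust to-zone untrust policy cache-no-alg match source-address cache-clients
set security policies from-zone trust to-zone untrust policy cache-no-alg match destination-address cache-servers
set security policies from-zone trust to-zone untrust policy cache-no-alg match application cache-tcp
set security policies from-zone trust to-zone untrust policy cache-no-alg then permit
insert security policies from-zone trust to-zone untrust policy cache-no-alg before policy EXISTING-BROADER-POLICY
```

After committing, `show security flow session` lets you confirm that new sessions for this traffic are created under `cache-no-alg` rather than the broader policy, and the ping-versus-application comparison can be repeated with the ALG out of the path.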