[j-nsp] SRX 3600 dropped packets - how to debug?

Phil Mayers p.mayers at imperial.ac.uk
Wed May 22 13:01:10 EDT 2013


We've got an SRX 3600 in for testing. It's a simple config - two 
interfaces, one in untrust and another in trust, and two permit-all 
policies. No app-firewall, screens or other oddness.

The device is logging a *lot* of dropped packets:

   Flow Statistics Summary:
     System total valid sessions: 111399
     Packets forwarded: 195797361
     Packets dropped: 6129373
     Fragment packets: 807440

...couple of seconds, and:

   Flow Statistics Summary:
     System total valid sessions: 112330
     Packets forwarded: 196037822
     Packets dropped: 6136348
     Fragment packets: 808420

i.e. about 500pps reported dropped. We are getting reports that this is 
affecting user connectivity on things like chat, gaming and audio/video.

Load is not high, as I understand the capabilities of this platform:

admin@srx-eval> show security monitoring fpc 7
FPC 7
   PIC 0
     CPU utilization          :    9 %
     Memory utilization       :   61 %
     Current flow session     : 24565
     Current flow session IPv4: 23506
     Current flow session IPv6: 1059
     Max flow session         : 409600
     Current CP session       : 129202
     Current CP session   IPv4: 123997
     Current CP session   IPv6: 5205
     Max CP session           : 2359296
Total Session Creation Per Second (for last 96 seconds on average): 1841
IPv4  Session Creation Per Second (for last 96 seconds on average): 1794
IPv6  Session Creation Per Second (for last 96 seconds on average):   47

admin@srx-eval> show security monitoring fpc 9
FPC 9
   PIC 0
     CPU utilization          :   15 %
     Memory utilization       :   57 %
     Current flow session     : 47410
     Current flow session IPv4: 45348
     Current flow session IPv6: 2062
     Max flow session         : 819200
     Current CP session       :    0
     Current CP session   IPv4:    0
     Current CP session   IPv6:    0
     Max CP session           :    0
Total Session Creation Per Second (for last 96 seconds on average): 1841
IPv4  Session Creation Per Second (for last 96 seconds on average): 1795
IPv6  Session Creation Per Second (for last 96 seconds on average):   46

admin@srx-eval> show security monitoring fpc 11
FPC 11
   PIC 0
     CPU utilization          :   14 %
     Memory utilization       :   57 %
     Current flow session     : 48149
     Current flow session IPv4: 46097
     Current flow session IPv6: 2052
     Max flow session         : 819200
     Current CP session       :    0
     Current CP session   IPv4:    0
     Current CP session   IPv6:    0
     Max CP session           :    0
Total Session Creation Per Second (for last 96 seconds on average): 1844
IPv4  Session Creation Per Second (for last 96 seconds on average): 1797
IPv6  Session Creation Per Second (for last 96 seconds on average):   46


How can I determine what the dropped packets are, and why they're being 
dropped?
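
Added example, not part of the original post: a small Python parser that turns the two "Flow Statistics Summary" snapshots quoted above into per-interval deltas and the dropped share of traffic. It assumes "Packets forwarded" and "Packets dropped" count disjoint packets; the `seconds` parameter is hypothetical, since the post gives no exact sampling interval.

```python
import re

# Constructed input: the two snapshots quoted in the post, concatenated.
SNAPSHOTS = """\
Flow Statistics Summary:
  System total valid sessions: 111399
  Packets forwarded: 195797361
  Packets dropped: 6129373
  Fragment packets: 807440
Flow Statistics Summary:
  System total valid sessions: 112330
  Packets forwarded: 196037822
  Packets dropped: 6136348
  Fragment packets: 808420
"""

COUNTERS = ("Packets forwarded", "Packets dropped", "Fragment packets")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")

def parse_snapshots(text):
    """Return one dict of counters per 'Flow Statistics Summary' block."""
    snaps = []
    for line in text.splitlines():
        if line.strip() == "Flow Statistics Summary:":
            snaps.append({})
            continue
        m = FIELD.match(line)
        if m and snaps:
            snaps[-1][m.group(1)] = int(m.group(2))
    return snaps

def interval_report(before, after, seconds=None):
    """Deltas between two snapshots and the dropped share of packets seen.

    Assumption: 'forwarded' and 'dropped' count disjoint packets.
    `seconds` is a hypothetical, caller-supplied sampling interval.
    """
    d = {k: after[k] - before[k] for k in COUNTERS}
    if any(v < 0 for v in d.values()):
        raise ValueError("counter went backwards: cleared or wrapped")
    seen = d["Packets forwarded"] + d["Packets dropped"]
    report = {
        "forwarded": d["Packets forwarded"],
        "dropped": d["Packets dropped"],
        "fragments": d["Fragment packets"],
        "drop_pct": round(100.0 * d["Packets dropped"] / seen, 2) if seen else 0.0,
    }
    if seconds:  # only report a rate when the caller measured the interval
        report["dropped_pps"] = round(report["dropped"] / seconds, 1)
    return report

if __name__ == "__main__":
    first, second = parse_snapshots(SNAPSHOTS)
    print(interval_report(first, second))
```

Recording a timestamp with each snapshot and passing the difference as `seconds` turns the dropped delta into a packets-per-second figure.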

