[j-nsp] SRX 3600 dropped packets - how to debug?

Wood, Peter (ISS) p.wood at lancaster.ac.uk
Fri May 24 06:33:09 EDT 2013


Hey Phil,

A friendly hello from Lancaster Uni, also using SRX 3600s.

Can you reproduce the loss? Or alternatively know source/destination ranges of likely connections? A user it's more likely to affect or can demonstrate it reliably?

As pretty much unless this is a policy that's doing it (if you have "then deny", then get a "then count" on all those rules too, but it sounds like packet loss rather than session creation rejection/failure/timeout), you're gonna be stuck doing a datapath debug.

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-41983.html

If you're shifting anywhere like the amount of traffic we are, you aren't going to want to set up a filter for 0/0 to 0/0. Something I've had to explain to JTAC on numerous occasions (something along the lines of "You want me to enable full flow debugging on three SPCs collectively pushing 8Gbps!?!").

Also, are you using anything like AppTrack and AppFW/AppQoS/AppDoS?

I've unfortunately had a fair amount of experience with datapath debugs, so feel free to give me a shout off list.

Cheers,

Peter.
-- 
Peter Wood
Network Security Specialist
Information Systems Services
Lancaster University

Email: p.wood at lancaster.ac.uk


