[j-nsp] SRX 3600 dropped packets - how to debug?
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 27 06:04:34 EDT 2013
On 27/05/2013 10:44, Phil Mayers wrote:
> On 05/27/2013 10:41 AM, Pavel Lunin wrote:
>>
>>
>> 22.05.2013 21:01, Phil Mayers wrote:
>>> How can I determine what the dropped packets are, and why they're
>>> being dropped?
>>
>> "show interfaces extensive" and check out "Flow error statistics
>> (Packets dropped due to):"
>
> Nothing in there corresponding to the numbers/rates I'm seeing on the
> "show security flow statistics"
>
>> Another place to look at: "show security screen statistics zone/iface."
>
> As I believe I said, the screens are all disabled.
>
By way of elaboration:
admin at srx-eval> show security flow statistics | match dropped | refresh 2
---(refreshed at 2013-05-27 11:01:03 BST)---
Packets dropped: 72232499
Packets dropped: 142788174
Packets dropped: 145382728
Packets dropped: 360403401
---(refreshed at 2013-05-27 11:01:05 BST)---
Packets dropped: 72232835
Packets dropped: 142788815
Packets dropped: 145385883
Packets dropped: 360407533
---(*more 100%)---[abort]
Note the "total" packets dropped (4th item) claims to be climbing at
~1500pps, on the above sample. At the same time "sh int extensive" for
the relevant interfaces says:
Flow Input statistics :
Self packets : 50680
ICMP packets : 2950329
VPN packets : 0
Multicast packets : 1228
Bytes permitted by policy : 13201459013373
Connections established : 8925850
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 3161441830843
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 18570
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
...over the *entire* lifetime of the box. So, pretty clearly not enough
for 1500pps of denies.
As for the screens:
admin at srx-eval> show security screen statistics zone trust
error: "screen object not found for this zone/interface"
admin at srx-eval> show security screen statistics zone untrust
error: "screen object not found for this zone/interface"