[j-nsp] SRX 3600 dropped packets - how to debug?

Phil Mayers p.mayers at imperial.ac.uk
Mon May 27 12:41:43 EDT 2013

On 05/27/2013 03:45 PM, OBrien, Will wrote:

> Are you using any alg?

Ah ha... thanks for the nudge. The ALG settings are SRX-defaults:

admin at srx-eval> show security alg status
ALG Status :
   DNS      : Enabled
   FTP      : Enabled
   H323     : Disabled
   MGCP     : Disabled
   MSRPC    : Enabled
   PPTP     : Enabled
   RSH      : Enabled
   RTSP     : Disabled
   SCCP     : Disabled
   SIP      : Disabled
   SQL      : Enabled
   SUNRPC   : Enabled
   TALK     : Enabled
   TFTP     : Enabled
   IKE-ESP  : Disabled

Disabling the DNS ALG significantly reduces the rate of counter 
increments. Presumably the other traffic is other, less-used ALGs.

So, the ALG(s) are suspect.

That said, I can't believe the firewall was *actually* dropping 1500pps 
of DNS traffic; we'd have widespread problems reported, surely. So, it 
seems that maybe ALG-processed traffic is being counted under "packets 
dropped" for "show security flow statistics"?

A brief test from a linux box behind the firewall shows it can do 
glibc-style getaddrinfo() calls (A and AAAA lookup from same UDP socket 
back-to-back) and both requests and replies are forwarded with the ALG 
enabled, so I'm disinclined to believe it's *actually* dropping.

Does it seem reasonable that the counter is in error?
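The back-to-back A and AAAA check described above, written out as an added example (it is not code from the original post or from Juniper): both queries leave one UDP socket, so they share a source port, and the replies are matched to their queries by transaction ID. The resolver address and query name are assumed placeholders.

```python
import socket
import struct

# Constructed example reproducing the "A and AAAA from the same UDP socket,
# back-to-back" test. RESOLVER and QNAME are assumptions; point RESOLVER at a
# resolver on the far side of the firewall under test.
RESOLVER = ("192.0.2.53", 53)     # placeholder (RFC 5737 documentation range)
QNAME = "example.com"
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Minimal DNS query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    labels = [struct.pack("B", len(l)) + l.encode() for l in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data: bytes) -> dict:
    """Pull out the header fields needed to pair a reply with its query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def match_replies(sent: dict, replies: list) -> dict:
    """For each sent txid -> qtype, report whether a response with that txid arrived."""
    seen = {parse_header(r)["txid"] for r in replies if parse_header(r)["is_response"]}
    return {qtype: txid in seen for txid, qtype in sent.items()}

def run_check(resolver=RESOLVER, name=QNAME, timeout=2.0) -> dict:
    """Send A then AAAA from ONE socket before reading either reply, as getaddrinfo() does."""
    sent = {0x1A2B: QTYPE_A, 0x1A2C: QTYPE_AAAA}
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for txid, qtype in sent.items():
            s.sendto(build_query(txid, name, qtype), resolver)
        for _ in sent:
            try:
                replies.append(s.recv(4096))
            except socket.timeout:
                break   # a missing reply shows up as False for that qtype
    return match_replies(sent, replies)

if __name__ == "__main__":
    print(run_check())   # {1: True, 28: True} when both replies traverse the firewall
```

If only the A reply comes back with the ALG enabled, and both come back with it disabled, that points at the ALG rather than at the counter.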

