[j-nsp] SRX 3600 dropped packets - how to debug?
p.mayers at imperial.ac.uk
Mon May 27 12:41:43 EDT 2013
On 05/27/2013 03:45 PM, OBrien, Will wrote:
> Are you using any alg?
Ah ha... thanks for the nudge. The ALG settings are SRX-defaults:
admin@srx-eval> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Disabled
MGCP : Disabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Disabled
SCCP : Disabled
SIP : Disabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
Disabling the DNS ALG significantly reduces the rate of counter
increments. Presumably the other traffic is other, less-used ALGs.
So, the ALG(s) are suspect.
That said, I can't believe the firewall was *actually* dropping 1500pps
of DNS traffic; we'd have widespread problems reported, surely. So, it
seems that maybe ALG-processed traffic is being counted under "packets
dropped" for "show security flow statistics"?
A brief test from a linux box behind the firewall shows it can do
glibc-style getaddrinfo() calls (A and AAAA lookup from same UDP socket
back-to-back) and both requests and replies are forwarded with the ALG
enabled, so I'm disinclined to believe it's *actually* dropping.
Does it seem reasonable that the counter is in error?
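As an added example (my own script, not something from the original post or from Juniper), here is a small Python probe that reproduces the test described above: it sends an A and an AAAA query for the same name from one UDP socket back-to-back, the way glibc's getaddrinfo() does, and reports which replies came back, matched by transaction ID. The resolver address, the name and the transaction IDs 0x1001/0x1002 are assumptions; make_reply constructs a fake reply so the parser can be exercised offline and is not real server output.

```python
import socket
import struct
import sys

A, AAAA = 1, 28          # DNS RR type codes
TYPE_NAMES = {A: "A", AAAA: "AAAA"}


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_reply(data):
    """Return (txid, rcode, [address strings]) from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                  # skip question section
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == A:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == AAAA:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, flags & 0x000F, answers


def make_reply(query, rtype, rdata):
    """Constructed test fixture: a reply to `query` with one answer RR whose
    name is a pointer back to the question (0xC00C). Not real server output."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr


def probe(server, name, timeout=2.0):
    """Send A and AAAA from ONE UDP socket back-to-back (glibc style) and
    return {qtype: (rcode, answers) or None if that reply never arrived}."""
    queries = {0x1001: A, 0x1002: AAAA}                  # assumed transaction IDs
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    for txid, qtype in queries.items():
        s.sendto(build_query(txid, name, qtype), (server, 53))
    results = {}
    while len(results) < len(queries):
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            break                                        # a reply went missing
        txid, rcode, answers = parse_reply(data)
        if txid in queries:
            results[queries[txid]] = (rcode, answers)
    s.close()
    return {qtype: results.get(qtype) for qtype in queries.values()}


def missing(results):
    """Names of the query types that got no reply, e.g. ['AAAA']."""
    return [TYPE_NAMES[q] for q, r in results.items() if r is None]


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> <name>   (run from behind the SRX)
    server, name = sys.argv[1], sys.argv[2]
    res = probe(server, name)
    for qtype, r in res.items():
        print(TYPE_NAMES[qtype], "no reply" if r is None else r)
    print("missing:", missing(res) or "none")
```

Run it from a host behind the firewall against a resolver on the far side, once with the DNS ALG enabled and once with it disabled; a consistent "missing: ['AAAA']" (the second reply on the same socket) is the symptom to look for, whereas both replies arriving in both runs supports the reading that the counter, not the forwarding, is what changed.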