[j-nsp] SRX 3600 dropped packets - how to debug?

ashish verma ashish.scit at gmail.com
Tue May 28 05:40:44 EDT 2013


See if this article helps you (juniper login required)

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&smlogin=true


On Tue, May 28, 2013 at 2:41 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 05/27/2013 03:45 PM, OBrien, Will wrote:
>
>> Are you using any alg?
>
> Ah ha... thanks for the nudge. The ALG settings are SRX-defaults:
>
> admin at srx-eval> show security alg status
> ALG Status :
>   DNS      : Enabled
>   FTP      : Enabled
>   H323     : Disabled
>   MGCP     : Disabled
>   MSRPC    : Enabled
>   PPTP     : Enabled
>   RSH      : Enabled
>   RTSP     : Disabled
>   SCCP     : Disabled
>   SIP      : Disabled
>   SQL      : Enabled
>   SUNRPC   : Enabled
>   TALK     : Enabled
>   TFTP     : Enabled
>   IKE-ESP  : Disabled
>
> Disabling the DNS ALG significantly reduces the rate of counter
> increments. Presumably the other traffic is other, less-used ALGs.
>
> So, the ALG(s) are suspect.
>
> That said, I can't believe the firewall was *actually* dropping 1500pps of
> DNS traffic; we'd have widespread problems reported, surely. So, it seems
> that maybe ALG-processed traffic is being counted under "packets dropped"
> for "show security flow statistics"?
>
> A brief test from a linux box behind the firewall shows it can do
> glibc-style getaddrinfo() calls (A and AAAA lookup from same UDP socket
> back-to-back) and both requests and replies are forwarded with the ALG
> enabled, so I'm disinclined to believe it's *actually* dropping.
>
> Does it seem reasonable that the counter is in error?
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
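The back-to-back A and AAAA lookup Phil describes above, as an added example that is not part of this thread: a small Python probe that emulates what glibc's getaddrinfo() does (both queries sent from one UDP socket without waiting for the first reply) and reports which of the two got an answer, so a device that swallows one of them shows up as a missing reply rather than as a vague "sometimes slow" symptom. The hostname and resolver address are placeholders you pass on the command line; the reply bytes used for checking the parser are constructed here.

```python
"""Send an A and an AAAA query back-to-back from one UDP socket and pair up the replies.

Added illustration, not code from the thread. Use it from a host behind the
firewall to check whether both queries and both replies pass a DNS ALG.
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Plain recursive query: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Return the header fields needed to tell a genuine reply from noise."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "answers": an,
    }


def match_replies(sent: dict, replies: list) -> dict:
    """Pair received datagrams with sent queries by transaction ID.

    `sent` maps txid -> qtype. Queries that got no valid response map to None,
    which is the signal we are looking for when an ALG drops one of the pair.
    """
    result = {qtype: None for qtype in sent.values()}
    for raw in replies:
        try:
            hdr = parse_header(raw)
        except ValueError:
            continue  # truncated or non-DNS datagram: ignore
        if hdr["is_response"] and hdr["id"] in sent:
            result[sent[hdr["id"]]] = hdr
    return result


def probe(name: str, server: str, timeout: float = 2.0) -> dict:
    """Send A then AAAA immediately from the same socket, then collect replies until timeout."""
    txid_a = random.randrange(1 << 16)
    txid_aaaa = (txid_a + 1) & 0xFFFF
    sent = {txid_a: QTYPE_A, txid_aaaa: QTYPE_AAAA}
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for txid, qtype in sent.items():
            sock.sendto(build_query(name, qtype, txid), (server, 53))
        # Stop once we have one datagram per query or the resolver goes quiet.
        while len(replies) < len(sent):
            try:
                data, _peer = sock.recvfrom(4096)
            except socket.timeout:
                break
            replies.append(data)
    return match_replies(sent, replies)


if __name__ == "__main__":
    # Usage: python dns_alg_probe.py <hostname> <resolver-ip>   (both are placeholders)
    host, resolver = sys.argv[1], sys.argv[2]
    for qtype, hdr in probe(host, resolver).items():
        label = "A" if qtype == QTYPE_A else "AAAA"
        print(label, "no reply" if hdr is None else f"rcode={hdr['rcode']} answers={hdr['answers']}")
```

If the first reply arrives but the second never does, repeat the run with the ALG disabled; if the second reply then appears, you have isolated the ALG rather than the resolver or the policy.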

