[j-nsp] SRX Deployment Questions

Michael Gehrmann mgehrmann at atlassian.com
Tue Aug 23 02:15:39 EDT 2016


Might want to set your tcp-mss (MSS clamping keeps TCP segments below the path MTU even when path-mtu-discovery fails because ICMP fragmentation-needed messages are dropped somewhere upstream). I have always done this for best success.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30687&actp=RSS

Regards
Mike

On 23 August 2016 at 05:42, Jeffrey Nikoletich <jeffn at xfernet.com> wrote:

> All,
>
>
>
> I actually got this figured out. It was due to a bad card, so we are fully
> deployed now. The only issue we seem to be having is very slow file
> transfer speeds from anything behind the SRX.
>
>
>
> Before cutting over from an ASA 5550 we were getting speeds uploading to S3
> of around 4-8mbps. Now we are getting 150-250kbps. Any ideas? I have checked
> the MTU and also did an MTU ping test all the way up the chain, and it all
> looks good. Servers that are outside the firewall have no issues.
>
>
>
> Here is my sanitized config. Any help is appreciated:
>
>
>
> jeff> show configuration
>
> version 12.3X48-D30.7;
>
> system {
>
>     internet-options {
>
>         path-mtu-discovery;
>
> chassis {
>
>     aggregated-devices {
>
>         ethernet {
>
>             device-count 2;
>
>         }
>
>     }
>
> }
>
> security {
>
>     alg {
>
>         dns disable;
>
>         ftp disable;
>
>         mgcp disable;
>
>         msrpc disable;
>
>         sunrpc disable;
>
>         sccp disable;
>
>         talk disable;
>
>         tftp disable;
>
>         pptp disable;
>
>     }
>
>     flow {
>
>         tcp-session {
>
>             no-sequence-check;
>
>         }
>
>     }
>
>     nat {
>
>         source {
>
>             pool SourceNAT-pool {
>
>                 description "SourceNAT pool";
>
>                 address {
>
>                     69.X.X.2/32 to 69.X.X.3/32;
>
>                     69.X.X.60/32 to 69.X.X.62/32;
>
>                 }
>
>             }
>
>             rule-set interface-nat {
>
>                 from zone LAN;
>
>                 to zone WAN;
>
>                 rule rule1 {
>
>                     match {
>
>                         source-address 0.0.0.0/0;
>
>                         destination-address 0.0.0.0/0;
>
>                     }
>
>                     then {
>
>                         source-nat {
>
>                             pool {
>
>                                 SourceNAT-pool;
>
>                             }
>
>                         }
>
>                     }
>
>                 }
>
>             }
>
>         }
>
>     policies {
>
>         from-zone LAN to-zone WAN {
>
>             policy permit-all {
>
>                 match {
>
>                     source-address any;
>
>                     destination-address any;
>
>                     application any;
>
>                     source-identity any;
>
>                 }
>
>                 then {
>
>                     permit;
>
>                 }
>
>             }
>
>         }
>
>         from-zone WAN to-zone LAN {
>
>             policy allow-xfernet {
>
>                 match {
>
>                     source-address XFERNET;
>
>                     destination-address any;
>
>                     application any;
>
>                 }
>
>                 then {
>
>                     permit;
>
>                 }
>
>             }
>
>             policy allow_web {
>
>                 match {
>
>                     source-address any;
>
>                     destination-address VIP_Servers_Internal;
>
>                     application [ junos-http junos-https http-8080 ];
>
>                 }
>
>                 then {
>
>                     permit;
>
>                 }
>
>             }
>
>             policy permit_icmp_in {
>
>                 match {
>
>                     source-address any;
>
>                     destination-address any;
>
>                     application junos-icmp-all;
>
>                 }
>
>                 then {
>
>                     permit;
>
>                 }
>
>             }
>
>         }
>
>         from-zone LAN to-zone LAN {
>
>            policy LAN-to-LAN {
>
>                 match {
>
>                     source-address any;
>
>                     destination-address any;
>
>                     application any;
>
>                 }
>
>                 then {
>
>                     permit;
>
>                 }
>
>             }
>
>         }
>
>         from-zone WAN to-zone junos-host {
>
>             policy Allow-Management {
>
>                 match {
>
>                     source-address XFERNET;
>
>                     destination-address LOCALHOST;
>
>                     application [ junos-ssh junos-http junos-https
> junos-icmp-all ];
>
>                 }
>
>                 then {
>
>                    permit;
>
>                     log {
>
>                         session-close;
>
>                     }
>
>                 }
>
>             }
>
>             policy Deny-All-Else {
>
>                 match {
>
>                     source-address any;
>
>                     destination-address any;
>
>                     application any;
>
>                 }
>
>                 then {
>
>                     deny;
>
>                     log {
>
>                         session-init;
>
>                     }
>
>                 }
>
>             }
>
>         }
>
>     }
>
>     zones {
>
>         security-zone LAN {
>
>             host-inbound-traffic {
>
>                 system-services {
>
>                     all;
>
>                 }
>
>                 protocols {
>
>                     all;
>
>                 }
>
>             }
>
>             interfaces {
>
>                 ae1.0 {
>
>                     host-inbound-traffic {
>
>                         system-services {
>
>                             all;
>
>                         }
>
>                         protocols {
>
>                             all;
>
>                         }
>
>                     }
>
>                 }
>
>             }
>
>         }
>
>         security-zone WAN {
>
>             host-inbound-traffic {
>
>                 system-services {
>
>                     ping;
>
>                     traceroute;
>
>                     ssh;
>
>                     http;
>
>                     https;
>
>                     ike;
>
>                     snmp;
>
>                 }
>
>             }
>
>             interfaces {
>
>                 ae0.0;
>
>             }
>
>         }
>
>     }
>
> }
>
> interfaces {
>
>     xe-1/0/0 {
>
>         description WAN-ExternalSW-0303;
>
>         gigether-options {
>
>             802.3ad ae0;
>
>         }
>
>     }
>
>     xe-2/0/0 {
>
>         description LAN-301-Te0/49;
>
>         gigether-options {
>
>             802.3ad ae1;
>
>         }
>
>     }
>
>     xe-4/0/1 {
>
>         gigether-options {
>
>             802.3ad ae1;
>
>         }
>
>     }
>
>     xe-5/0/0 {
>
>         description WAN-ExternalSW-0302;
>
>         gigether-options {
>
>             802.3ad ae0;
>
>         }
>
>     }
>
>     ae0 {
>
>         description WAN;
>
>         aggregated-ether-options {
>
>             link-speed 10g;
>
>         }
>
>         unit 0 {
>
>             family inet {
>
>                 address 69.X.X.2/26;
>
>             }
>
>         }
>
>     }
>
>     ae1 {
>
>         aggregated-ether-options {
>
>             link-speed 10g;
>
>         }
>
>         unit 0 {
>
>             family inet {
>
>                 address 10.X.X.1/16;
>
> jeffn>
>
>
> Regards,
>
> Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
>
> Xfernet
> | 1-855-XFERNET | Ph: 213-201-6080 | http://www.xfernet.net
>



-- 
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658

