[j-nsp] SRX Deployment Questions
Michael Gehrmann
mgehrmann at atlassian.com
Tue Aug 23 02:15:39 EDT 2016
Might want to set your tcp-mss. I have always done this for best success.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30687&actp=RSS
Regards
Mike
On 23 August 2016 at 05:42, Jeffrey Nikoletich <jeffn at xfernet.com> wrote:
> All,
>
> I actually got this figured out. Was due to a bad card. So we are fully
> deployed now. The only issue we seem to be having is very slow file
> transfer speeds from anything behind the SRX.
>
> Before cutting over from an ASA 5550 we were getting speeds uploading to S3
> around 4-8mbps. Now we are getting 150-250kbps. Any ideas? I have checked
> the MTU and also did an MTU ping test all the way up the chain and it all
> looks good. Servers that are outside the firewall have no issues.
>
> Here is my sanitized config. Any help is appreciated:
>
> jeff> show configuration
> version 12.3X48-D30.7;
> system {
>     internet-options {
>         path-mtu-discovery;
>     }
> }
> chassis {
>     aggregated-devices {
>         ethernet {
>             device-count 2;
>         }
>     }
> }
> security {
>     alg {
>         dns disable;
>         ftp disable;
>         mgcp disable;
>         msrpc disable;
>         sunrpc disable;
>         sccp disable;
>         talk disable;
>         tftp disable;
>         pptp disable;
>     }
>     flow {
>         tcp-session {
>             no-sequence-check;
>         }
>     }
>     nat {
>         source {
>             pool SourceNAT-pool {
>                 description "SourceNAT pool";
>                 address {
>                     69.X.X.2/32 to 69.X.X.3/32;
>                     69.X.X.60/32 to 69.X.X.62/32;
>                 }
>             }
>             rule-set interface-nat {
>                 from zone LAN;
>                 to zone WAN;
>                 rule rule1 {
>                     match {
>                         source-address 0.0.0.0/0;
>                         destination-address 0.0.0.0/0;
>                     }
>                     then {
>                         source-nat {
>                             pool {
>                                 SourceNAT-pool;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
>     policies {
>         from-zone LAN to-zone WAN {
>             policy permit-all {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                     source-identity any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone WAN to-zone LAN {
>             policy allow-xfernet {
>                 match {
>                     source-address XFERNET;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>             policy allow_web {
>                 match {
>                     source-address any;
>                     destination-address VIP_Servers_Internal;
>                     application [ junos-http junos-https http-8080 ];
>                 }
>                 then {
>                     permit;
>                 }
>             }
>             policy permit_icmp_in {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application junos-icmp-all;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone LAN to-zone LAN {
>             policy LAN-to-LAN {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone WAN to-zone junos-host {
>             policy Allow-Management {
>                 match {
>                     source-address XFERNET;
>                     destination-address LOCALHOST;
>                     application [ junos-ssh junos-http junos-https junos-icmp-all ];
>                 }
>                 then {
>                     permit;
>                     log {
>                         session-close;
>                     }
>                 }
>             }
>             policy Deny-All-Else {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     deny;
>                     log {
>                         session-init;
>                     }
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone LAN {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 ae1.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             all;
>                         }
>                         protocols {
>                             all;
>                         }
>                     }
>                 }
>             }
>         }
>         security-zone WAN {
>             host-inbound-traffic {
>                 system-services {
>                     ping;
>                     traceroute;
>                     ssh;
>                     http;
>                     https;
>                     ike;
>                     snmp;
>                 }
>             }
>             interfaces {
>                 ae0.0;
>             }
>         }
>     }
> }
> interfaces {
>     xe-1/0/0 {
>         description WAN-ExternalSW-0303;
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     xe-2/0/0 {
>         description LAN-301-Te0/49;
>         gigether-options {
>             802.3ad ae1;
>         }
>     }
>     xe-4/0/1 {
>         gigether-options {
>             802.3ad ae1;
>         }
>     }
>     xe-5/0/0 {
>         description WAN-ExternalSW-0302;
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     ae0 {
>         description WAN;
>         aggregated-ether-options {
>             link-speed 10g;
>         }
>         unit 0 {
>             family inet {
>                 address 69.X.X.2/26;
>             }
>         }
>     }
>     ae1 {
>         aggregated-ether-options {
>             link-speed 10g;
>         }
>         unit 0 {
>             family inet {
>                 address 10.X.X.1/16;
>
> jeffn>
>
> Regards,
>
> Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
>
> Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net
--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658
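Mike's tcp-mss suggestion works by rewriting the MSS option in the TCP SYN so that no segment on the path exceeds what the links can carry without fragmentation. As an added illustration (not code from this thread, from Juniper, or from the KB article), this Python builds a constructed SYN, clamps its MSS option to a chosen value the way a firewall MSS clamp does, and repairs the TCP checksum; all function names, addresses, ports and the sample values (1460 offered, 1380 allowed) are assumptions for the example.

```python
import struct

def tcp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    # RFC 793 checksum over the IPv4 pseudo-header plus the segment; returns 0
    # when the checksum already stored in seg is valid.
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg)) + seg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    # Constructed sample SYN carrying MSS, NOP, NOP and SACK-permitted options.
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_off << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + opts)
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def clamp_mss(src_ip: bytes, dst_ip: bytes, seg: bytes, max_mss: int):
    # Rewrite a SYN's MSS option the way a firewall MSS clamp does and repair
    # the checksum. Returns (segment, original_mss, resulting_mss); non-SYN
    # segments and SYNs without an MSS option come back unchanged with None.
    data_off = (seg[12] >> 4) * 4
    if not seg[13] & 0x02:
        return seg, None, None
    opts, original, i = bytearray(seg[20:data_off]), None, 0
    while i < len(opts) and opts[i] != 0:        # kind 0 ends the list
        if opts[i] == 1:                          # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                            # malformed option: stop
            break
        if opts[i] == 2 and length == 4:
            original = struct.unpack("!H", opts[i + 2:i + 4])[0]
            if original > max_mss:
                opts[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    if original is None:
        return seg, None, None
    new = bytearray(seg[:20]) + opts + bytearray(seg[data_off:])
    new[16:18] = b"\x00\x00"                     # zero before recomputing
    new[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new), original, min(original, max_mss)
```

A SYN offering 1460 comes back with its option rewritten to 1380 and a checksum that verifies to 0; segments that are not SYNs pass through untouched.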