[j-nsp] SRX - CPU utilization exceeds

Benoit Plessis b.plessis at doyousoft.com
Tue Sep 19 03:34:36 EDT 2017


Le 19/09/2017 à 06:26, sameer mughal a écrit :
> Hi,
>
> Thanks!
>
> This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1]
> and traffic is IP not IPSEC. Traffic is IP BGP and route map also
> configured.

BGP ? With how many routes ? how many peers ?

> Traffic is pushing around 70 to 80 Mbps.

And in pps ?
Is it regular or do you have peaks around the high cpu alerts ?

> Please advice.
Well ... it depend !

 * Are you ok with the current performances of your setup ?
 * Is there an increase in traffic in the foreseable futur ?
 * Have you got some $$$ to replace the firewall ?

I for one would replace it, mostly because doing BGP on such a small SRX
doesn't seem like a great idea, expect if you have only one peer and
exchange a limited number of routes.


> On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert <hugo at slabnet.com
> <mailto:hugo at slabnet.com>> wrote:
>
>     On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis
>     <b.plessis at doyousoft.com <mailto:b.plessis at doyousoft.com>> wrote:
>
>         [..] to external conditions ("attacks" / scan / ..)
>         [..] it kindof look inadequat to your need.
>
>         Do you have some external monitoring in place with a graphing
>         system to
>         look after you firewall ?
>
>
>     This can even just be throughput based, especially for flow
>     services as opposed to just packet-mode forwarding.  I've had
>     instances of this from e.g. pushing >50-60 Mbps of IPSEC on SRX100
>     boxes.
>

Yes that's one of the "external conditions" i had in mind ! :)




More information about the juniper-nsp mailing list