[j-nsp] SRX - CPU utilization exceeds

sameer mughal pcs.sameer1 at gmail.com
Tue Sep 19 03:47:51 EDT 2017


Thanks a lot for the reply.

However, as per the available SRX datasheet, they can manage 300Mbps
throughput, so why is it showing high CPU between 60 and 70 Mbps? This is a
bit confusing.
I have configured two things: one is BGP (route details mentioned below)
and the other is a route map (details mentioned below), and nothing else.


Please review my remarks below:


On Tue, Sep 19, 2017 at 12:34 PM, Benoit Plessis <b.plessis at doyousoft.com>
wrote:

> On 19/09/2017 at 06:26, sameer mughal wrote:
>
> Hi,
>
> Thanks!
>
> This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1] and
> traffic is IP not IPSEC. Traffic is IP BGP and route map also configured.
>
>
> BGP? With how many routes? How many peers?
>
    inet.0: 33 destinations, 35 routes (33 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
*Route MAP:*
RM-SO.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

Only one peer configured.

> Traffic is pushing around 70 to 80 Mbps.
>
>
> And in pps?
> Is it regular or do you have peaks around the high CPU alerts?
>
> Please advise.
>
> Well ... it depends!
>
>  * Are you OK with the current performance of your setup?
>  * Is there an increase in traffic in the foreseeable future?
>  * Have you got some $$$ to replace the firewall?
>
> I for one would replace it, mostly because doing BGP on such a small SRX
> doesn't seem like a great idea, except if you have only one peer and
> exchange a limited number of routes.
>
>
> On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert <hugo at slabnet.com> wrote:
>
>> On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis <
>> b.plessis at doyousoft.com> wrote:
>>
>>> [..] to external conditions ("attacks" / scan / ..)
>>> [..] it kind of looks inadequate to your needs.
>>>
>>> Do you have some external monitoring in place with a graphing system to
>>> look after your firewall?
>>>
>>
>> This can even just be throughput based, especially for flow services as
>> opposed to just packet-mode forwarding.  I've had instances of this from
>> e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.
>>
>
> Yes, that's one of the "external conditions" I had in mind! :)
>
>
>

