[j-nsp] SRX 3400 IPSec Performance question/advice needed

The Hawk acidutu at hotmail.com
Fri Feb 24 12:11:42 EST 2023


Hello Community,

I was hoping to get some advice on something.

I'm doing some tests on an old SRX3400 cluster in our lab and I'm noticing that IPSec performance on the SRX3400 is horrible.

As per documentation it talks about 8G - 10G of IPSec performance.

I've done tests with 3des-md5, 3des-sha1, aes128-sha1,aes256-sha256.

It seems that aes128-sha1, aes256-sha256 perform best, but even in those circumstances the performance is minimal (approximately 150Mbps on the download and about 350Mbps on the upload).

I'm doing this test between 2 SRX3400's, I've also done it from a Fortigate 60F to the SRX 3400 and both yield the same results.

At first I thought that the SPU wasn't being engaged and that the RE is trying to handle the IPSec but I checked and it seems that there is traffic through the SPU when IPSec traffic is pushed through.  I've also enabled ipsec acceleration on the flow (without rebooting the chassis) and it made no difference (not sure if reboot is required).

Any suggestions that one can offer me?  I speculate that I'm missing some "optimization" command that should engage the ASIC better.

PS.  I'm running the latest version of the SRX 12.3x48 code.
PS2. I am only running 1x SPU in the chassis and I was thinking of maybe installing additional SPUs to see if it helps.. (but based on documentation, a single SPU should handle about 8Gbps of throughput... while adding a second should increase that further).  TBH, I'm not looking to do more than 1G... but I wanted to see 1G performance at least.

Any help/suggestions are greatly appreciated.
Thank you!
Adrian


More information about the juniper-nsp mailing list