Hi Jerome, When are u gonna try that?
Has any body got the solution??? regards, Muhammad Fahad Khan JNCIP - M/T # 834 IT Specialist Global Technology Services, IBM fa...@pk.ibm.com +92-301-8247638 Skype: fahad-ibm http://pk.linkedin.com/in/muhammadfahadkhan On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jer...@fleury.net> wrote: > Hi there, > > I think I'm experiencing the same issue here: > > SRX 3600 in cluster mode, running 10.1R2.8 > 1 SPC / 1 NPC per chassis > VPN in policy based mode with a remote CheckPoint > > I can clearly see packet loss in the way SRX -> Checkpoint, resulting > in very poor performances in the tunnel > > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue. > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.k...@gmail.com> wrote: > > Very scary!!! > > > > regards, > > > > Muhammad Fahad Khan > > JNCIP - M/T # 834 > > IT Specialist > > Global Technology Services, IBM > > fa...@pk.ibm.com > > +92-301-8247638 > > Skype: fahad-ibm > > http://pk.linkedin.com/in/muhammadfahadkhan > > > > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.i...@gmail.com> > wrote: > > > >> Hm, this sounds more than scary! > >> > >> Soon I will now if there is the same problem with 10.0R3.10 on 3600 > >> cluster. > >> > >> So now I have good experience with router-based VPNs starting from > >> routing-instance. Policy-based are working also, but I found > router-based > >> more scalable. But no with real traffic tested, until end of the week I > will > >> let you know. > >> > >> Ivan, > >> > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <a...@oasis-tech.net> > wrote: > >> > >>> As far as I know the code you are running is the recommended version by > >>> Juniper. > >>> However it's important to mention that I have no experience with the > high > >>> end SRX boxes. > >>> The stuff mentioned below by quoc sounds a little scary to me. > >>> > >>> Amos > >>> > >>> Sent from my iPhone > >>> > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.k...@gmail.com<mailto: > >>> fahad.k...@gmail.com>> wrote: > >>> > >>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to > >>> upgrade junos? > >>> > >>> regards, > >>> > >>> > >>> Muhammad Fahad Khan > >>> JNCIP - M/T # 834 > >>> IT Specialist > >>> Global Technology Services, IBM > >>> fa...@pk.ibm.com<mailto:fa...@pk.ibm.com> > >>> > >>> +92-301-8247638 > >>> Skype: fahad-ibm > >>> http://pk.linkedin.com/in/muhammadfahadkhan > >>> > >>> > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quocho...@yahoo.com > <mailto: > >>> quocho...@yahoo.com>> wrote: > >>> > >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without > >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then. > >>> > >>> We recently ran into another vpn performance issue on more recent code, > >>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper > resolves > >>> the issue unless you are planning to run with a single SPC. The fix > will > >>> require an architectural change. > >>> > >>> Problem description: > >>> Low throughput is experienced on the Juniper high-end SRX line with > >>> systems > >>> that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and > >>> the > >>> clear text session SPU are different. The problem exists because hash > and > >>> SEQ bit values in the switch header are not accounted for properly when > >>> forwarding the packet to alternative SPU’s. > >>> > >>> > >>> Quoc > >>> > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.k...@gmail.com<mailto: > >>> fahad.k...@gmail.com>> wrote: > >>> > >>> From: Fahad Khan <fahad.k...@gmail.com<mailto:fahad.k...@gmail.com>> > >>> > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600 > >>> To: <mailto:juniper-nsp@puck.nether.net> juniper-nsp@puck.nether.net > >>> <mailto:juniper-nsp@puck.nether.net> > >>> > >>> Date: Monday, August 2, 2010, 4:48 AM > >>> Hi folks, > >>> > >>> I am seeing very strange issue on SRX3600 when the traffic > >>> is flown through > >>> an IPSEC VPN tunnel (established with ISG2000), the tunnel > >>> gets up and the > >>> traffic flows properly, but suddenly traffic drops, while > >>> the tunnel remains > >>> up. > >>> > >>> And it continues to flow after 15 to 20 time out but again > >>> it starts > >>> droping. I am sure that there is no issue at physical > >>> layer. > >>> > >>> Has any body faced it yet?? > >>> > >>> Please reply ASAP. > >>> > >>> Thanks in adv > >>> > >>> regards > >>> Muhammad Fahad Khan > >>> JNCIP - M/T # 834 > >>> IT Specialist > >>> Global Technology Services, IBM > >>> fa...@pk.ibm.com<mailto:fa...@pk.ibm.com> > >>> > >>> +92-301-8247638 > >>> Skype: fahad-ibm > >>> http://pk.linkedin.com/in/muhammadfahadkhan > >>> _______________________________________________ > >>> juniper-nsp mailing list <mailto:juniper-nsp@puck.nether.net> > >>> juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> > >>> > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp > >>> > >>> > >>> _______________________________________________ > >>> juniper-nsp mailing list <mailto:juniper-nsp@puck.nether.net> > >>> juniper-nsp@puck.nether.net<mailto:juniper-nsp@puck.nether.net> > >>> > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp > >>> _______________________________________________ > >>> juniper-nsp mailing list juniper-nsp@puck.nether.net > >>> https://puck.nether.net/mailman/listinfo/juniper-nsp > >>> > >> > >> > >> > >> -- > >> Best Regards! > >> > >> Ivan Ivanov > >> > > _______________________________________________ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp