Mind it, this is SRX3600 in Chassis Cluster environment.

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan

On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan <fahad.k...@gmail.com> wrote:

> The strange issue is that, the drop is not related with the amount of
> traffic, it relates with the number of users (hence with the number of
> sessions perhaps), since there was no drop when 4 or 5 users choke the link
> up to 90 MB, but when there comes 100 to 150 users in the building with even
> 10 or 20 MB of traffic, the traffic starts dropping, still out of mind from
> Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations
> from JTAC to upgrade the Junos yet.
>
> Can anybody provide the solution??
>
> Thanks and regards,
> Muhammad Fahad Khan
>
> 2010/8/3 Quoc Hoang <quocho...@yahoo.com>
>
>> Not sure what encryption algorithm is being used but we have noticed AES
>> and perhaps others as well on JunOS that it requires more overhead.
>>
>> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it
>> 1400 which was our default on the netscreens). It resolved one of our
>> performance issues.
>>
>> Hope that helps.
>>
>> quoc
>>
>> --- On Tue, 8/3/10, Fahad Khan <fahad.k...@gmail.com> wrote:
>>
>> > From: Fahad Khan <fahad.k...@gmail.com>
>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>> > To: "Jérôme Fleury" <jer...@fleury.net>
>> > Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
>> > Date: Tuesday, August 3, 2010, 6:36 AM
>> >
>> > Hi Jerome,
>> >
>> > When are u gonna try that?
>> >
>> > Has anybody got the solution???
>> >
>> > regards,
>> > Muhammad Fahad Khan
>> >
>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jer...@fleury.net> wrote:
>> >
>> > > Hi there,
>> > >
>> > > I think I'm experiencing the same issue here:
>> > >
>> > > SRX 3600 in cluster mode, running 10.1R2.8
>> > > 1 SPC / 1 NPC per chassis
>> > > VPN in policy based mode with a remote CheckPoint
>> > >
>> > > I can clearly see packet loss in the way SRX -> Checkpoint, resulting
>> > > in very poor performances in the tunnel
>> > >
>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>> > >
>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.k...@gmail.com> wrote:
>> > > > Very scary!!!
>> > > >
>> > > > regards,
>> > > > Muhammad Fahad Khan
>> > > >
>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.i...@gmail.com> wrote:
>> > > >
>> > > >> Hm, this sounds more than scary!
>> > > >>
>> > > >> Soon I will know if there is the same problem with 10.0R3.10 on 3600
>> > > >> cluster.
>> > > >>
>> > > >> So now I have good experience with router-based VPNs starting from
>> > > >> routing-instance. Policy-based are working also, but I found router-based
>> > > >> more scalable. But not with real traffic tested, until end of the week I will
>> > > >> let you know.
>> > > >>
>> > > >> Ivan,
>> > > >>
>> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <a...@oasis-tech.net> wrote:
>> > > >>
>> > > >>> As far as I know the code you are running is the recommended version by
>> > > >>> Juniper.
>> > > >>> However it's important to mention that I have no experience with the high
>> > > >>> end SRX boxes.
>> > > >>> The stuff mentioned below by quoc sounds a little scary to me.
>> > > >>>
>> > > >>> Amos
>> > > >>>
>> > > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.k...@gmail.com> wrote:
>> > > >>>
>> > > >>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to
>> > > >>> upgrade junos?
>> > > >>>
>> > > >>> regards,
>> > > >>> Muhammad Fahad Khan
>> > > >>>
>> > > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quocho...@yahoo.com> wrote:
>> > > >>>
>> > > >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without
>> > > >>> issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>> > > >>>
>> > > >>> We recently ran into another vpn performance issue on more recent code,
>> > > >>> 10.0r2. Avoid running ipsec vpns on the high end SRX till Juniper resolves
>> > > >>> the issue unless you are planning to run with a single SPC. The fix will
>> > > >>> require an architectural change.
>> > > >>>
>> > > >>> Problem description:
>> > > >>> Low throughput is experienced on the Juniper high-end SRX line with systems
>> > > >>> that have multiple SPCs. The issue occurs when a tunnel anchor SPU and the
>> > > >>> clear text session SPU are different. The problem exists because hash and
>> > > >>> SEQ bit values in the switch header are not accounted for properly when
>> > > >>> forwarding the packet to alternative SPUs.
>> > > >>>
>> > > >>> Quoc
>> > > >>>
>> > > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.k...@gmail.com> wrote:
>> > > >>>
>> > > >>> From: Fahad Khan <fahad.k...@gmail.com>
>> > > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>> > > >>> To: juniper-nsp@puck.nether.net
>> > > >>> Date: Monday, August 2, 2010, 4:48 AM
>> > > >>>
>> > > >>> Hi folks,
>> > > >>>
>> > > >>> I am seeing very strange issue on SRX3600 when the traffic is flown through
>> > > >>> an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the
>> > > >>> traffic flows properly, but suddenly traffic drops, while the tunnel remains
>> > > >>> up.
>> > > >>>
>> > > >>> And it continues to flow after 15 to 20 time out but again it starts
>> > > >>> dropping. I am sure that there is no issue at physical layer.
>> > > >>>
>> > > >>> Has anybody faced it yet??
>> > > >>>
>> > > >>> Please reply ASAP.
>> > > >>>
>> > > >>> Thanks in adv
>> > > >>>
>> > > >>> regards
>> > > >>> Muhammad Fahad Khan
>> > > >>
>> > > >> --
>> > > >> Best Regards!
>> > > >>
>> > > >> Ivan Ivanov

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
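
Added example, not part of the original thread and not Juniper's code: the arithmetic behind the quoted advice to lower the IPsec MSS from 1400 to 1350, worked for one full-size TCP segment inside an ESP tunnel. The cipher suite (AES-CBC with HMAC-SHA1-96), IPv4 headers without options and the 1500-byte path MTU are assumptions; the thread does not state them.

```python
# Added illustration: size of an ESP tunnel-mode packet carrying one
# full-size TCP segment, for a given TCP MSS.
# Assumptions (not stated in the thread): IPv4 inner and outer headers,
# no IP or TCP options, AES-CBC (16-byte IV and block), HMAC-SHA1-96
# (12-byte ICV), 1500-byte path MTU.

OUTER_IP = 20       # outer IPv4 header
ESP_HEADER = 8      # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
NAT_T_UDP = 8       # UDP encapsulation header (NAT traversal)
INNER_HEADERS = 40  # inner IPv4 (20) + TCP (20)


def esp_packet_size(mss, iv=16, block=16, icv=12, nat_t=False):
    """Bytes on the wire for one MSS-sized segment after ESP encapsulation."""
    plaintext = mss + INNER_HEADERS + ESP_TRAILER
    padded = -(-plaintext // block) * block  # round up to the cipher block size
    size = OUTER_IP + ESP_HEADER + iv + padded + icv
    return size + (NAT_T_UDP if nat_t else 0)


def largest_safe_mss(mtu=1500, **esp):
    """Largest MSS whose encapsulated packet still fits in the MTU."""
    mss = mtu - INNER_HEADERS
    while esp_packet_size(mss, **esp) > mtu:
        mss -= 1
    return mss


def report(mtu=1500):
    """(mss, nat_t, wire size, fits in MTU) for the two values in the thread."""
    rows = []
    for mss in (1400, 1350):
        for nat_t in (False, True):
            size = esp_packet_size(mss, nat_t=nat_t)
            rows.append((mss, nat_t, size, size <= mtu))
    return rows


if __name__ == "__main__":
    for mss, nat_t, size, fits in report():
        verdict = "fits" if fits else "exceeds MTU"
        print(f"mss={mss} nat_t={nat_t}: {size} bytes, {verdict}")
    print("largest safe MSS:", largest_safe_mss())
    print("largest safe MSS with NAT-T:", largest_safe_mss(nat_t=True))
```

Under these assumptions an MSS of 1400 produces packets larger than 1500 bytes once encapsulated, while 1350 leaves headroom with or without NAT-T.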