Guys,

The issue was related to anti-replay errors that were causing packet decryption to stop.
When we disable the anti-replay service, the VPN starts passing traffic without any issues.

Thanks to all of you

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan

On Tue, Aug 3, 2010 at 9:51 PM, Fahad Khan <fahad.k...@gmail.com> wrote:

> Mind it, this is SRX3600 in Chassis Cluster environment.
>
> regards,
>
> Muhammad Fahad Khan
>
> On Tue, Aug 3, 2010 at 9:50 PM, Fahad Khan <fahad.k...@gmail.com> wrote:
>
>> The strange issue is that the drop is not related to the amount of traffic, it relates to the number of users (hence with the number of sessions perhaps), since there was no drop when 4 or 5 users choke the link up to 90 MB, but when there come 100 to 150 users in the building with even 10 or 20 MB of traffic, the traffic starts dropping, still out of mind from Adv JTAC. We are still on Junos 10.0R3.10 as there are no recommendations from JTAC to upgrade the Junos yet.
>>
>> Can anybody provide the solution??
>>
>> Thanks and regards,
>>
>> Muhammad Fahad Khan
>>
>> 2010/8/3 Quoc Hoang <quocho...@yahoo.com>
>>
>>> Not sure what encryption algorithm is being used but we have noticed AES and perhaps others as well on JunOS that it requires more overhead.
>>>
>>> Check your ipsec mss. JTAC has recommended mss 1350 (previously we had it 1400 which was our default on the netscreens). It resolved one of our performance issues.
>>>
>>> Hope that helps.
>>>
>>> quoc
>>>
>>> --- On Tue, 8/3/10, Fahad Khan <fahad.k...@gmail.com> wrote:
>>>
>>> > From: Fahad Khan <fahad.k...@gmail.com>
>>> > Subject: Re: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> > To: "Jérôme Fleury" <jer...@fleury.net>
>>> > Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
>>> > Date: Tuesday, August 3, 2010, 6:36 AM
>>> >
>>> > Hi Jerome,
>>> >
>>> > When are you gonna try that?
>>> >
>>> > Has anybody got the solution???
>>> >
>>> > regards,
>>> > Muhammad Fahad Khan
>>> >
>>> > On Tue, Aug 3, 2010 at 3:18 PM, Jérôme Fleury <jer...@fleury.net> wrote:
>>> >
>>> > > Hi there,
>>> > >
>>> > > I think I'm experiencing the same issue here:
>>> > >
>>> > > SRX 3600 in cluster mode, running 10.1R2.8
>>> > > 1 SPC / 1 NPC per chassis
>>> > > VPN in policy based mode with a remote CheckPoint
>>> > >
>>> > > I can clearly see packet loss in the way SRX -> Checkpoint, resulting in very poor performances in the tunnel
>>> > >
>>> > > We'll try to upgrade to 10.1R3.7 to see if it fixes the issue.
>>> > >
>>> > > On Tue, Aug 3, 2010 at 09:38, Fahad Khan <fahad.k...@gmail.com> wrote:
>>> > > > Very scary!!!
>>> > > >
>>> > > > regards,
>>> > > >
>>> > > > Muhammad Fahad Khan
>>> > > >
>>> > > > On Tue, Aug 3, 2010 at 9:35 AM, Ivan Ivanov <ivanov.i...@gmail.com> wrote:
>>> > > >
>>> > > >> Hm, this sounds more than scary!
>>> > > >>
>>> > > >> Soon I will know if there is the same problem with 10.0R3.10 on 3600 cluster.
>>> > > >>
>>> > > >> So now I have good experience with router-based VPNs starting from routing-instance. Policy-based are working also, but I found router-based more scalable. But not with real traffic tested, until end of the week I will let you know.
>>> > > >>
>>> > > >> Ivan,
>>> > > >>
>>> > > >> On Mon, Aug 2, 2010 at 23:58, Amos Rosenboim <a...@oasis-tech.net> wrote:
>>> > > >>
>>> > > >>> As far as I know the code you are running is the recommended version by Juniper.
>>> > > >>> However it's important to mention that I have no experience with the high end SRX boxes.
>>> > > >>> The stuff mentioned below by quoc sounds a little scary to me.
>>> > > >>>
>>> > > >>> Amos
>>> > > >>>
>>> > > >>> Sent from my iPhone
>>> > > >>>
>>> > > >>> On 2 Aug 2010, at 23:44, "Fahad Khan" <fahad.k...@gmail.com> wrote:
>>> > > >>>
>>> > > >>> I have 3 SPCs and 3 NPCs and running Junos 10.0R3.10, should I need to upgrade junos?
>>> > > >>>
>>> > > >>> regards,
>>> > > >>>
>>> > > >>> Muhammad Fahad Khan
>>> > > >>>
>>> > > >>> On Tue, Aug 3, 2010 at 12:02 AM, Quoc Hoang <quocho...@yahoo.com> wrote:
>>> > > >>>
>>> > > >>> I've deployed IPSEC VPNs between a pair of SRX3600 and NS5400 without issue. SRX was running Junos 9.5r3. Performance wasn't great then.
>>> > > >>>
>>> > > >>> We recently ran into another vpn performance issue on more recent code, 10.0r2.
>>> > > >>> Avoid running ipsec vpns on the high end SRX till Juniper resolves the issue unless you are planning to run with a single SPC. The fix will require an architectural change.
>>> > > >>>
>>> > > >>> Problem description:
>>> > > >>> Low throughput is experienced on the Juniper high-end SRX line with systems that have multiple SPC’s. The issue occurs when a tunnel anchor SPU and the clear text session SPU are different. The problem exists because hash and SEQ bit values in the switch header are not accounted for properly when forwarding the packet to alternative SPU’s.
>>> > > >>>
>>> > > >>> Quoc
>>> > > >>>
>>> > > >>> --- On Mon, 8/2/10, Fahad Khan <fahad.k...@gmail.com> wrote:
>>> > > >>>
>>> > > >>> From: Fahad Khan <fahad.k...@gmail.com>
>>> > > >>> Subject: [j-nsp] Traffic drops on IPSEC - SRX3600
>>> > > >>> To: juniper-nsp@puck.nether.net
>>> > > >>> Date: Monday, August 2, 2010, 4:48 AM
>>> > > >>>
>>> > > >>> Hi folks,
>>> > > >>>
>>> > > >>> I am seeing a very strange issue on SRX3600 when the traffic is flown through an IPSEC VPN tunnel (established with ISG2000), the tunnel gets up and the traffic flows properly, but suddenly traffic drops, while the tunnel remains up.
>>> > > >>>
>>> > > >>> And it continues to flow after 15 to 20 time out but again it starts dropping. I am sure that there is no issue at physical layer.
>>> > > >>>
>>> > > >>> Has anybody faced it yet??
>>> > > >>>
>>> > > >>> Please reply ASAP.
>>> > > >>>
>>> > > >>> Thanks in adv
>>> > > >>>
>>> > > >>> regards
>>> > > >>> Muhammad Fahad Khan
>>> > > >>
>>> > > >> --
>>> > > >> Best Regards!
>>> > > >>
>>> > > >> Ivan Ivanov

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
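
The anti-replay behaviour the thread ends on, as an added example (not code from the posters or from Juniper): a sliding-window check over ESP sequence numbers in the style of RFC 4303, fed a constructed arrival order in which packets of one SA take parallel paths with different delays. The 64-packet window, the `arrival_order` delay model and every number in it are assumptions for illustration, not SRX internals.

```python
from collections import Counter

class ReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers (RFC 4303 style)."""

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0                      # highest sequence number accepted
        self.bitmap = 0                   # bit i set => (top - i) already seen

    def check(self, seq):
        if seq < 1:                       # ESP sequence numbers start at 1
            return "invalid"
        if seq > self.top:                # new right edge: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & self.mask
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:           # left of the window: dropped
            return "too_old"
        if (self.bitmap >> offset) & 1:   # already marked: true duplicate
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"

def arrival_order(n_packets, n_paths, skew):
    """Constructed model: packet s uses path s % n_paths, and path p delivers
    skew * p packet-slots late. Returns sequence numbers in arrival order."""
    return sorted(range(1, n_packets + 1),
                  key=lambda s: (s + skew * (s % n_paths), s))

def receive(order, size=64):
    """Run an arrival order through the window and tally the verdicts."""
    win = ReplayWindow(size)
    return Counter(win.check(s) for s in order)

if __name__ == "__main__":
    print("1 path            ", dict(receive(arrival_order(1000, 1, 100))))
    print("4 paths, skew 10  ", dict(receive(arrival_order(1000, 4, 10))))
    print("4 paths, skew 100 ", dict(receive(arrival_order(1000, 4, 100))))
    print("same, window 512  ", dict(receive(arrival_order(1000, 4, 100), 512)))
    print("true duplicate    ", dict(receive([1, 2, 3, 2])))
```

In the skew-100 case every rejected packet is `too_old` and none is `replay`: the window is discarding genuine packets that arrived late, so loss follows reordering rather than traffic volume. A wider window accepts the same stream while a real duplicate is still rejected, which switching the check off would not do.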