We've got an SRX 3600 in for testing. It's a simple config - two interfaces, one in untrust and another in trust, and two permit-all policies. No app-firewall, screens or other oddness.

The device is logging a *lot* of dropped packets:

  Flow Statistics Summary:
    System total valid sessions: 111399
    Packets forwarded: 195797361
    Packets dropped: 6129373
    Fragment packets: 807440

...couple of seconds, and:

  Flow Statistics Summary:
    System total valid sessions: 112330
    Packets forwarded: 196037822
    Packets dropped: 6136348
    Fragment packets: 808420

i.e. about 500pps reported dropped. We are getting reports that this is affecting user connectivity on things like chat, gaming and audio/video.

Load is not high, as I understand the capabilities of this platform:

admin@srx-eval> show security monitoring fpc 7
FPC 7
  PIC 0
    CPU utilization          :    9 %
    Memory utilization       :   61 %
    Current flow session     : 24565
    Current flow session IPv4: 23506
    Current flow session IPv6: 1059
    Max flow session         : 409600
    Current CP session       : 129202
    Current CP session   IPv4: 123997
    Current CP session   IPv6: 5205
    Max CP session           : 2359296
Total Session Creation Per Second (for last 96 seconds on average): 1841
IPv4  Session Creation Per Second (for last 96 seconds on average): 1794
IPv6  Session Creation Per Second (for last 96 seconds on average):   47

admin@srx-eval> show security monitoring fpc 9
FPC 9
  PIC 0
    CPU utilization          :   15 %
    Memory utilization       :   57 %
    Current flow session     : 47410
    Current flow session IPv4: 45348
    Current flow session IPv6: 2062
    Max flow session         : 819200
    Current CP session       :    0
    Current CP session   IPv4:    0
    Current CP session   IPv6:    0
    Max CP session           :    0
Total Session Creation Per Second (for last 96 seconds on average): 1841
IPv4  Session Creation Per Second (for last 96 seconds on average): 1795
IPv6  Session Creation Per Second (for last 96 seconds on average):   46

admin@srx-eval> show security monitoring fpc 11
FPC 11
  PIC 0
    CPU utilization          :   14 %
    Memory utilization       :   57 %
    Current flow session     : 48149
    Current flow session IPv4: 46097
    Current flow session IPv6: 2052
    Max flow session         : 819200
    Current CP session       :    0
    Current CP session   IPv4:    0
    Current CP session   IPv6:    0
    Max CP session           :    0
Total Session Creation Per Second (for last 96 seconds on average): 1844
IPv4  Session Creation Per Second (for last 96 seconds on average): 1797
IPv6  Session Creation Per Second (for last 96 seconds on average):   46


How can I determine what the dropped packets are, and why they're being dropped?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
