On 27/05/2013 10:44, Phil Mayers wrote:
On 05/27/2013 10:41 AM, Pavel Lunin wrote:


22.05.2013 21:01, Phil Mayers wrote:
How can I determine what the dropped packets are, and why they're
being dropped?

"show interfaces extensive" and check out "Flow error statistics
(Packets dropped due to):"

Nothing in there corresponding to the numbers/rates I'm seeing on the
"show security flow statistics"

Another place to look at: "show security screen statistics zone/iface."

As I believe I said, the screens are all disabled.


By way of elaboration:

admin@srx-eval> show security flow statistics | match dropped | refresh 2
---(refreshed at 2013-05-27 11:01:03 BST)---
    Packets dropped: 72232499
    Packets dropped: 142788174
    Packets dropped: 145382728
    Packets dropped: 360403401
---(refreshed at 2013-05-27 11:01:05 BST)---
    Packets dropped: 72232835
    Packets dropped: 142788815
    Packets dropped: 145385883
    Packets dropped: 360407533
---(*more 100%)---[abort]

Note the "total" packets dropped (4th item) claims to be climbing at ~1500pps, on the above sample. At the same time "sh int extensive" for the relevant interfaces says:

    Flow Input statistics :
      Self packets :                     50680
      ICMP packets :                     2950329
      VPN packets :                      0
      Multicast packets :                1228
      Bytes permitted by policy :        13201459013373
      Connections established :          8925850
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        3161441830843
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  18570
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0

...over the *entire* lifetime of the box. So, pretty clearly not enough for 1500pps of denies.

As for the screens:

admin@srx-eval> show security screen statistics zone trust
error: "screen object not found for this zone/interface"

admin@srx-eval> show security screen statistics zone untrust
error: "screen object not found for this zone/interface"
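A small parser, added here as an illustration and not part of the thread, that turns the two refresh frames and the flow error block quoted above into per-counter drop rates, confirms that the fourth "Packets dropped" line is the sum of the other three, and estimates how many seconds of the observed drop rate the lifetime per-reason counters could account for. The sample strings are constructed from the counters in the message; the function names are my own.

```python
import re
from datetime import datetime

# Constructed samples, copied from the counters quoted in the message above.
FLOW_SAMPLE = """\
---(refreshed at 2013-05-27 11:01:03 BST)---
    Packets dropped: 72232499
    Packets dropped: 142788174
    Packets dropped: 145382728
    Packets dropped: 360403401
---(refreshed at 2013-05-27 11:01:05 BST)---
    Packets dropped: 72232835
    Packets dropped: 142788815
    Packets dropped: 145385883
    Packets dropped: 360407533
"""
ERROR_SAMPLE = """\
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      No route present:                  18570
      No zone or NULL zone binding       0
      Policy denied:                     0
"""

REFRESH_RE = re.compile(r"^---\(refreshed at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+\)---$")
DROP_RE = re.compile(r"^\s*Packets dropped:\s+(\d+)$")
REASON_RE = re.compile(r"^\s+(.+?):?\s+(\d+)$")  # reason text, optional colon, counter

def parse_refresh_frames(text):
    """Return [(timestamp, [the 'Packets dropped' counters in that frame]), ...]."""
    frames = []
    for line in text.splitlines():
        m = REFRESH_RE.match(line)
        if m:
            frames.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), []))
        elif frames and (m := DROP_RE.match(line)):
            frames[-1][1].append(int(m.group(1)))
    return frames

def drop_rates(frames):
    """Packets/sec for each counter between the last two refresh frames."""
    (t0, c0), (t1, c1) = frames[-2], frames[-1]
    secs = (t1 - t0).total_seconds()
    return [(b - a) / secs for a, b in zip(c0, c1)]

def parse_flow_errors(text):
    """Map each 'Packets dropped due to' reason to its lifetime counter."""
    reasons, in_block = {}, False
    for line in text.splitlines():
        if "Flow error statistics" in line:
            in_block = True
        elif in_block and (m := REASON_RE.match(line)):
            reasons[m.group(1)] = int(m.group(2))
    return reasons

def seconds_explained(reasons, total_rate):
    """Seconds of the observed total drop rate that the lifetime per-reason
    counters could cover; a tiny value means the drops are counted elsewhere."""
    return sum(reasons.values()) / total_rate
```

Run against the quoted sample, the total counter climbs at 2066 pps while the lifetime flow error counters cover only about nine seconds of that rate, which is the mismatch the message describes.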

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp