See if this article helps you (juniper login required) http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&smlogin=true
On Tue, May 28, 2013 at 2:41 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 05/27/2013 03:45 PM, OBrien, Will wrote:
>
>> Are you using any alg?
>
> Ah ha... thanks for the nudge. The ALG settings are SRX-defaults:
>
> admin@srx-eval> show security alg status
> ALG Status :
> DNS : Enabled
> FTP : Enabled
> H323 : Disabled
> MGCP : Disabled
> MSRPC : Enabled
> PPTP : Enabled
> RSH : Enabled
> RTSP : Disabled
> SCCP : Disabled
> SIP : Disabled
> SQL : Enabled
> SUNRPC : Enabled
> TALK : Enabled
> TFTP : Enabled
> IKE-ESP : Disabled
>
> Disabling the DNS ALG significantly reduces the rate of counter increments. Presumably the other traffic is other, less-used ALGs.
>
> So, the ALG(s) are suspect.
>
> That said, I can't believe the firewall was *actually* dropping 1500pps of DNS traffic; we'd have widespread problems reported, surely. So, it seems that maybe ALG-processed traffic is being counted under "packets dropped" for "show security flow statistics"?
>
> A brief test from a linux box behind the firewall shows it can do glibc-style getaddrinfo() calls (A and AAAA lookup from same UDP socket back-to-back) and both requests and replies are forwarded with the ALG enabled, so I'm disinclined to believe it's *actually* dropping.
>
> Does it seem reasonable that the counter is in error?

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
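The back-to-back A/AAAA test Phil describes, written out as an added example (not code from the thread): two DNS queries are sent from one UDP socket before either reply is read, then replies are matched by transaction ID so a silently dropped one shows up as "no reply". The resolver address and query name are assumptions; the response bytes in the test are constructed.

```python
"""Probe whether a firewall's DNS ALG drops back-to-back A and AAAA queries
sent from one UDP socket, the pattern glibc getaddrinfo() produces."""
import secrets
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}


def build_query(name, qtype, txid):
    """Build a minimal DNS query: header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(pkt):
    """Return (txid, rcode, answer_count) from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return txid, flags & 0x000F, an


def probe(resolver, name, timeout=2.0):
    """Send A then AAAA without waiting in between, then collect replies.
    Returns {"A": status, "AAAA": status}; a missing reply stays "no reply"."""
    base = secrets.randbelow(65536)
    pending = {(base + i) & 0xFFFF: qt for i, qt in enumerate(("A", "AAAA"))}
    result = {qt: "no reply" for qt in pending.values()}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for txid, qt in pending.items():  # both requests before any read
            s.sendto(build_query(name, qt, txid), (resolver, 53))
        try:
            while pending:
                pkt, _ = s.recvfrom(4096)
                txid, rcode, an = parse_header(pkt)
                qt = pending.pop(txid, None)  # ignore unrelated datagrams
                if qt is not None:
                    result[qt] = f"answered ({an} records)" if rcode == 0 else f"rcode {rcode}"
        except socket.timeout:
            pass  # whatever is still pending was dropped or never answered
    return result


if __name__ == "__main__":
    # Assumed resolver and name; run once with the ALG on and once with it off.
    print(probe("192.0.2.53", "example.com"))
```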