All,
I actually got this figured out. Was due to a bad card. So we are fully deployed now. The only issue we seem to be having is very slow file transfer speeds from anything behind the SRX. Before cutting over from an ASA 5550 we were getting speeds uploading to S3 around 4-8mbps. Now we are getting 150-250kbps. Any ideas? I have checked the MTU and also did a MTU ping test all the way up the chain and it all looks good. Servers that are outside the firewall have no issues. Here is my sanitized config. Any help is appreciated:

jeff> show configuration
/* Sanitized excerpt of the running configuration (Junos 12.3X48-D30.7 on the SRX
   described above). Several hierarchies are cut short in the post: closing braces
   are missing after internet-options, after nat/source, and inside ae1, so the
   text is not loadable as shown. */
version 12.3X48-D30.7;
system {
    internet-options {
        path-mtu-discovery;
/* NOTE(review): the closing braces for internet-options and system are absent here,
   presumably removed together with the sanitized lines. */
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
security {
    /* Every ALG listed is disabled, so the firewall neither inspects these
       protocols nor opens related sessions on their behalf. */
    alg {
        dns disable;
        ftp disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        sccp disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        tcp-session {
            /* NOTE(review): this turns off TCP sequence-number validation during
               stateful inspection, so segments with out-of-window sequence numbers
               are no longer rejected by the firewall. Confirm it is a deliberate
               trade-off and not a leftover from troubleshooting. */
            no-sequence-check;
        }
    }
    nat {
        source {
            pool SourceNAT-pool {
                description "SourceNAT pool";
                address {
                    69.X.X.2/32 to 69.X.X.3/32;
                    69.X.X.60/32 to 69.X.X.62/32;
                }
            }
            /* All LAN-to-WAN traffic, whatever its source or destination, is
               translated to an address from SourceNAT-pool. */
            rule-set interface-nat {
                from zone LAN;
                to zone WAN;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                SourceNAT-pool;
                            }
                        }
                    }
                }
            }
        }
    /* NOTE(review): the closing brace for nat is absent in the post; any destination
       or static NAT that exposes LAN hosts is therefore not visible in this excerpt. */
    policies {
        /* Egress is unrestricted and carries no log action, so outbound sessions
           are not recorded by policy logging. */
        from-zone LAN to-zone WAN {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone WAN to-zone LAN {
            /* NOTE(review): any application from address-book entry XFERNET to any
               LAN destination. The address-book definition is not part of this
               excerpt - verify how wide that prefix is. */
            policy allow-xfernet {
                match {
                    source-address XFERNET;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow_web {
                match {
                    source-address any;
                    destination-address VIP_Servers_Internal;
                    application [ junos-http junos-https http-8080 ];
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): permits every ICMP type from any WAN source to any LAN
               destination, without logging. Confirm this breadth is intended. */
            policy permit_icmp_in {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone LAN {
            policy LAN-to-LAN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Traffic addressed to the firewall itself from the WAN zone: management
           from XFERNET is permitted and logged at session close, everything else
           is denied and logged at session start. */
        from-zone WAN to-zone junos-host {
            /* NOTE(review): junos-http allows cleartext web management across the
               WAN side; if the HTTP web-management service is enabled (system
               services are not shown), credentials would cross unencrypted.
               SSH and HTTPS alone avoid that. */
            policy Allow-Management {
                match {
                    source-address XFERNET;
                    destination-address LOCALHOST;
                    application [ junos-ssh junos-http junos-https junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy Deny-All-Else {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        /* NOTE(review): every host-inbound service and protocol is accepted from the
           LAN zone, at both zone and interface level, and no LAN-to-junos-host
           policy appears in this excerpt to narrow it. */
        security-zone LAN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ae1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        /* NOTE(review): http and snmp are listed as host-inbound services on the
           Internet-facing zone. The WAN-to-junos-host policy above only permits
           ssh/http/https/icmp from XFERNET, so snmp and ike presumably never match
           a permit - verify, and trim this list to what is actually needed. */
        security-zone WAN {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    ssh;
                    http;
                    https;
                    ike;
                    snmp;
                }
            }
            interfaces {
                ae0.0;
            }
        }
    }
}
interfaces {
    xe-1/0/0 {
        description WAN-ExternalSW-0303;
        gigether-options {
            802.3ad ae0;
        }
    }
    xe-2/0/0 {
        description LAN-301-Te0/49;
        gigether-options {
            802.3ad ae1;
        }
    }
    xe-4/0/1 {
        gigether-options {
            802.3ad ae1;
        }
    }
    xe-5/0/0 {
        description WAN-ExternalSW-0302;
        gigether-options {
            802.3ad ae0;
        }
    }
    /* ae0 bundles xe-1/0/0 and xe-5/0/0 and is the WAN-zone interface. */
    ae0 {
        description WAN;
        aggregated-ether-options {
            link-speed 10g;
        }
        unit 0 {
            family inet {
                address 69.X.X.2/26;
            }
        }
    }
    /* ae1 bundles xe-2/0/0 and xe-4/0/1 and is the LAN-zone interface; the post
       cuts the output off inside this stanza. */
    ae1 {
        aggregated-ether-options {
            link-speed 10g;
        }
        unit 0 {
            family inet {
                address 10.X.X.1/16;
jeffn>

Regards, Jeffrey Nikoletich - Chief Information Officer | 213-201-6080 Xfernet | 1-855-XFERNETPh 213-201-6080 | http://www.xfernet.net
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp