Might want to set your tcp-mss. I have always done this for best success.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30687&actp=RSS

Regards
Mike

On 23 August 2016 at 05:42, Jeffrey Nikoletich <je...@xfernet.com> wrote:

> All,
>
> I actually got this figured out. Was due to a bad card. So we are fully
> deployed now. The only issue we seem to be having is very slow file
> transfer speeds from anything behind the SRX.
>
> Before cutting over from an ASA 5550 we were getting speeds uploading to S3
> around 4-8mbps. Now we are getting 150-250kbps. Any ideas? I have checked
> the MTU and also did a MTU ping test all the way up the chain and it all
> looks good. Servers that are outside the firewall have no issues.
>
> Here is my sanitized config. Any help is appreciated:
>
> jeff> show configuration
> version 12.3X48-D30.7;
> system {
>     internet-options {
>         path-mtu-discovery;
> chassis {
>     aggregated-devices {
>         ethernet {
>             device-count 2;
>         }
>     }
> }
> security {
>     alg {
>         dns disable;
>         ftp disable;
>         mgcp disable;
>         msrpc disable;
>         sunrpc disable;
>         sccp disable;
>         talk disable;
>         tftp disable;
>         pptp disable;
>     }
>     flow {
>         tcp-session {
>             no-sequence-check;
>         }
>     }
>     nat {
>         source {
>             pool SourceNAT-pool {
>                 description "SourceNAT pool";
>                 address {
>                     69.X.X.2/32 to 69.X.X.3/32;
>                     69.X.X.60/32 to 69.X.X.62/32;
>                 }
>             }
>             rule-set interface-nat {
>                 from zone LAN;
>                 to zone WAN;
>                 rule rule1 {
>                     match {
>                         source-address 0.0.0.0/0;
>                         destination-address 0.0.0.0/0;
>                     }
>                     then {
>                         source-nat {
>                             pool {
>                                 SourceNAT-pool;
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     policies {
>         from-zone LAN to-zone WAN {
>             policy permit-all {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                     source-identity any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone WAN to-zone LAN {
>             policy allow-xfernet {
>                 match {
>                     source-address XFERNET;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>             policy allow_web {
>                 match {
>                     source-address any;
>                     destination-address VIP_Servers_Internal;
>                     application [ junos-http junos-https http-8080 ];
>                 }
>                 then {
>                     permit;
>                 }
>             }
>             policy permit_icmp_in {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application junos-icmp-all;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone LAN to-zone LAN {
>             policy LAN-to-LAN {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone WAN to-zone junos-host {
>             policy Allow-Management {
>                 match {
>                     source-address XFERNET;
>                     destination-address LOCALHOST;
>                     application [ junos-ssh junos-http junos-https junos-icmp-all ];
>                 }
>                 then {
>                     permit;
>                     log {
>                         session-close;
>                     }
>                 }
>             }
>             policy Deny-All-Else {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     deny;
>                     log {
>                         session-init;
>                     }
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone LAN {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>                 protocols {
>                     all;
>                 }
>             }
>             interfaces {
>                 ae1.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             all;
>                         }
>                         protocols {
>                             all;
>                         }
>                     }
>                 }
>             }
>         }
>         security-zone WAN {
>             host-inbound-traffic {
>                 system-services {
>                     ping;
>                     traceroute;
>                     ssh;
>                     http;
>                     https;
>                     ike;
>                     snmp;
>                 }
>             }
>             interfaces {
>                 ae0.0;
>             }
>         }
>     }
> }
> interfaces {
>     xe-1/0/0 {
>         description WAN-ExternalSW-0303;
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     xe-2/0/0 {
>         description LAN-301-Te0/49;
>         gigether-options {
>             802.3ad ae1;
>         }
>     }
>     xe-4/0/1 {
>         gigether-options {
>             802.3ad ae1;
>         }
>     }
>     xe-5/0/0 {
>         description WAN-ExternalSW-0302;
>         gigether-options {
>             802.3ad ae0;
>         }
>     }
>     ae0 {
>         description WAN;
>         aggregated-ether-options {
>             link-speed 10g;
>         }
>         unit 0 {
>             family inet {
>                 address 69.X.X.2/26;
>             }
>         }
>     }
>     ae1 {
>         aggregated-ether-options {
>             link-speed 10g;
>         }
>         unit 0 {
>             family inet {
>                 address 10.X.X.1/16;
> jeffn>
>
> Regards,
>
> Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
> Xfernet | 1-855-XFERNET Ph 213-201-6080 | http://www.xfernet.net
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
Michael Gehrmann
Senior Network Engineer - Atlassian
m: +61 407 570 658