Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-18 Thread sameer mughal
Hi,

Thanks!

This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1], and the
traffic is IP, not IPSEC. Traffic is IP BGP, and a route map is also configured.
Traffic is pushing around 70 to 80 Mbps.
Please advise.


On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert  wrote:

> On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis 
> wrote:
>
>> On 16/09/2017 at 07:48, sameer mughal wrote:
>>
>>> Hi,
>>>
>>> Can anyone please review the logs mentioned below and advise me: is this
>>> issue critical, and how can I fix it?
>>>
>>
>> Well, your firewall is alerting that it is regularly out of resources.
>>
>> I would check if it's due to something you do (modifying configuration
>> at this time),
>> or if it's due to external conditions ("attacks" / scans / ...).
>>
>> Depending on that and on the service impact, I would try to simplify the
>> configuration, update the software,
>> or more probably start to look at upgrading the device since it kind of
>> looks inadequate for your needs.
>>
>> Do you have some external monitoring in place with a graphing system to
>> look after your firewall?
>>
>
> This can even just be throughput based, especially for flow services as
> opposed to just packet-mode forwarding.  I've had instances of this from
> e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-18 Thread Hugo Slabbert
On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis
wrote:

> On 16/09/2017 at 07:48, sameer mughal wrote:
>
>> Hi,
>>
>> Can anyone please review the logs mentioned below and advise me: is this
>> issue critical, and how can I fix it?
>
> Well, your firewall is alerting that it is regularly out of resources.
>
> I would check if it's due to something you do (modifying configuration
> at this time),
> or if it's due to external conditions ("attacks" / scans / ...).
>
> Depending on that and on the service impact, I would try to simplify the
> configuration, update the software,
> or more probably start to look at upgrading the device since it kind of
> looks inadequate for your needs.
>
> Do you have some external monitoring in place with a graphing system to
> look after your firewall?

This can even just be throughput based, especially for flow services as 
opposed to just packet-mode forwarding.  I've had instances of this from 
e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal



Re: [j-nsp] Odd issue with logical-system

2017-09-18 Thread Eric Van Tol
> Is the correct interface and unit number specified inside the logical-system
> on both sides?  

Yes - the issue isn't basic connectivity. I can see the inbound TCP SYN on LS1,
but it doesn't respond back. I have even deleted every lo0 filter on the router
because that's the most obvious reason for dropping packets.

> Have you tried deleting the config, commit full, rollback?

I haven't done a commit full, but I've deleted the LS and added it back in, 
changed the loopback unit number and changed the BGP source address in LS1, all 
to no avail.


Re: [j-nsp] Odd issue with logical-system

2017-09-18 Thread Chuck Anderson
On Mon, Sep 18, 2017 at 01:12:36PM +, Eric Van Tol wrote:
> > Have you tried enabling BGP traceoptions to see if that logs more useful
> > diagnostics?
> 
> Yes, per my first message:
> 
> >I also see absolutely nothing when I enable traceoptions on the 
> >peer in LS1 and with MX2 attempting to contact LS1
> 
> Nothing helpful in those, with all flags enabled, both sides show the same 
> thing:
> 
> bgp_connect_complete: error connecting to x.x.x.x (Internal AS x): Socket 
> is not connected
> 
> Again, I don't even see a TCP SYN being sent in the 'monitor traffic 
> interface' output on the only active interface in LS1, as though it's being 
> dropped before it even hits the wire.

Is the correct interface and unit number specified inside the logical-system on 
both sides?  Have you tried deleting the config, commit full, rollback?


Re: [j-nsp] Odd issue with logical-system

2017-09-18 Thread Eric Van Tol
> Have you tried enabling BGP traceoptions to see if that logs more useful
> diagnostics?

Yes, per my first message:

>I also see absolutely nothing when I enable traceoptions on the 
>peer in LS1 and with MX2 attempting to contact LS1

Nothing helpful in those, with all flags enabled, both sides show the same 
thing:

bgp_connect_complete: error connecting to x.x.x.x (Internal AS x): Socket 
is not connected

Again, I don't even see a TCP SYN being sent in the 'monitor traffic interface' 
output on the only active interface in LS1, as though it's being dropped before 
it even hits the wire.

-evt


Re: [j-nsp] SRX - CPU utilization exceeds

2017-09-18 Thread Benoit Plessis
On 16/09/2017 at 07:48, sameer mughal wrote:
> Hi,
>
> Can anyone please review the logs mentioned below and advise me: is this
> issue critical, and how can I fix it?

Well, your firewall is alerting that it is regularly out of resources.

I would check if it's due to something you do (modifying configuration
at this time),
or if it's due to external conditions ("attacks" / scans / ...).

Depending on that and on the service impact, I would try to simplify the
configuration, update the software,
or more probably start to look at upgrading the device since it kind of
looks inadequate for your needs.

Do you have some external monitoring in place with a graphing system to
look after your firewall?


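Benoit's suggestion above (check whether the CPU alarms line up with your own configuration changes or with external conditions, and put graphing in place) and Hugo's point earlier in the thread that flow-mode throughput alone can drive this are easy to turn into a first-pass triage. The script below is an added example, not code from the thread or from Juniper. Its syslog-style alarm and commit lines are constructed and simplified rather than the exact SRX message format, the throughput samples are a constructed poller series, and the thresholds (a 2-minute commit window, a 5-minute sample window, 70 Mbps as "high" for a small branch SRX) are assumptions a practitioner would tune to their own box.

```python
"""Triage firewall CPU-utilization alarms against commits and throughput.

Added example (not from the mailing-list thread). Every log line and sample
below is constructed; the message formats are simplified, not exact JUNOS.
"""
import re
from datetime import datetime, timedelta

YEAR = 2017  # syslog lines carry no year; assumed for the constructed data

# "Mon DD HH:MM:SS host process: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$")

# Constructed alarm lines (the alarm text mirrors the thread's subject only).
ALARM_LOG = """\
Sep 16 07:10:02 fw1 alarmd: CPU utilization exceeds threshold (95%)
Sep 16 07:40:11 fw1 alarmd: CPU utilization exceeds threshold (97%)
Sep 16 09:05:30 fw1 alarmd: CPU utilization exceeds threshold (93%)
"""

# Constructed commit-audit line (simplified UI_COMMIT-style message).
COMMIT_LOG = """\
Sep 16 07:09:40 fw1 mgd: UI_COMMIT: User 'admin' requested 'commit' operation
"""

# Constructed 5-minute throughput samples: (timestamp, Mbps through the box).
THROUGHPUT = [
    ("Sep 16 07:35:00", 78.0),
    ("Sep 16 07:40:00", 82.5),
    ("Sep 16 09:05:00", 12.0),
]


def parse_ts(text):
    """Turn a 'Mon DD HH:MM:SS' syslog timestamp into a datetime."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_syslog(text):
    """Return (timestamp, process, message) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append((parse_ts(m.group(1)), m.group(3), m.group(4)))
    return events


def classify_alarms(alarm_text, commit_text, throughput,
                    commit_window=timedelta(minutes=2),
                    sample_window=timedelta(minutes=5),
                    high_mbps=70.0):
    """Label each CPU alarm as config-change, throughput, or unexplained.

    config-change: a commit landed within commit_window before the alarm
                   (Benoit's "something you do" case).
    throughput:    a sample within sample_window is at or above high_mbps
                   (Hugo's flow-mode load case).
    unexplained:   neither; look at session counts, scans, or other external
                   traffic before concluding the box is undersized.
    """
    alarms = [ts for ts, _, msg in parse_syslog(alarm_text)
              if "CPU utilization exceeds" in msg]
    commits = [ts for ts, _, msg in parse_syslog(commit_text)
               if "UI_COMMIT" in msg]
    samples = [(parse_ts(t), mbps) for t, mbps in throughput]

    results = []
    for ts in alarms:
        if any(timedelta(0) <= ts - c <= commit_window for c in commits):
            cause = "config-change"
        else:
            nearby = [mbps for st, mbps in samples if abs(ts - st) <= sample_window]
            cause = "throughput" if nearby and max(nearby) >= high_mbps else "unexplained"
        results.append((ts.strftime("%b %d %H:%M:%S"), cause))
    return results


if __name__ == "__main__":
    for stamp, cause in classify_alarms(ALARM_LOG, COMMIT_LOG, THROUGHPUT):
        print(f"{stamp}  {cause}")
```

Feed it the real alarm lines, the commit audit log and the interface counters your poller already graphs; the one alarm left "unexplained" is the one worth the deeper look, and the split between the other two tells you whether a quieter maintenance window or a bigger box is the answer.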