Re: [j-nsp] SRX - CPU utilization exceeds
Hi,

Thanks! This is SRX Model: srx220h2 - JUNOS Software Release [12.1X46-D35.1] and traffic is IP not IPSEC. Traffic is IP BGP and route map also configured. Traffic is pushing around 70 to 80 Mbps. Please advise.

On Tue, Sep 19, 2017 at 12:20 AM, Hugo Slabbert wrote:

> On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis wrote:
>
> On 16/09/2017 at 07:48, sameer mughal wrote:
>>
>>> Hi,
>>>
>>> Can anyone please review the logs mentioned below and advise me: is this
>>> issue critical and how can I fix this?
>>>
>>
>> Well, your firewall is alerting that it is regularly out of resources.
>>
>> I would check if it's due to something you do (modifying configuration
>> at this time),
>> or if it's due to external conditions ("attacks" / scan / ..)
>>
>> Depending on that and on the service impact, I would try to simplify
>> configuration, update the software
>> or more probably start to look at upgrading the device since it kind of
>> looks inadequate for your needs.
>>
>> Do you have some external monitoring in place with a graphing system to
>> look after your firewall?
>>
>
> This can even just be throughput based, especially for flow services as
> opposed to just packet-mode forwarding. I've had instances of this from
> e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.
>
> --
> Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E | also on Signal

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX - CPU utilization exceeds
On Mon 2017-Sep-18 10:07:36 +0200, Benoit Plessis wrote:

On 16/09/2017 at 07:48, sameer mughal wrote:

>> Hi,
>>
>> Can anyone please review the logs mentioned below and advise me: is this
>> issue critical and how can I fix this?
>
> Well, your firewall is alerting that it is regularly out of resources.
>
> I would check if it's due to something you do (modifying configuration
> at this time),
> or if it's due to external conditions ("attacks" / scan / ..)
>
> Depending on that and on the service impact, I would try to simplify
> configuration, update the software
> or more probably start to look at upgrading the device since it kind of
> looks inadequate for your needs.
>
> Do you have some external monitoring in place with a graphing system to
> look after your firewall?

This can even just be throughput based, especially for flow services as opposed to just packet-mode forwarding. I've had instances of this from e.g. pushing >50-60 Mbps of IPSEC on SRX100 boxes.

--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal
Re: [j-nsp] Odd issue with logical-system
> Is the correct interface and unit number specified inside the logical-system
> on both sides?

Yes - the issue isn't basic connectivity. I can see the inbound tcp syn on LS1, but it doesn't respond back. I have even deleted every lo0 filter on the router because that's the most obvious reason for dropping packets.

> Have you tried deleting the config, commit full, rollback?

I haven't done a commit full, but I've deleted the LS and added it back in, changed the loopback unit number and changed the BGP source address in LS1, all to no avail.
Re: [j-nsp] Odd issue with logical-system
On Mon, Sep 18, 2017 at 01:12:36PM +, Eric Van Tol wrote:

> > Have you tried enabling BGP traceoptions to see if that logs more useful
> > diagnostics?
>
> Yes, per my first message:
>
> >I also see absolutely nothing when I enable traceoptions on the
> >peer in LS1 and with MX2 attempting to contact LS1
>
> Nothing helpful in those, with all flags enabled, both sides show the same
> thing:
>
> bgp_connect_complete: error connecting to x.x.x.x (Internal AS x): Socket is not connected
>
> Again, I don't even see a TCP SYN being sent in the 'monitor traffic
> interface' output on the only active interface in LS1, as though it's being
> dropped before it even hits the wire.

Is the correct interface and unit number specified inside the logical-system on both sides?

Have you tried deleting the config, commit full, rollback?
Re: [j-nsp] Odd issue with logical-system
> Have you tried enabling BGP traceoptions to see if that logs more useful
> diagnostics?

Yes, per my first message:

>I also see absolutely nothing when I enable traceoptions on the
>peer in LS1 and with MX2 attempting to contact LS1

Nothing helpful in those, with all flags enabled, both sides show the same thing:

bgp_connect_complete: error connecting to x.x.x.x (Internal AS x): Socket is not connected

Again, I don't even see a TCP SYN being sent in the 'monitor traffic interface' output on the only active interface in LS1, as though it's being dropped before it even hits the wire.

-evt
Re: [j-nsp] SRX - CPU utilization exceeds
On 16/09/2017 at 07:48, sameer mughal wrote:

> Hi,
>
> Can anyone please review the logs mentioned below and advise me: is this
> issue critical and how can I fix this?

Well, your firewall is alerting that it is regularly out of resources.

I would check if it's due to something you do (modifying configuration at this time), or if it's due to external conditions ("attacks" / scan / ..)

Depending on that and on the service impact, I would try to simplify configuration, update the software or more probably start to look at upgrading the device since it kind of looks inadequate for your needs.

Do you have some external monitoring in place with a graphing system to look after your firewall?