Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Jeffrey Nikoletich
Hello,

This is the version:

JUNOS Software Release [12.3X48-D30.7]

I do not think I am using SOF. Where can I find some reference material to
that?

Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Alexander Arseniev

Hello,

What is the JUNOS version? Are You using Services Offload/SOF?

LAG with SOF is supported from JUNOS 12.1X47-D10.

Thanks
Alex




Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Jeffrey Nikoletich
Thanks. I checked that and it all is clean. No matter what interface of the
AE I disable, the results are the same. If I have both interfaces online in
the AE, the speeds are slow. If I only have 1 in the AE, speeds are normal.

At a little bit of a loss here.

Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net


Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Alexander Arseniev

Hello there,

Looks like You have a dirty optic/bent cable/incompletely plugged-in 
connector in that one.


Check the light levels and PCS errors section in "show interfaces 
extensive xe-x/x/x" printout, it may get You some clues.


HTH
Thx
Alex



Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Jeffrey Nikoletich
So I did some testing with the tcp-mss setting and they did not seem to
help. Oddly enough when I disabled one of the AE interfaces (xe-x/x/x) I
then was able to get ample speeds. Any idea why? Is there a way to have AE
interfaces in an active/passive setup?

Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net


Re: [j-nsp] SRX Deployment Questions

2016-08-23 Thread Jeffrey Nikoletich
What do you guys recommend?

Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net


Re: [j-nsp] SRX Deployment Questions

2016-08-22 Thread Michael Gehrmann
Might want to set your tcp-mss. I have always done this for best success.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30687&actp=RSS

Regards
Mike


Re: [j-nsp] SRX Deployment Questions

2016-08-22 Thread Mehul Gajjar
LACP needs to be configured on L3. Not sure, but not possible to change the hash.

Cheers !!!
Mehul




Re: [j-nsp] SRX Deployment Questions

2016-08-22 Thread Jeffrey Nikoletich
All,

I actually got this figured out. Was due to a bad card. So we are fully
deployed now. The only issue we seem to be having is very slow file
transfer speeds from anything behind the SRX.

Before cutting over from an ASA 5550 we were getting speeds uploading to S3
around 4-8mbps. Now we are getting 150-250kbps. Any ideas? I have checked
the MTU and also did a MTU ping test all the way up the chain and it all
looks good. Servers that are outside the firewall have no issues.

Here is my sanitized config. Any help is appreciated:


jeff> show configuration
version 12.3X48-D30.7;
system {
    internet-options {
        path-mtu-discovery;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
security {
    alg {
        dns disable;
        ftp disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        sccp disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        tcp-session {
            no-sequence-check;
        }
    }
    nat {
        source {
            pool SourceNAT-pool {
                description "SourceNAT pool";
                address {
                    69.X.X.2/32 to 69.X.X.3/32;
                    69.X.X.60/32 to 69.X.X.62/32;
                }
            }
            rule-set interface-nat {
                from zone LAN;
                to zone WAN;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                SourceNAT-pool;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone LAN to-zone WAN {
            policy permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone WAN to-zone LAN {
            policy allow-xfernet {
                match {
                    source-address XFERNET;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow_web {
                match {
                    source-address any;
                    destination-address VIP_Servers_Internal;
                    application [ junos-http junos-https http-8080 ];
                }
                then {
                    permit;
                }
            }
            policy permit_icmp_in {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
        from-zone LAN to-zone LAN {
            policy LAN-to-LAN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone WAN to-zone junos-host {
            policy Allow-Management {
                match {
                    source-address XFERNET;
                    destination-address LOCALHOST;
                    application [ junos-ssh junos-http junos-https junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy Deny-All-Else {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        security-zone LAN {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ae1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        pr

Re: [j-nsp] SRX Deployment Questions

2016-08-22 Thread Payam Chychi
Check your load balancing hash, normally this is by default set to hash
based on layer3/4 dst info, this means that if you are sending all traffic
from one src to the same dst ip/port, it will only hash and bind to one
interface.





-- 
Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer


Re: [j-nsp] SRX Deployment Questions

2016-08-22 Thread Niall Donaghy
The fact that only one interface in the LAG is being used may be to do with
the load-balancing hashing algorithm.
How many SRC and DST IP and port combinations have you with your test
traffic?
If pinging from the same SRC to the same DST each time, perhaps it's
predictably hashing the packets to the same link each time.

Kind regards,
Niall


Re: [j-nsp] SRX Deployment Questions

2016-08-21 Thread Wayne Lee via juniper-nsp
Can you share the interface config and are the switches configured for LACP?








[j-nsp] SRX Deployment Questions

2016-08-17 Thread Jeffrey Nikoletich
Hello,

We have a SRX we are deploying and are having some issues and some
guidance would be great. We have a SRX 3600 and want to deploy in the
following manner:

It is connected via 2 Dell S55 External switches. 1 10G drop per switch.
We will call that subnet 1.1.1.0/24.

On the Internal side. It is connected to 6 x Dell S55 switches. 1 10G drop
per switch. We will call that 10.0.0.0/24.

For the internal, I setup a AE interface that has all 6 x 10G ports in it.
External has an AE interface as well. External is AE0 and internal is AE1.

The issue I am have was it seems that the AE interfaces were only passing
traffic via a single interface? Any reason why?

Also does this setup look "sane" just wanted some feedback as this is our
first SRX deployment.

Thanks in advance.

Regards,

Jeffrey Nikoletich - Chief Information Officer | 213-201-6080
Xfernet | 1-855-XFERNET | Ph 213-201-6080 | http://www.xfernet.net