SRX


SRX 240 great amount of ICMP

  • 1.  SRX 240 great amount of ICMP

    Posted 02-12-2019 04:18

    Hello, forum! Please help me find the source of an ICMP flood that uses a lot of CPU. The count of flow sessions and the traffic on the interfaces are unchanged. First topic with diagnostics: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-240-CPU-THRESHOLD-EXCEEDED/m-p/458653#M52327

     

    show pfe statistics ip icmp | refresh 20
    ---(refreshed at 2019-02-12 16:05:28 MSK)---
    ICMP Statistics:
    3347958 requests
    0 network unreachables
    52826 ttl expired
    0 ttl captured
    1873 redirects
    9 mtu exceeded
    0 icmp/option handoffs

    ICMP Errors:
    0 unknown unreachables
    0 unsupported ICMP type
    0 unprocessed redirects
    0 invalid ICMP type
    0 invalid protocol
    0 bad input interface
    3293250 throttled icmps
    0 runts

    ICMP Discards:
    0 multicasts
    0 bad source addresses
    0 bad dest addresses
    0 IP fragments
    0 ICMP errors
    ---(refreshed at 2019-02-12 16:05:48 MSK)---
    ICMP Statistics:
    3392791 requests
    0 network unreachables
    53530 ttl expired
    0 ttl captured
    1897 redirects
    9 mtu exceeded
    0 icmp/option handoffs

    ICMP Errors:
    0 unknown unreachables
    0 unsupported ICMP type
    0 unprocessed redirects
    0 invalid ICMP type
    0 invalid protocol
    0 bad input interface
    3337355 throttled icmps
    0 runts

    ICMP Discards:
    0 multicasts
    0 bad source addresses
    0 bad dest addresses
    0 IP fragments
    0 ICMP errors
    ---(refreshed at 2019-02-12 16:06:08 MSK)---
    ICMP Statistics:
    3437591 requests
    0 network unreachables
    54237 ttl expired
    0 ttl captured
    1921 redirects
    9 mtu exceeded
    0 icmp/option handoffs

    ICMP Errors:
    0 unknown unreachables
    0 unsupported ICMP type
    0 unprocessed redirects
    0 invalid ICMP type
    0 invalid protocol
    0 bad input interface
    3381424 throttled icmps
    0 runts

    ICMP Discards:
    0 multicasts
    0 bad source addresses
    0 bad dest addresses
    0 IP fragments
    0 ICMP errors
    ---(*more 100%)---[abort]



  • 2.  RE: SRX 240 great amount of ICMP
    Best Answer

    Posted 02-12-2019 05:30

    You may apply a firewall filter to identify the IPs which are sending ICMP packets to the SRX, or do external packet captures.

    set firewall family inet filter ICMP term 1 from protocol icmp
    set firewall family inet filter ICMP term 1 then count ICMP
    set firewall family inet filter ICMP term 1 then syslog
    set firewall family inet filter ICMP term 1 then accept
    set firewall family inet filter ICMP term 2 then accept

    set system syslog file ICMP firewall any
    set interfaces lo0.0 family inet filter input ICMP

    Check the counter for the hit count and the syslog file for the IPs. Once the IPs are identified, roll back the configuration.
    show firewall filter ICMP
    show log ICMP
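
One way to rank the senders once `show log ICMP` has entries, as an added example that is not part of the original answer. It assumes the firewall-filter log layout `FW: <interface> <action> icmp <source> <destination> <type> <code> (<n> packets)`; the function name, hostname, and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of a Junos firewall-filter syslog entry for ICMP:
#   ... FW: <interface> <action> icmp <src> <dst> <icmp-type> <icmp-code> (<n> packets)
FW_LINE = re.compile(
    r"FW:\s+(?P<ifname>\S+)\s+(?P<action>[A-Z])\s+icmp\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<type>\d+)\s+(?P<code>\d+)"
    r"\s+\((?P<count>\d+)\s+packets?\)"
)

# Constructed sample input (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
Feb 12 16:05:28 srx240 PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 A icmp 192.0.2.10 198.51.100.1 8 0 (1 packets)
Feb 12 16:05:28 srx240 PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 A icmp 192.0.2.10 198.51.100.1 8 0 (4 packets)
Feb 12 16:05:29 srx240 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 A icmp 203.0.113.7 198.51.100.1 8 0 (1 packets)
Feb 12 16:05:29 srx240 PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 A icmp 192.0.2.10 198.51.100.1 11 0 (2 packets)
Feb 12 16:05:30 srx240 last message repeated 2 times
"""


def top_icmp_sources(log_text, limit=5):
    """Return [((source_ip, icmp_type), packets), ...], highest packet count first."""
    totals = Counter()
    for line in log_text.splitlines():
        m = FW_LINE.search(line)
        if m is None:
            continue  # not a firewall-filter ICMP entry, skip it
        # Sum the per-entry packet count rather than counting lines:
        # one log entry can stand for several packets.
        totals[(m["src"], int(m["type"]))] += int(m["count"])
    return totals.most_common(limit)


if __name__ == "__main__":
    for (src, icmp_type), packets in top_icmp_sources(SAMPLE_LOG):
        print(f"{src:<15} icmp-type={icmp_type:<3} packets={packets}")
```

Splitting the totals by ICMP type separates echo requests (type 8) from error traffic such as time exceeded (type 11), which helps relate the senders to the `requests` and `ttl expired` counters in the first post.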