SRX

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

Dynamic VPN Slow Speed into LAN

  • 1.  Dynamic VPN Slow Speed into LAN

    Posted 07-03-2020 06:12

    I've been using the dynamic VPN feature on my SRX a lot, but more for surfing the internet and less for accessing internal resources. I needed to transfer a 20GB file to my Synology and noticed it was only transferring between 2 and 4Mbps. When using the VPN to browse the internet, split tunneling is not used and all traffic travels back to the SRX and then is NAT'd and sent out the untrusted-zone. I can max out the connection speed when doing a speedtest.net test, but cannot get higher than 4Mbps when doing an iperf3 test end-to-end. Originally, I thought this was due to packet fragmentation so I lowered the TCP mss using "set security flow tcp-mss ipsec-vpn mss 1200" and that made no difference. When I'm home and inside the LAN, without the VPN enabled of course, iperf3 speeds on WiFi are a little over 600Mbps, which is great. I've removed the policer PROTECT-RE, but no change. Maybe I'm overlooking something, but I cannot understand why I'm seeing slow speeds when connected over VPN.

     

    Model: SRX300
    Junos: 18.4R3-S2
    Configurations: HERE

    JUNOS Software Release [18.4R3-S2]

    SRX WAN: 1Gbps UP/DOWN

     

    Remote Device: HP Laptop
    OS: Windows 10 Home
    WAN: 500Mbps UP/DOWN
    Wireless Speed: 300Mbps UP/DOWN



  • 2.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-06-2020 00:33

    Hello,

     

    Please correct me if I'm wrong.

     

    1. You are trying to transfer a file to your Internal server behind the SRX via Dynamic VPN and you are facing slowness.
    2. Your normal Internet traffic is going via SRX, getting translated and then exiting out and you are not facing any slowness.

    Unfortunately, I'm unable to view/download the configuration so, could you please lower the encryption level used in the Dynamic VPN and try once? If it's already lower, please ignore this suggestion.

     

    I checked the Data Sheet of SRX300 and it looks like the IPSec throughput for IMIX traffic is 100 Mbps but it is tested with UDP traffic and not TCP.

     

    Besides, could you check whether High RE CPU, High PFE CPU are observed while transferring the data? Also, let me know how many VPNs are currently configured on this SRX.

     

    user@host> show chassis routing-engine

    user@host> show security monitoring performance spu



  • 3.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-07-2020 19:59

    Hi,

     

    You're correct on both of your statements.  I did attach the configurations in the orginial post, but as a hyperlink.  My configurations can be found by visiting https://pastebin.com/bmKjdc1S.  I've configured the dynamic VPN using https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html and when connected I see AES-128/SHA1.  When transfering a file, I do not see any messages stating high utilization.  I know the message you're speaking of, because I see it early in the morning when sending backups to my Google Drive.  My configuration allows one dynamic VPN user.  Thanks for your reply!



  • 4.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-08-2020 00:03

    Hello,

     

    If it is showing AES-128/SHA1 then you are using proposal-set with standard option. So, for the purpose of testing is it possible to make the below change?

     

    set security ike policy ike-dyn-vpn-policy proposal-set basic
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set basic

    This change is only for the purpose of testing. If the issue persists even after making this change, then rollback to previous one.

     

    basic—Includes a basic set of two IKE proposals:

    • Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

    • Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.



  • 5.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-08-2020 05:02

    Hi,

     

    I tried your suggested change, but it had no positive impact. I failed to mention something that may be important.  The speed is only slow when transfering a file to the server.  When downloading a file from the server to the client, the speed is roughly 160Mbps, which is more than acceptable.  

     

    Juniper-SRX300> show security ipsec security-associations
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <67108868 ESP:des/sha1 666c2613 3398/ 483950 - root 13858 *REMOVED*
    >67108868 ESP:des/sha1 529d6757 3398/ 483950 - root 13858 *REMOVED*



  • 6.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-08-2020 19:58

    Hi,

     

    Thank you for the input.

     

    1. Can you please try the recommended Pulse secure version from the following article - https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17441&act=login
    2. Even after installing the above Pulse version if you face the slowness, please collect the below command outputs while transferring the files to the server.
      • user@host> show security flow session summary
      • user@host> show chassis routing-engine
      • user@host> show security monitoring performance spu
      • user@host> show security monitoring performance session
      • user@host> show interfaces <wan-interface> extensive
      • user@host> request pfe execute target fwdd command "show arena"


  • 7.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-09-2020 05:04

    I will perform these commands tomorrow and post the outputs.



  • 8.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 05:45

    I'm running the current recommended version 9.1.2 (1149).  Please see below the requested command outputs below.

     

    Juniper-SRX300> show chassis routing-engine 
    Routing Engine status:
        Temperature                 39 degrees C / 102 degrees F
        CPU temperature             53 degrees C / 127 degrees F
        Total memory              4096 MB Max  1188 MB used ( 29 percent)
          Control plane memory    2400 MB Max   792 MB used ( 33 percent)
          Data plane memory       1696 MB Max   390 MB used ( 23 percent)
        5 sec CPU utilization:
          User                      12 percent
          Background                 0 percent
          Kernel                     6 percent
          Interrupt                  0 percent
          Idle                      83 percent
        Model                          RE-SRX300
        Serial ID                      CV4117AF1129
        Start time                     2020-07-02 23:18:37 CDT                                        
        Uptime                         7 days, 8 hours, 21 minutes, 34 seconds
        Last reboot reason             0x200:normal shutdown
        Load averages:                 1 minute   5 minute  15 minute
                                           0.30       0.25       0.18
    
    Juniper-SRX300> show security monitoring performance spu 
    fpc  0  pic  0
    Last 60 seconds:
      0:    1    1:   1    2:    1    3:    1    4:    1    5:    1
      6:    2    7:   2    8:    2    9:    1   10:    1   11:    1
     12:    1   13:   2   14:    2   15:    3   16:    2   17:    1
     18:    1   19:   1   20:    1   21:    1   22:    1   23:    3
     24:    2   25:   1   26:    1   27:    2   28:    1   29:    1
     30:    1   31:   1   32:    1   33:    1   34:    2   35:    2
     36:    2   37:   1   38:    1   39:    1   40:    1   41:    1
     42:    2   43:   1   44:    1   45:    2   46:    2   47:    2
     48:    1   49:   1   50:    1   51:    2   52:    2   53:    2
     54:    1   55:   1   56:    1   57:    1   58:    2   59:    2
    
    Juniper-SRX300> show security monitoring performance session 
    fpc  0  pic  0
    Last 60 seconds:
     0:     288   1:     275   2:     273   3:     270   4:     273   5:     271
     6:     271   7:     267   8:     274   9:     273  10:     275  11:     271
    12:     274  13:     272  14:     273  15:     266  16:     268  17:     279
    18:     278  19:     283  20:     280  21:     277  22:     268  23:     275
    24:     275  25:     278  26:     271  27:     275  28:     274  29:     277
    30:     271  31:     274  32:     277  33:     275  34:     274  35:     270
    36:     280  37:     279  38:     277  39:     271  40:     273  41:     270
    42:     276  43:     274  44:     276  45:     277  46:     275  47:     278
    48:     275  49:     275  50:     273  51:     278  52:     273  53:     272
    54:     264  55:     272  56:     271  57:     271  58:     268  59:     280
    
    Juniper-SRX300> show interfaces ge-0/0/0 extensive 
    Physical interface: ge-0/0/0, Enabled, Physical link is Up
      Interface index: 139, SNMP ifIndex: 511, Generation: 142
      Description: To AT&T Gateway
      Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      Link flags     : None
      CoS queues     : 8 supported, 8 maximum usable queues
      Hold-times     : Up 0 ms, Down 0 ms
      Current address: d0:07:ca:62:45:80, Hardware address: d0:07:ca:62:45:80
      Last flapped   : 2020-07-02 23:25:33 CDT (1w0d 08:15 ago)
      Statistics last cleared: 2020-07-10 07:38:27 CDT (00:02:17 ago)
      Traffic statistics:
       Input  bytes  :             71259535              2461032 bps
       Output bytes  :            112765779               184704 bps
       Input  packets:                63135                  260 pps
       Output packets:               100385                  210 pps
      Dropped traffic statistics due to STP State:
       Input  bytes  :                    0
       Output bytes  :                    0
       Input  packets:                    0
       Output packets:                    0
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 274, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0,
        Resource errors: 0
      Output errors:
        Carrier transitions: 0, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
      Egress queues: 8 supported, 4 in use
      Queue counters:       Queued packets  Transmitted packets      Dropped packets
                                           
        0                            99406                99406                    0
        1                                0                    0                    0
        2                                0                    0                    0
        3                              206                  206                    0
      Queue number:         Mapped forwarding classes
        0                   best-effort
        1                   expedited-forwarding
        2                   assured-forwarding
        3                   network-control
      Active alarms  : None
      Active defects : None
      PCS statistics                      Seconds
        Bit errors                             0
        Errored blocks                         0
      Ethernet FEC statistics              Errors
        FEC Corrected Errors                    0
        FEC Uncorrected Errors                  0
        FEC Corrected Errors Rate               0
        FEC Uncorrected Errors Rate             0
      MAC statistics:                      Receive         Transmit
        Total octets                      72164055        114458150
        Total packets                        63220           100093
        Unicast packets                      62542           100093
        Broadcast packets                      531                0
        Multicast packets                      147                0
        CRC/Align errors                         0                0
        FIFO errors                              0                0
        MAC control frames                       0                0
        MAC pause frames                         0                0
        Oversized frames                         0                                   
        Jabber frames                            0
        Fragment frames                          0
        VLAN tagged frames                       0
        Code violations                          0
      Filter statistics:
        Input packet count                       0
        Input packet rejects                     0
        Input DA rejects                         0
        Input SA rejects                         0
        Output packet count                                       0
        Output packet pad count                                   0
        Output packet error count                                 0
        CAM destination filters: 2, CAM source filters: 0
      Autonegotiation information:
        Negotiation status: Complete                                    
        Link partner:
            Link mode: Full-duplex, Flow control: None, Remote fault: OK
        Local resolution:
            Flow control: None, Remote fault: Link OK
      Packet Forwarding Engine configuration:
        Destination slot: 0
      CoS information:
        Direction : Output
        CoS transmit queue               Bandwidth               Buffer Priority   Limit
                                  %            bps     %           usec
        0 best-effort            95      950000000    95              0      low    none
        3 network-control         5       50000000     5              0      low    none
      Interface transmit statistics: Disabled
      MACSec statistics:                                    
        Output
            Secure Channel Transmitted
            Protected Packets               : 0
            Encrypted Packets               : 0
            Protected Bytes                 : 0
            Encrypted Bytes                 : 0
         Input
            Secure Channel Received
            Accepted Packets                : 0
            Validated Bytes                 : 0
            Decrypted Bytes                 : 0
    
      Logical interface ge-0/0/0.0 (Index 79) (SNMP ifIndex 514) (Generation 144)
        Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
        Traffic statistics:                                   
         Input  bytes  :             71259835
         Output bytes  :            112764255
         Input  packets:                63142
         Output packets:               100399
        Local statistics:
         Input  bytes  :                30903
         Output bytes  :                16665
         Input  packets:                  493
         Output packets:                  119
        Transit statistics:
         Input  bytes  :             71228932              2457928 bps
         Output bytes  :            112747590               182064 bps
         Input  packets:                62649                  256 pps
         Output packets:               100280                  208 pps
        Security: Zone: untrust                                    
        Allowed host-inbound traffic : dhcp https ike
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     95
          ICMP packets :                     24
          VPN packets :                      59238
          Multicast packets :                4
          Bytes permitted by policy :        68680921
          Connections established :          579 
        Flow Output statistics: 
          Multicast packets :                0
          Bytes permitted by policy :        110145732 
        Flow error statistics (Packets dropped due to): 
          Address spoofing:                  0
          Authentication failed:             0                                  
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0 
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0       
          No minor session:                  0 
          No more sessions:                  0
          No NAT gate:                       0 
          No route present:                  4 
          No SA for incoming SPI:            0 
          No tunnel found:                   0
          No session for a gate:             0 
          No zone or NULL zone binding       0
          Policy denied:                     0                                  
          Security association not active:   0 
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1500
        Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 1, Curr new hold cnt: 0, NH drop cnt: 0
        Generation: 157, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Input Filters: BLOCKED-IPs
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: REMOVED/22, Local: REMOVED, Broadcast: REMOVED, Generation: 158
    
    Juniper-SRX300> request pfe execute target fwdd command "show arena" 
    ================ master ================
    SENT: Ukern command: show arena
    
    ID        Base      Total(b)       Free(b)       Used(b)   %   Name
    --  ----------  ------------  ------------  ------------  ---  ----
     0    6433bc00     130023420          7216     130016204   99  jsf shm arena
     1    6433bfa8       2088956       2017672         71284    3  global cntl SHM
     2    64539fc0     127926268      56641968      71284300   55  global data SHM
     3    64552e88        262140        259488          2652    1  Services control arena
     4     b8d49d0       2097148       2096224           924    0  IDP Arena
     5     c447300      67108860      52491592      14617268   21  jdpi arena

     



  • 9.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 07:37

    Could it be that the upload speed of your Internet connection (where you VPNing from) is slow?

     

    When your VPNed to your home SRX and download a file from the server, the direction of  traffic is from your home to your location so the upload speed of your Internet connection (at home) and download speed of your location are what matters

     

    (you somewhere with VPN) <=======[the Internet]<========== (your SRX)<==========(your fileserver)

    As you can see, the upload speed of your home Internet and download speed of your current location are important

     

    Now if you reverse the scenario where you are uploading file to your home server

    (you somewhere with VPN) =======>[the Internet]==========>(your SRX)==========>(your fileserver)

     

    In this case, it's your upload speed from where you're VPNed that matters most, including the download speed of your home Internet.

     

    Most ISPs provide asynchronous Internet speed with great download speed but terrible upload speed. Your home Internet happens to be the exception since you can download file quite fast even when VPNed



  • 10.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 10:06

    Hzrnbgy - No.  The upload speed is 500Mbps where I'm VPNing from.  Good question though!



  • 11.  RE: Dynamic VPN Slow Speed into LAN
    Best Answer

    Posted 07-10-2020 08:27

    Hi,

     

    Everything seems fine with the SRX. No High RE CPU, No High PFE CPU, Session creation is way low, Memory utilization is normal.

     

    Only thing I can see is policed discards and you already said that you have removed it. Just make sure it doesn't increment.

     

    Apart from this, I can't think about anything that can actually cause slowness in SRX.

     



  • 12.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 10:10

    Hi.

     

    I've tried uploading files to my server using FTP, SMB and NFS.  The upload speed never changes.  I'm working on procuring another machine to test with.  The first link provided doesn't appear to be for me, because I'm not having an issue upgrading from an older PulseSecure verision to the latest 9.1R2 build 1149.  I've reviewed the other link and I did try solution two, but it didn't make a diference.  



  • 13.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 10:55

    Hi,

     

    Thank you for reverting.

     

    Actually, the first link is applicable to everyone who is using Pulse Secure version 9.1R2 build 1149. This build contains the fix which was addressed in the following TSB17441.

     

    However, the users might still face an issue post upgrading to the latest pulse version and the first link is about fixing those issue. So, I would say it's worth trying.



  • 14.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 11:46

    Thanks for your quick reply.  I read the article again and can confirm the verison at both locations on my machine are the same.



  • 15.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 12:13

    Hi,

     

    I think I haven't made myself clear in the previous reply.

     

    Please be informed that even though you are in the latest version of the Pulse in Windows 10 at both the locations, the issue mentioned in the following KB article may occur - https://kb.juniper.net/InfoCenter/index?page=content&id=KB35342&actp=METADATA

     

    I'm not saying that your current issue and the issue mentioned the KB article is similar but I think it would be great if you could carry out those steps in order to rule out this possibility. But it's up to you



  • 16.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 12:39

    I replied before your post and stated both of my versions are the same.  If I'm reading the KB article correctly, if both file locations have the same version number of 9.1.0.1, which mine do, there is nothing for me to do.  Both of my versions are correct.  Maybe I'm not understanding the article correctly?

     

    A. If the driver files are reporting as follows in both locations, then perform the steps below to correct the problem.

       Incorrect version    in "C:\windows\system32\drivers" ---> Correct version for me
       Correct version  in  "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\" ---> Correct version for me

     

     



  • 17.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-10-2020 13:09

    Hello,

     

    Actually, I have interpreted your answer incorrectly. Now I understand what you meant.

     

    Thanks for the elaborate answer.



  • 18.  RE: Dynamic VPN Slow Speed into LAN

    Posted 07-11-2020 20:11

    I'm marking this solved, but it's some what not.  I installed an early copy of Windows 10 in VMware Workstation on the same machine that is having slow upload speeds and the VPN upload speed on the early copy of Windows 10 was over 10Mbps.  There appears to be an issue with a Windows update that was installed recently on my physical Windows 10 machine.  This is not an issue with the Juniper SRX300 or my configurations.  Thanks for the help!