SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPsec tunnel bandwidth issue

    Posted 03-09-2011 08:49

    Hi guys,

    having a weird issue here. Have a remote site with an internet connection of 100m and run an IPsec tunnel through this from the SRX240.

     

    Users are complaining about poor response times to internal resources which traverse the IPsec tunnel and I have confirmed this using iperf....approx 45kbs

     

    But when users do a bandwidth test on www.speedtest.net they see bandwidths of approx 65mbs download and upload.

     

    Is there any configuration on the IPsec tunnel that I might be missing that is restricting its bandwidth?

     

    Thanks,

     

    Paul


    #vpn


  • 2.  RE: IPsec tunnel bandwidth issue

    Posted 03-09-2011 09:31

    More info:

     

    the SRX240 connects to the internet on reth1:

     

    reth1 shows an MTU of 1500.

     

    the tunnel st0 and st0.0 show an mtu of 9192.

     

    Could this be an issue?

     

    Paul



  • 3.  RE: IPsec tunnel bandwidth issue

    Posted 03-09-2011 10:07

    Juniper docs recommend:

     

    set security flow tcp-mss ipsec-vpn mss 1350

     

    Give that a try on both sides!



  • 4.  RE: IPsec tunnel bandwidth issue

    Posted 03-10-2011 03:33

    OK, thanks for the suggestions, will try that today.

     

    On the SSG side we're seeing TearDrop Attack logs coming from the IPsec tunnel.....could this be due to the fragmentation?

     

    Paul



  • 5.  RE: IPsec tunnel bandwidth issue
    Best Answer

    Posted 03-10-2011 04:55

    Yes, the teardrop attacks are due to the fragmentation.  Once you are set to 1350 on both sides, those should go away; I have seen that happen before!

     

    Take a look at this doc:

     

    http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Route-based_VPN_to_ScreenOS_v13.pdf
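
Why an MSS of 1350 stops the fragmentation discussed in posts 3 to 5, as an added example that is not part of the thread: it computes tunnel-mode ESP packet sizes against the 1500-byte reth1 MTU. The cipher suites and the NAT-T option are assumptions, since the thread does not state the IPsec proposal in use.

```python
# Added example: field sizes are the standard ESP tunnel-mode ones; the cipher
# suites are assumptions, because the thread does not state the proposal.
from dataclasses import dataclass

OUTER_IP = 20        # outer IPv4 header, no options
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
NAT_T_UDP = 8        # UDP encapsulation header when NAT-T is in use
TCP_IP_HEADERS = 40  # inner IPv4 + TCP headers, no options


@dataclass(frozen=True)
class Suite:
    name: str
    block: int  # cipher block size in bytes
    iv: int     # IV bytes carried in every packet
    icv: int    # truncated integrity check value


AES_CBC_SHA1 = Suite("aes-cbc/hmac-sha1-96", 16, 16, 12)
TDES_CBC_SHA1 = Suite("3des-cbc/hmac-sha1-96", 8, 8, 12)


def esp_packet_size(inner_len, suite, nat_t=False):
    """Wire size of one tunnel-mode ESP packet carrying inner_len bytes."""
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // suite.block) * suite.block
    fixed = OUTER_IP + ESP_HEADER + suite.iv + suite.icv
    return fixed + padded + (NAT_T_UDP if nat_t else 0)


def fragments(mss, suite, link_mtu=1500, nat_t=False):
    """True if a full-sized TCP segment with this MSS exceeds the link MTU."""
    return esp_packet_size(mss + TCP_IP_HEADERS, suite, nat_t) > link_mtu


def max_safe_mss(suite, link_mtu=1500, nat_t=False):
    """Largest MSS whose encrypted packet still fits in link_mtu."""
    mss = link_mtu - TCP_IP_HEADERS
    while fragments(mss, suite, link_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for suite in (AES_CBC_SHA1, TDES_CBC_SHA1):
        for nat_t in (False, True):
            print(suite.name, "nat-t" if nat_t else "plain",
                  "| mss 1460:", esp_packet_size(1500, suite, nat_t),
                  "| mss 1350:", esp_packet_size(1390, suite, nat_t),
                  "| max safe mss:", max_safe_mss(suite, nat_t=nat_t))
```

Under these assumptions a default 1460-byte MSS yields ESP packets larger than 1500 bytes that must be fragmented on reth1, while 1350 leaves headroom for every suite shown.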

     

     



  • 6.  RE: IPsec tunnel bandwidth issue

    Posted 03-10-2011 06:22

    Hi there again,

    that seems to have improved things a bit, however from a "show log kmd" we're seeing this error repeatedly;

     

    Mar  9 17:46:43 KMD_INTERNAL_ERROR: iked_del_ha_blob: Error deleting blob with type = phase1, tunnel id d57aa812.  Error: No such file or directory

     

    Any ideas what this means?

     

    Paul



  • 7.  RE: IPsec tunnel bandwidth issue

    Posted 03-11-2011 05:24

    I don't see that error in any of the dozen SRX tunnels I have set up across various platforms/Junos releases.  Somebody else will have to chime in, or post relevant config snips!



  • 8.  RE: IPsec tunnel bandwidth issue

    Posted 03-11-2011 06:17

    Before looking further into that error, I'd make sure you're on a stable version of code, which right now appears to be 10.2r3, with 10.3r3 a possible contender.

     



  • 9.  RE: IPsec tunnel bandwidth issue

    Posted 04-14-2011 02:30

    Hi all,

     

    I'm having the same issue on an HA cluster SRX210b series.

     

    Has someone got this fixed?

     

    Thanks

     

    Sergio



  • 10.  RE: IPsec tunnel bandwidth issue

    Posted 04-14-2011 02:57

    I forgot to say the Junos version, which is 10.2R3.10.

     

    We have already tried to delete all IKE and IPsec config, restarted ipsec-key-management, committed, and reconfigured the VPN, but we get the same error in the kmd log and no IKE security association.

     

    Thanks

     

     

    Sergio