SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Performance degradation

    Posted 03-22-2021 11:40

    Hi, everyone

    I have an SRX240 in cluster mode with two IPsec tunnels, filter-based forwarding, some stateless firewall rules, three VLANs, a few zones and policies. Nothing resource intensive, I think.

    Everything was fine, but today I was bombarded with messages like this

    RT_FLOW: FLOW_REASSEMBLE_SUCCEED: Packet merged source <here public ip of my ipsec endpoint> destination <public ip of srx240>  ipid 42988 succeed

    The speed of the Internet and of traffic via the IPsec tunnels dropped. Traceroute from the local network shows 50-60% loss on the SRX240.

    Here is the output of the chassis metrics

    {primary:node0}[edit]
    # run show chassis routing-engine    
    node0:
    --------------------------------------------------------------------------
    Routing Engine status:
        Temperature                 41 degrees C / 105 degrees F
        CPU temperature             39 degrees C / 102 degrees F
        Total memory              1024 MB Max   727 MB used ( 71 percent)
          Control plane memory     544 MB Max   403 MB used ( 74 percent)
          Data plane memory        480 MB Max   326 MB used ( 68 percent)
        CPU utilization:
          User                      14 percent
          Background                 0 percent
          Kernel                    26 percent
          Interrupt                  0 percent
          Idle                      60 percent
        Model                          RE-SRX240H
        Serial ID                      AABP9504
        Start time                     2021-03-22 14:03:39 UTC
        Uptime                         1 hour, 13 minutes, 13 seconds
        Last reboot reason             0x20:power-button soft power off
        Load averages:                 1 minute   5 minute  15 minute
                                           0.64       0.75       0.73
    
    {primary:node0}[edit]
    # run show chassis forwarding        
    node0:
    --------------------------------------------------------------------------
    FWDD status:
      State                                 Online    
      Microkernel CPU utilization        13 percent
      Real-time threads CPU utilization  11 percent
      Heap utilization                   68 percent
      Buffer utilization                  1 percent
      Uptime:                               1 hour, 10 minutes, 49 seconds
    


    Security flow settings

    # show security flow                              
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }
    tcp-session {
        no-sequence-check;
    }
    


    Can someone tell me where to dig in this situation?

    Thanks.



  • 2.  RE: Performance degradation

    Posted 04-02-2021 13:35
    Hello, 

    The log "RT_FLOW: FLOW_REASSEMBLE_SUCCEED" indicates that the packet fragments have been reassembled at the SRX. I would suggest you check whether PFE High CPU is seen, due to which you are facing sluggish performance.

    Also, I don't understand the part where you mentioned "Packet merged source <here public ip of my ipsec endpoint> destination <public ip of srx240>" - Do you mean both the Source IP and the Destination IP are the SRX's interface IP? Or the Source IP is the st0 IP?

    ------------------------------
    ***Do mark this answer as Solved, if it addresses your issue***

    Regards,
    noob master.
    ------------------------------
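
One way to see which peer the reassembly events come from and how fast they arrive, as an added example that is not part of the thread. The message body matches the log line quoted in the question; the syslog prefix, the host name `srx` and all addresses are constructed assumptions.

```python
import re
from collections import Counter

# Message body as quoted in the question; the "<time> <host>" syslog prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+RT_FLOW: "
    r"FLOW_REASSEMBLE_SUCCEED: Packet merged source (?P<src>\S+) "
    r"destination (?P<dst>\S+)\s+ipid (?P<ipid>\d+) succeed"
)

# Constructed sample log (documentation address ranges, not values from the thread).
MSG = ("{ts} srx RT_FLOW: FLOW_REASSEMBLE_SUCCEED: Packet merged "
       "source {src} destination 203.0.113.1  ipid {ipid} succeed")
SAMPLE = "\n".join([
    MSG.format(ts="Mar 22 15:10:01", src="198.51.100.7", ipid=42988),
    MSG.format(ts="Mar 22 15:10:01", src="198.51.100.7", ipid=42989),
    MSG.format(ts="Mar 22 15:10:02", src="198.51.100.7", ipid=42990),
    MSG.format(ts="Mar 22 15:10:40", src="192.0.2.50", ipid=7),
    MSG.format(ts="Mar 22 15:11:03", src="198.51.100.7", ipid=42991),
    "Mar 22 15:11:04 srx sshd[1234]: constructed unrelated line",
])


def summarize(text):
    """Count reassembly events per (source, destination) pair and per minute."""
    pairs, per_minute, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # not a reassembly message, or a different prefix
            continue
        pairs[(m["src"], m["dst"])] += 1
        per_minute[m["ts"][:-3]] += 1  # drop ":SS" to bucket by minute
    return pairs, per_minute, skipped


if __name__ == "__main__":
    pairs, per_minute, skipped = summarize(SAMPLE)
    for (src, dst), n in pairs.most_common():
        print(f"{n:5d}  {src} -> {dst}")
    for minute, n in sorted(per_minute.items()):
        print(f"{minute}  {n} reassemblies")
    print(f"{skipped} other lines ignored")
```

A single source dominating the count points at one tunnel peer sending fragmented packets, while the per-minute totals show whether the events line up with the period of packet loss.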