SRX

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

The link is showing full duplex so this is not the issue to the ISP.

Can you likewise confirm the link to the testing computer is also full duplex to confirm that is good.

Do you get the same speed results from multiple services?  Just on the low chance there is something in the path to this test site that negatively interacts with the SRX configuration routing.

If all that checks out, there is some kind of interaction in the configuration routing or traffic processing at play.  This is odd since the only change is physical location and not configuration but the evidence says there is something wrong.  Since you have so many tunnels routing processes may be interacting with the internet test in some unusual way.

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

Both servers report full duplex:
# dmesg | grep -i duplex -> enp0s20f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
$ cat /sys/class/net/eno1/duplex -> full

Here is the result from an Ookla test running the first customer server from terminal:

 Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    17.98 ms   (jitter: 0.11ms, low: 17.79ms, high: 18.03ms)
    Download:    18.33 Mbps (data used: 24.4 MB)                                                   
                 16.20 ms   (jitter: 14.98ms, low: 9.54ms, high: 267.89ms)
      Upload:    94.04 Mbps (data used: 90.1 MB)                                                   
                 27.52 ms   (jitter: 5.30ms, low: 18.68ms, high: 302.49ms)
Packet Loss:     0.0%

PhoenixNAP has a download test that downloads a 1 GB test file from one of their servers using wget to monitor the speed:

 $ wget -O /dev/null -q --show-progress https://speedash.phoenixnap.com/ash-1gb.test

I ran this test to 3 of their servers scattered across the US and got an average download speed of 4.6 Mbps.

On the second customer server, Ookla returns:

   Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    18.12 ms   (jitter: 4.43ms, low: 13.30ms, high: 27.69ms)
    Download:    17.66 Mbps (data used: 32.8 MB)                                                   
                 79.64 ms   (jitter: 50.14ms, low: 10.44ms, high: 322.75ms)
      Upload:    94.09 Mbps (data used: 90.1 MB)                                                   
                 27.43 ms   (jitter: 2.00ms, low: 21.59ms, high: 41.39ms)
 Packet Loss:     0.0%

I ran the same test to the same 3 servers on this box and got an average download speed of 4.3 Mbps.

I remoted into another customer system who also has a 100 Mbps firewall (SSG-5) and ran the same PhoenixNAP test and got 78 Mbps so I don't think it is a PhoenixNAP issue.

I do not belief the configuration size of the SRX100 is an issue because we got exactly the same results from the production SRX100 with extensive configuration and the backup SRX100 out of the box with factory defaults.

The link is showing full duplex so this is not the issue to the ISP.

Can you likewise confirm the link to the testing computer is also full duplex to confirm that is good.

Do you get the same speed results from multiple services?  Just on the low chance there is something in the path to this test site that negatively interacts with the SRX configuration routing.

If all that checks out, there is some kind of interaction in the configuration routing or traffic processing at play.  This is odd since the only change is physical location and not configuration but the evidence says there is something wrong.  Since you have so many tunnels routing processes may be interacting with the internet test in some unusual way.

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

I missed that the second SRX still had the default configuration.  I had thought you loaded a backup as a hardware check.

This is very puzzling.  As Comcast noted it works with another device so the service itself appears good.

But the SRX worked fine in the previous site too.

Both servers report full duplex:
# dmesg | grep -i duplex -> enp0s20f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
$ cat /sys/class/net/eno1/duplex -> full

Here is the result from an Ookla test running the first customer server from terminal:

 Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    17.98 ms   (jitter: 0.11ms, low: 17.79ms, high: 18.03ms)
    Download:    18.33 Mbps (data used: 24.4 MB)                                                   
                 16.20 ms   (jitter: 14.98ms, low: 9.54ms, high: 267.89ms)
      Upload:    94.04 Mbps (data used: 90.1 MB)                                                   
                 27.52 ms   (jitter: 5.30ms, low: 18.68ms, high: 302.49ms)
Packet Loss:     0.0%

PhoenixNAP has a download test that downloads a 1 GB test file from one of their servers using wget to monitor the speed:

 $ wget -O /dev/null -q --show-progress https://speedash.phoenixnap.com/ash-1gb.test

I ran this test to 3 of their servers scattered across the US and got an average download speed of 4.6 Mbps.

On the second customer server, Ookla returns:

   Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    18.12 ms   (jitter: 4.43ms, low: 13.30ms, high: 27.69ms)
    Download:    17.66 Mbps (data used: 32.8 MB)                                                   
                 79.64 ms   (jitter: 50.14ms, low: 10.44ms, high: 322.75ms)
      Upload:    94.09 Mbps (data used: 90.1 MB)                                                   
                 27.43 ms   (jitter: 2.00ms, low: 21.59ms, high: 41.39ms)
 Packet Loss:     0.0%

I ran the same test to the same 3 servers on this box and got an average download speed of 4.3 Mbps.

I remoted into another customer system who also has a 100 Mbps firewall (SSG-5) and ran the same PhoenixNAP test and got 78 Mbps so I don't think it is a PhoenixNAP issue.

I do not belief the configuration size of the SRX100 is an issue because we got exactly the same results from the production SRX100 with extensive configuration and the backup SRX100 out of the box with factory defaults.

The link is showing full duplex so this is not the issue to the ISP.

Can you likewise confirm the link to the testing computer is also full duplex to confirm that is good.

Do you get the same speed results from multiple services?  Just on the low chance there is something in the path to this test site that negatively interacts with the SRX configuration routing.

If all that checks out, there is some kind of interaction in the configuration routing or traffic processing at play.  This is odd since the only change is physical location and not configuration but the evidence says there is something wrong.  Since you have so many tunnels routing processes may be interacting with the internet test in some unusual way.

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

I was hoping someone else had run into this problem, but it doesn't appear that is the case.  The SRX100 has 10/100 Mbps ports and the SonicWall we tested with has 1 Gbps ports and so does the notebook we tested with.  Seems like the only variable we have not duplicated is a 10/100 Mbps device connected to Comcast's router (except using two SRX100s).  I wonder if Comcast could be throttling only when their router links to a 10/100 Mbps device?  Since the production SRX100 worked fine in its previous location, and does not now, it appears to me to be something on Comcast's side.

We will need to see if we can find another device using, or configure a notebook to only connect at, 100 Mbps and see what happens.

I missed that the second SRX still had the default configuration.  I had thought you loaded a backup as a hardware check.

This is very puzzling.  As Comcast noted it works with another device so the service itself appears good.

But the SRX worked fine in the previous site too.

Both servers report full duplex:
# dmesg | grep -i duplex -> enp0s20f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
$ cat /sys/class/net/eno1/duplex -> full

Here is the result from an Ookla test running the first customer server from terminal:

 Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    17.98 ms   (jitter: 0.11ms, low: 17.79ms, high: 18.03ms)
    Download:    18.33 Mbps (data used: 24.4 MB)                                                   
                 16.20 ms   (jitter: 14.98ms, low: 9.54ms, high: 267.89ms)
      Upload:    94.04 Mbps (data used: 90.1 MB)                                                   
                 27.52 ms   (jitter: 5.30ms, low: 18.68ms, high: 302.49ms)
Packet Loss:     0.0%

PhoenixNAP has a download test that downloads a 1 GB test file from one of their servers using wget to monitor the speed:

 $ wget -O /dev/null -q --show-progress https://speedash.phoenixnap.com/ash-1gb.test

I ran this test to 3 of their servers scattered across the US and got an average download speed of 4.6 Mbps.

On the second customer server, Ookla returns:

   Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    18.12 ms   (jitter: 4.43ms, low: 13.30ms, high: 27.69ms)
    Download:    17.66 Mbps (data used: 32.8 MB)                                                   
                 79.64 ms   (jitter: 50.14ms, low: 10.44ms, high: 322.75ms)
      Upload:    94.09 Mbps (data used: 90.1 MB)                                                   
                 27.43 ms   (jitter: 2.00ms, low: 21.59ms, high: 41.39ms)
 Packet Loss:     0.0%

I ran the same test to the same 3 servers on this box and got an average download speed of 4.3 Mbps.

I remoted into another customer system who also has a 100 Mbps firewall (SSG-5) and ran the same PhoenixNAP test and got 78 Mbps so I don't think it is a PhoenixNAP issue.

I do not belief the configuration size of the SRX100 is an issue because we got exactly the same results from the production SRX100 with extensive configuration and the backup SRX100 out of the box with factory defaults.

The link is showing full duplex so this is not the issue to the ISP.

Can you likewise confirm the link to the testing computer is also full duplex to confirm that is good.

Do you get the same speed results from multiple services?  Just on the low chance there is something in the path to this test site that negatively interacts with the SRX configuration routing.

If all that checks out, there is some kind of interaction in the configuration routing or traffic processing at play.  This is odd since the only change is physical location and not configuration but the evidence says there is something wrong.  Since you have so many tunnels routing processes may be interacting with the internet test in some unusual way.

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

I agree, that is why I thought it might be the half duplex I had seen before.

How about another test.  Can you create a two port vlan on the local switch that is isolated then from the rest of the LAN.

Use one ge port to the ISP and the second down to the SRX.  

Maybe this is just some strange compatibility problem with the ISP network vendor gear.

I was hoping someone else had run into this problem, but it doesn't appear that is the case.  The SRX100 has 10/100 Mbps ports and the SonicWall we tested with has 1 Gbps ports and so does the notebook we tested with.  Seems like the only variable we have not duplicated is a 10/100 Mbps device connected to Comcast's router (except using two SRX100s).  I wonder if Comcast could be throttling only when their router links to a 10/100 Mbps device?  Since the production SRX100 worked fine in its previous location, and does not now, it appears to me to be something on Comcast's side.

We will need to see if we can find another device using, or configure a notebook to only connect at, 100 Mbps and see what happens.

I missed that the second SRX still had the default configuration.  I had thought you loaded a backup as a hardware check.

This is very puzzling.  As Comcast noted it works with another device so the service itself appears good.

But the SRX worked fine in the previous site too.

Both servers report full duplex:
# dmesg | grep -i duplex -> enp0s20f0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
$ cat /sys/class/net/eno1/duplex -> full

Here is the result from an Ookla test running the first customer server from terminal:

 Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    17.98 ms   (jitter: 0.11ms, low: 17.79ms, high: 18.03ms)
    Download:    18.33 Mbps (data used: 24.4 MB)                                                   
                 16.20 ms   (jitter: 14.98ms, low: 9.54ms, high: 267.89ms)
      Upload:    94.04 Mbps (data used: 90.1 MB)                                                   
                 27.52 ms   (jitter: 5.30ms, low: 18.68ms, high: 302.49ms)
Packet Loss:     0.0%

PhoenixNAP has a download test that downloads a 1 GB test file from one of their servers using wget to monitor the speed:

 $ wget -O /dev/null -q --show-progress https://speedash.phoenixnap.com/ash-1gb.test

I ran this test to 3 of their servers scattered across the US and got an average download speed of 4.6 Mbps.

On the second customer server, Ookla returns:

   Speedtest by Ookla

      Server: Comcast - Sacramento, CA (id: 9436)
         ISP: Comcast Business
Idle Latency:    18.12 ms   (jitter: 4.43ms, low: 13.30ms, high: 27.69ms)
    Download:    17.66 Mbps (data used: 32.8 MB)                                                   
                 79.64 ms   (jitter: 50.14ms, low: 10.44ms, high: 322.75ms)
      Upload:    94.09 Mbps (data used: 90.1 MB)                                                   
                 27.43 ms   (jitter: 2.00ms, low: 21.59ms, high: 41.39ms)
 Packet Loss:     0.0%

I ran the same test to the same 3 servers on this box and got an average download speed of 4.3 Mbps.

I remoted into another customer system who also has a 100 Mbps firewall (SSG-5) and ran the same PhoenixNAP test and got 78 Mbps so I don't think it is a PhoenixNAP issue.

I do not belief the configuration size of the SRX100 is an issue because we got exactly the same results from the production SRX100 with extensive configuration and the backup SRX100 out of the box with factory defaults.

------------------------------
Mike Quigley

Original Message:
Sent: 01-01-2024 08:41
From: spuluka
Subject: Download Speed on EOL SRX

The link is showing full duplex so this is not the issue to the ISP.

Can you likewise confirm the link to the testing computer is also full duplex to confirm that is good.

Do you get the same speed results from multiple services?  Just on the low chance there is something in the path to this test site that negatively interacts with the SRX configuration routing.

If all that checks out, there is some kind of interaction in the configuration routing or traffic processing at play.  This is odd since the only change is physical location and not configuration but the evidence says there is something wrong.  Since you have so many tunnels routing processes may be interacting with the internet test in some unusual way.

Thanks for the response.

Output of: show interfaces fe-0/0/0 | match duplex:

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled

Would it be appropriate to go back to Comcast and tell them our interface is set for full duplex, 100mbps and have them verify what their router is configured for?

I've seen this happen when auto neg on the link comes up half duplex.  These devices are 100m links and the auto neg is not a full international standard so getting full duplex doesn't always happen between different vendor gear.

Check the link with this operation command for the interface facing the ISP.  This shows correct full duplex, it would say Half-duplex if this is the issue.

show interfaces fe-0/0/0 | match duplex    

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps,

Set manual 100 full duplex on the specific interface like this.

set interfaces fe-0/0/0 link-mode full-duplex

set interfaces fe-0/0/0 speed 100m    

The ISP may also have to set manual speed and duplex as well depending on the nature of the problem but sometimes only changing one side works.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

Just adding to the thread, as one of our users recently ran into a similar performance issue (not on the SRX specifically).  Can you confirm you're using 'real' cables and nothing home made that might not have the proper pinout in the termination?  A user swore he had made cables correctly, and he had link, but upon inspection he was using the wrong pairs.

Just curious about the cables.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

Just adding to the thread, as one of our users recently ran into a similar performance issue (not on the SRX specifically).  Can you confirm you're using 'real' cables and nothing home made that might not have the proper pinout in the termination?  A user swore he had made cables correctly, and he had link, but upon inspection he was using the wrong pairs.

Just curious about the cables.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?        

I doubt the throttling is the result of anything programmed for link speed.  I think it is rather a bug or incompatibility with FE links with the network vendor gear used by the ISP.

Since your switch is good for the SRX based on performance at the old site, I still think the two port vlan test is worth. running.  The ISP gear will see a normal GE port and your switch is good with the SRX FE ports.

Just adding to the thread, as one of our users recently ran into a similar performance issue (not on the SRX specifically).  Can you confirm you're using 'real' cables and nothing home made that might not have the proper pinout in the termination?  A user swore he had made cables correctly, and he had link, but upon inspection he was using the wrong pairs.

Just curious about the cables.

We have a customer with two SRX100H2's.  One has been running with no issues for many years and the other is a spare they bought just before the SRX100 became end-of-life.  Both have the last version of JUNOS available 12.3X48-D105.4.

The customer has been on Comcast Business service for several years with 5 static IPs.  They recently moved their office literally across town and Comcast moved their service allowing them to keep the same IPs.  The Comcast Router is connected to the SRX100 and the SRX100 is connected to a managed switch.  The rest of the office network is connected to the switch.

Prior to their move, running an Ookla speed test on any device downstream of the SRX would give Up and Down speeds of 90+ Mbps.  After the move, the same tests give 18 Mbps Down and 93 Mbps Up.   These speeds are consistent  with several devices.  We have run tests from their Servers and a couple of notebooks plugged into the switch and leasing a DHCP address.

We unplugged the Cat5 going into the SRX, plugged it into a notebook, manually configured all 5 static IPs one at a time in the notebook and ran a speed test with each.  The results are 221 Down & 118 Up.

We pulled out the spare SRX, powered it up with a factory default configuration, plugged it into the Comcast Router, plugged a notebook into the SRX and ran the speed test.  Results were 18 Mbps Down & 93 Mbps Up.  Same as the original SRX100.

Then we decided to try a different firewall so we grabbed a used SonicWall TZ270 from another job reset to factory defaults, plugged that into the Comcasr Router, plugged the notebook into it, and ran another test.  Results were 221 Mbps Down & 118 Mbps Up.

Next we called Comcast Business Support and they basically told us to go away.  They said if the SonicWall worked OK, then the problem was with the Juniper hardware and not their network.

So when we connect the SRX100's to the Internet, something is definitely causing them to throttle the connection .  There are no throttling policies of any kind configured in the SRX's. The customer has 3600+ lines in the SRX backup configuration file due to a large number of site-to-site VPNs and policies and with no simple path to upgrade from the SRX100 to the SRX300, they are unwilling to pay for the upgrade at this time.

Anyone have any ideas what would cause a SRX100H2 to throttle its download speed?