SRX

Good day to everybody!!!

At the moment I'm testing such a configuration:
Hub(sml-c-r1, SRX100H) and spokes(as an example, sml-vjz-r1, all SRX100B), all with recommended Junos 12.1X44-D35.5

Hub has 2 ISPs: 1 public addr on ISP1(pppoe) and 2 public addr on ISP2
Every spoke has 2 ISPs: 2 public addr on ISP1 and 2nd ISP is 3G(NAT, dynamic addr)

So I make 2 GRE-tunnels from every spoke: spoke_ISP1.1 to hub_ISP1, spoke_ISP1.2 to hub_ISP2.1
And 1 IPsec NHTB-tunnel: spoke_ISP2 to hub_ISP2.2

Then put all tunnel ifaces into area 0(ospf), and it works great! But 2-3 hours pass and CPU(DATA in Jweb) goes to 100% on hub, ping to and through hub ifaces increases (from 2-10ms to 60-90ms). In messages log a few relevant messages:
Aug 28 11:32:47  sml-c-r1 PERF_MON: RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value=100

What is interesting: when I disable fe-0/0/0.0 on hub(ISP1) CPU(DATA) immediately falls to 0%, ping to 2-10ms. When enable it back, again 2-3 hours and the same issue!

I attach 2 cfgs, by 2 outputs before and after 2-3 hours.

Could you, please, help!!!

Attachment(s)

hub_log1_ok.txt   4 KB 1 version

spoke_output1_ok.txt   5 KB 1 version

hub_log2_bad.txt   4 KB 1 version

spoke.txt   4 KB 1 version

hub.txt   9 KB 1 version

spoke_output2_bad.txt   4 KB 1 version

Thankfully, we have found the cause. IPsec, gre, ospf were not among them..

A subnet of /29 is linked to ISP1 pppoe interface, but no adresses from it were assigned to SRX. A lot of trash traffic destined to these addresses was entering SRX. As it is in statefull mode, sessions for these addresses were populating SRX. When I set this subnet with discard parameter in routing-options, everything starts to work as expected. CPU(DATA) goes to 0%