Screen OS

Hi,

One of my customer having some high response issue from the NS204.

The NS204 have 3 zone in used, Untrust, DMZ and Trust.  This NS204 also serve as a VPN gateway to branches and running in pair for HA.

There are 40 VPN Gateways in the NS204 include active and inactive.  The inactives VPN is for the branches' failover interface VPN connection.

Issue is some of the times, the DMZ interface had high reponse time ping from the trust zone (User PC), the ping time is around 1200ms.  During that time the ping time to trust interface and untrust interface is normal around 20ms.  The CPU usage also jump from 5% to 90%+.

Users experience slow performance when they need to connect servers in DMZ zone.  But the connection to untrust zone (Internet) is normal.

My customer notices that when the high response time occur, there are a lot of logs that show about VPN is down and VPN is up for serveral branches.

Is the VPN reconnection cause this issue, and use alot of cpu usage?

Hi

As you state that your cpu goes hihg in the same period you expirience high response time, I will suggest that you start looking at finding out what caises the high cpu.

There is a very good knowledgebase article that describes the steps to isolate the cause of high cpu-load.

http://kb.juniper.net/KB9453

A tool that is good to use in the process is Nescreen Session Analyzer it can be downloaded at the following location.

Sorry

I forgot to paste in the link to NSSA

http://performanceclassifieds.net/NSSA.zip

Sorry for the late reply.

I had found out the high cpu load is cause by the flow.

Thanks!!