SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ipsec high cpu

    Posted 12 days ago

    Good day,

    We use an off-site backup location with an IPsec tunnel.

    The max speed we get is 250mbps. For our purpose this is no issue.

    We get the below warnings indicating that the SRX320 is running at max capacity.

    Following the datasheet, the device should get 336mbps over an IPsec connection.

    The second warning can be expected, but the first one should not occur.

    RTPERF_CPU_UTIL_MAX: FPC 0 PIC 0 CPU Utilization greater than 99, expect packet loss

    RTPERF_CPU_THRESHOLD_EXCEEDED: FPC 0 PIC 0 CPU utilization exceeds threshold, current value = 88

    Is there anything we can do to improve this?

    The IKE proposal-set is standard.

    The IPsec is also as simple as possible.

    perfect-forward-secrecy {
        keys group1;
    }
    proposal-set standard;
    

    Since it is happening during the night, there is no big issue, but simply wondering if there is something I can do to improve this.

    Many thanks,

    Mark



  • 2.  RE: ipsec high cpu

    Posted 11 days ago

    Check for packet fragmentation. If traffic flows from, say, interface ge-0/0/x into st0.z, use monitor interface to compare the INPUT packet rate for ge-0/0/x to the OUTPUT packet rate for st0.z. They should roughly match. If fragmentation is occurring, then the output packet rate on st0.z will be roughly doubled.

    If fragmentation is indeed happening, assuming your backup is using TCP connections, you can clamp down the maximum segment size (tcp-mss) under security flow configuration. Taking into account the various overheads, assuming a normal 1500-byte ethernet MTU, a tcp-mss value of around 1350-ish should do the trick.



    ------------------------------
    Nikolay Semov
    ------------------------------
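
The overhead arithmetic behind the tcp-mss suggestion in the reply above, as an added example that is not part of the original thread. It assumes IPv4 ESP tunnel mode; the cipher suites in `SUITES` and all function names are constructed for illustration and are not taken from the poster's device.

```python
"""Largest TCP MSS that avoids fragmentation over an IPv4 ESP tunnel."""

OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # extra UDP header when NAT traversal is in use
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20); options come out of the MSS

# Constructed sample suites (assumptions): (IV bytes, cipher block bytes, ICV bytes)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
}


def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of one inner packet after ESP tunnel encapsulation."""
    iv, block, icv = SUITES[suite]
    # Inner packet plus trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + icv


def max_inner_packet(link_mtu, suite, nat_t=False):
    """Largest inner packet whose encapsulated form still fits in link_mtu."""
    iv, block, icv = SUITES[suite]
    room = link_mtu - OUTER_IPV4 - (NAT_T_UDP if nat_t else 0) - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER


def max_tcp_mss(link_mtu, suite, nat_t=False):
    """Upper bound for the tcp-mss clamp on traffic entering the tunnel."""
    return max_inner_packet(link_mtu, suite, nat_t) - INNER_IP_TCP


def fragments(inner_len, link_mtu, suite, nat_t=False):
    """True when the encapsulated packet exceeds the MTU (two packets out)."""
    return esp_packet_size(inner_len, suite, nat_t) > link_mtu


if __name__ == "__main__":
    for name in SUITES:
        for nat_t in (False, True):
            print(f"{name:26} nat_t={nat_t!s:5} max MSS {max_tcp_mss(1500, name, nat_t)}")
    # An unclamped 1500-byte inner packet (MSS 1460) no longer fits after ESP.
    print("1500-byte inner packet fragments:", fragments(1500, 1500, "aes-cbc/hmac-sha1-96"))
```

Under these assumptions every suite yields a ceiling above 1350, so the value suggested in the reply fits with room to spare for links whose MTU is below 1500.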