Hi Lim,
Don't worry about this, really.
SRX, like any other stateful firewall, preallocates memory for all the thousands of sessions it can support. This is really important to improve the new-sessions-per-second capability and also to ensure that nothing can block new sessions by occupying too much memory.
If you look at any ScreenOS firewall, you'll see almost the same. It is really OK.
Look at this snippet.
pash@J2350> show system processes extensive
last pid: 10878; load averages: 0.06, 0.04, 0.01 up 0+23:07:39 13:46:45
109 processes: 3 running, 88 sleeping, 18 waiting
Mem: 90M Active, 165M Inact, 519M Wired, 140M Cache, 69M Buf, 79M Free
Swap: 85M Total, 85M Free
PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
11 root 1 171 52 0K 12K RUN 21.3H 95.95% idle
1032 root 1 96 0 481M 481M RUN 98:28 1.71% fwdd
12 root 1 -20 -139 0K 12K WAIT 4:39 0.00% swi7: clock sio
1071 root 1 96 0 6920K 6132K select 0:41 0.00% utmd
1070 root 1 96 0 6552K 5328K select 0:38 0.00% jdiameterd
926 root 1 20 0 0K 12K rtl_gp 0:31 0.00% rtl_alloc
1047 root 1 96 0 9020K 7660K select 0:31 0.00% l2ald
1019 root 1 96 0 18768K 13228K select 0:26 0.00% chassisd
1082 root 1 96 0 14276K 13032K select 0:22 0.00% snmpd
[...]
Most allocated memory is eaten by fwdd (J-series) or flowd_octeon (SRX). This is the daemon which performs traffic forwarding. You'd rather let it do so. Memory load will not rise with more traffic; you can test it.
If you really need additional memory, you can try to turn off some processes you don't need. First, be sure you know what you are doing!
pash@J2350# run show system processes extensive | match free
Mem: 99M Active, 165M Inact, 520M Wired, 140M Cache, 69M Buf, 69M Free
Swap: 85M Total, 85M Free
[edit]
pash@J2350# run show system processes extensive | match idp
13353 root 1 96 0 78928K 8864K select 0:00 0.00% idpd
[edit]
pash@J2350# run show system processes extensive | match utm
13354 root 1 96 0 6912K 6188K select 0:00 0.00% utmd
[edit]
pash@J2350# run show system processes extensive | match snmp
13352 root 1 96 0 14284K 13040K select 0:03 1.78% snmpd
[edit]
pash@J2350# show | compare rollback 1
[edit system]
- processes {
- idp-policy disable;
- snmp disable;
- utmd disable;
- }
[edit]
pash@J2350# rollback 1
load complete
[edit]
pash@J2350# commit
commit complete
[edit]
pash@J2350# run show system processes extensive | match snmp
[edit]
pash@J2350# run show system processes extensive | match utm
[edit]
pash@J2350# run show system processes extensive | match idp
[edit]
pash@J2350# run show system processes extensive | match free
Mem: 89M Active, 165M Inact, 520M Wired, 140M Cache, 69M Buf, 79M Free
Swap: 85M Total, 85M Free
However, I think it can only be useful on J-series, when you want to have a few hundred thousand routes. Not on SRX100/200, which, I think, is not capable of performing such a task anyway, and not on SRX650, which has 2 Gigs of RAM.
P.S.
If you ever notice SRX consumes too much CPU, check this link:
http://forums.juniper.net/jnet/board/message?board.id=srx&message.id=147&query.id=1634779&searchid=1252416322735
--
Kind regards,
Pavel
Message Edited by onemorepash on 10-14-2009 03:21 AM
Message Edited by onemorepash on 10-14-2009 03:25 AM
Message Edited by onemorepash on 10-14-2009 03:34 AM
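The post reads the memory picture by eye from `show system processes extensive`. Below is an added example (my code, not Pavel's and not a Juniper tool) that parses that same top(1)-style listing so the check can be scripted: it converts the `Mem:` summary and each process row into KiB, ranks processes by resident size, reports what share the forwarding daemon holds, and computes how much `Free` changed between two captures such as the before/after pair in the post. The sample input is a constructed copy of the listing quoted above; the daemon names `fwdd` and `flowd_octeon` and the assumption that `COMMAND` is always the last column(s) come from that output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the `show system processes extensive`
# output quoted in the post (J2350). Used here only as offline input.
SAMPLE_OUTPUT = """\
last pid: 10878;  load averages:  0.06,  0.04,  0.01  up 0+23:07:39    13:46:45
109 processes: 3 running, 88 sleeping, 18 waiting
Mem: 90M Active, 165M Inact, 519M Wired, 140M Cache, 69M Buf, 79M Free
Swap: 85M Total, 85M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   11 root        1 171   52     0K    12K RUN     21.3H 95.95% idle
 1032 root        1  96    0   481M   481M RUN     98:28  1.71% fwdd
   12 root        1 -20 -139     0K    12K WAIT     4:39  0.00% swi7: clock sio
 1071 root        1  96    0  6920K  6132K select   0:41  0.00% utmd
 1070 root        1  96    0  6552K  5328K select   0:38  0.00% jdiameterd
  926 root        1  20    0     0K    12K rtl_gp   0:31  0.00% rtl_alloc
 1047 root        1  96    0  9020K  7660K select   0:31  0.00% l2ald
 1019 root        1  96    0 18768K 13228K select   0:26  0.00% chassisd
 1082 root        1  96    0 14276K 13032K select   0:22  0.00% snmpd
"""

# Constructed "before" and "after" Mem: lines, copied from the post's
# `| match free` captures taken before and after disabling idpd/utmd/snmpd.
MEM_BEFORE_DISABLE = "Mem: 99M Active, 165M Inact, 520M Wired, 140M Cache, 69M Buf, 69M Free\n"
MEM_AFTER_DISABLE = "Mem: 89M Active, 165M Inact, 520M Wired, 140M Cache, 69M Buf, 79M Free\n"

_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMG])$")


def size_to_kib(token: str) -> int:
    """Convert a top(1)-style size token such as '481M' or '6920K' to KiB."""
    m = _SIZE_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    value, unit = float(m.group(1)), m.group(2)
    factor = {"K": 1, "M": 1024, "G": 1024 * 1024}[unit]
    return int(value * factor)


def parse_mem_line(text: str) -> Dict[str, int]:
    """Return the 'Mem:' summary as {category: KiB}, e.g. {'Free': 80896, ...}."""
    for line in text.splitlines():
        if line.startswith("Mem:"):
            pairs = re.findall(r"(\d+[KMG]) (\w+)", line[len("Mem:"):])
            return {name: size_to_kib(size) for size, name in pairs}
    raise ValueError("no 'Mem:' line found")


def parse_processes(text: str) -> List[Dict[str, object]]:
    """Parse the rows after the PID/USERNAME header; COMMAND may contain spaces."""
    rows: List[Dict[str, object]] = []
    header_seen = False
    for line in text.splitlines():
        cols = line.split()
        if not header_seen:
            header_seen = cols[:2] == ["PID", "USERNAME"]
            continue
        if len(cols) < 11:  # blank or truncated line, not a process row
            continue
        rows.append({
            "pid": int(cols[0]),
            "user": cols[1],
            "size_kib": size_to_kib(cols[5]),
            "res_kib": size_to_kib(cols[6]),
            "state": cols[7],
            "wcpu": float(cols[9].rstrip("%")),
            "command": " ".join(cols[10:]),
        })
    return rows


def top_resident(text: str, n: int = 3) -> List[Tuple[str, int]]:
    """The n processes with the largest resident set, as (command, KiB)."""
    procs = sorted(parse_processes(text), key=lambda p: p["res_kib"], reverse=True)
    return [(p["command"], p["res_kib"]) for p in procs[:n]]


def forwarding_share(text: str, daemons=("fwdd", "flowd_octeon")) -> float:
    """Fraction of all resident memory in the listing held by the forwarding daemon."""
    procs = parse_processes(text)
    total = sum(p["res_kib"] for p in procs)
    fwd = sum(p["res_kib"] for p in procs if p["command"] in daemons)
    return fwd / total if total else 0.0


def free_delta_kib(before: str, after: str) -> int:
    """Change in 'Free' KiB between two captures (positive = memory was freed)."""
    return parse_mem_line(after)["Free"] - parse_mem_line(before)["Free"]


if __name__ == "__main__":
    print("top resident:", top_resident(SAMPLE_OUTPUT))
    print("forwarding daemon share: %.1f%%" % (100 * forwarding_share(SAMPLE_OUTPUT)))
    print("freed by disabling daemons: %d KiB" % free_delta_kib(MEM_BEFORE_DISABLE, MEM_AFTER_DISABLE))
```

Feed it the raw output of `show system processes extensive` (for example saved from a terminal session) and it reproduces the post's observation in numbers: nearly all resident memory sits in the forwarding daemon, and turning off the three optional daemons recovers on the order of 10 MiB, which is the scale of gain to weigh before disabling anything.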