Thank you all for the wonderful help and suggestions, really appreciated.
So is the SPC 2 card throughput limitation 3G? If not, what is the limitation value for SPC2?
This SRX 5400 is only for IPsec, not for non-IPsec testing, so I can't see any non-IPsec traffic.
I will ask the user to set up again and will monitor SPC performance and CoS values.
Original Message:
Sent: 05-20-2024 21:08
From: kronicklez
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Hi Bala,
First of all, I think you need to upgrade your firmware first. If the result is the same after you upgrade, then it is possibly due to the maximum limitation of the SPC2 card. Please take note that on the SRX5k series all the security feature throughput depends on the SPC2 card.
Thanks
Original Message:
Sent: 05-20-2024 21:00
From: BALA BALASUNDARAM
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Thank you. Does it mean SPC2 is not supported for SRX 5400 and I need to get a new SPC3 card in order for it to work? So what is the limitation for SPC2, no throughput at all? Can I run 1G data on SPC2? Just want to understand.
Thanks a lot.
------------------------------
BALA BALASUNDARAM
Original Message:
Sent: 05-20-2024 12:26
From: kronicklez
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Hi,
One SPC2 model can cater for 5G IPsec throughput only. So you need to change your SPC2 to SPC3, since the SRX5400 has limited slots.
Thanks
Original Message:
Sent: 05-20-2024 12:18
From: BALA BALASUNDARAM
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Thank you so much for the info, here is the info for the SRX 5400. Please kindly advise on these SPC limitations?
> show chassis fpc
                     Temp  CPU Utilization (%)   Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
  0  Online            37     22          0       1024        9         26
  1  Empty
  2  Online            38      4          0       2048       19         18
RE:
Routing Engine 0 REV 02 SRX5k RE-1800X4
CB 0 REV 08 SRX5k SCB II
FPC 0 REV 24 SRX5k SPC II
CPU BUILTIN BUILTIN SRX5k DPC PPC
FPC 2 REV 08 SRX5k IOC II
CPU REV 02 SRX5k MPC PMB
MIC 1 REV 07 10x 10GE SFP+
This is the physical HW info I got from the lab team:
Slot 2 - SRX5K-MPC/SRX-MIC-10XG-SFPP LED status: all green
Slot 1 - empty
Slot 1/0 SRX5K-SPC-4-15-320 LED status: all green
Slot 0 SRX5K-SCBE/SRX5K-RE-1800X4 LED status: all green (except master LED: blue)
Please kindly advise on these SPC limitations?
------------------------------
BALA BALASUNDARAM
Original Message:
Sent: 05-20-2024 05:35
From: kronicklez
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Hi,
What model of SPC do you use? The SPC2 model has a limitation on IPsec tunnel throughput.
Thanks
Original Message:
Sent: 05-20-2024 01:14
From: BALA BALASUNDARAM
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Thank you Steve again. We are not running any VPN monitoring. The main issue on the SRX 5400 is that its tunnel is not stable when traffic starts; the problem is that peer dead detection is happening due to the peer IKE unreachable message from the remote site. Why is this happening? Because of some kind of congestion on the SRX 5400: around ~7G of data is going through that interface link, but as I told you already it's a 20G link. I am not quite sure why the SRX 5400 is causing congestion and packet loss, and then the peer IP is not reachable once in a while and the tunnel goes up/down, because the BW is 20G.
Is there any way I can check at the hardware level that all the cards are working as expected? Also, will this release, JUNOS 12.3X48-D105.4, support 7G throughput?
Please advise.
------------------------------
BALA BALASUNDARAM
Original Message:
Sent: 05-19-2024 19:36
From: spuluka
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
For the vpn troubleshooting the logging level would need to be increased to information level to get detailed messages as noted in the kb.
Also verify that vpn monitoring is either not in use or adjusted as needed per the later steps.
On the upgrade path, there are maximum jump levels that would need to be observed. And those files are not publicly available as you note. This requires opening a service ticket with JTAC support. The particular versions vary by platform which is why they were running the open sessions a few months back. But a JTAC ticket can also help parse this as well.
The alternative is to do a clean boot format install on the SRX. Naturally, this deletes the current configuration so a backup would need to be pulled. And this would take the device to factory default so local physical access also needed. But you can format to any version with the upgrade jump maximums in play.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 05-19-2024 01:13
From: BALA BALASUNDARAM
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Thank you Steve for the prompt reply and really appreciated.
First issue: the tunnel up/down is only happening when traffic starts; otherwise the tunnels are always up and not fluctuating. I tested an SRX 5800 with the same config and it's working fine, so something on the SRX 5400 is causing the issue, but I can't find any alarm on the SRX 5400 in order to debug. Maybe a card issue or software? This is the first time I am testing IPsec on an SRX 5400.
This is the reason I am thinking of maybe updating the software.
I can't see much info on FAQ about the upgrade, SRX 5400 with Routing engine SRX5k RE-1800X4 recommended load is
Also I checked on the Juniper website under downloads for SRX 5400; it only shows load 12.3 X48 and then 19.3, there are no middle releases there, and I am not sure what the full path is in order to reach 21.4.
Currently the SRX 5400 is running this firmware: JUNOS 12.3X48-D105.4.
Please suggest how to move forward.
------------------------------
BALA BALASUNDARAM
Original Message:
Sent: 05-18-2024 20:34
From: spuluka
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
For a vpn that is going up/down follow the outline in this kb article to identify the cause.
https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-a-VPN-tunnel-that-is-going-up-and-down?language=en_US
Upgrades from the EOL version 12 generally require multiple steps up to a current version. Check the FAQ and other notes on these old version upgrades from this previous announcement.
https://community.juniper.net/discussion/are-you-still-running-junos-release-12x-14x-15x-or-16x
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 05-18-2024 17:11
From: BALA BALASUNDARAM
Subject: SRX 5400 upgrade path/ packet loss coming when traffic started on ipsec.
Hi,
I have an SRX 5400 just recently installed and set up for IPsec. The tunnel is stable if there is no traffic, but the tunnel goes up/down when traffic starts. Traffic is less than 7 GB, but link BW is 20G, so I don't think this is causing the issue.
There is no alarm on the SRX.
Could someone please suggest, maybe a load issue or an SCB/SPC issue?
The SRX 5400 is running JUNOS 12.3X48-D105.4; if you think it is a load issue, can I upgrade to 19.3R1.8?
Please kindly advise.
Thanks,
Nesan
------------------------------
BALA BALASUNDARAM
------------------------------