SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 - Slow performance after update

    Posted 9 days ago

    Hi,

    I have several hundred SRX300s, some of them in cluster mode, and they all ran on version 15. A few weeks ago, I started updating them to the recommended version, 21.4R3-S4, and after the update I noticed that performance decreased. It decreased in the IPsec part. We received user complaints and alerts from monitoring systems about SPU utilization.

    The configuration remains exactly the same.

    I started to investigate and load-tested the SRXs (iperf2, 10 Mbit/s UDP one-way flow) and came up with this rule: on an SRX300 running version 15, 10 Mbit/s is equivalent to ~10% SPU utilization; on version 21 it is equivalent to ~25-30% SPU utilization! We are talking about the same equipment and the same configuration. I repeated this on version 20, and the result was the same as on version 21.

    I tried switching to GCM encryption, but it didn't help.

    Perhaps someone has encountered this and can help. Thank you.



    ------------------------------
    Omar Dzag
    ------------------------------


  • 2.  RE: SRX300 - Slow performance after update

    Posted 9 days ago

    Out of curiosity, what is the 15 version you're using?

    (I've got nothing; it's been a few years since I've had a firewall on 15, and don't recall a performance dip.)



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: SRX300 - Slow performance after update

    Posted 8 days ago

    JUNOS Software Release [15.1X49-D211]
    JUNOS Software Release [15.1X49-D200.3]
    JUNOS Software Release [15.1X49-D170.4]
    JUNOS Software Release [15.1X49-D60.7]
    JUNOS Software Release [15.1X49-D120.3]
    JUNOS Software Release [15.1X49-D160.2]
    JUNOS Software Release [15.1X49-D70.3]



    ------------------------------
    Omar Dzag
    ------------------------------



  • 4.  RE: SRX300 - Slow performance after update

    Posted yesterday

    There is a PR, 1692526, which probably has something to do with this. The PR is not public, because no customer has reported it yet. It increases SPU utilization and eventually crashes it. The trigger is the firewall events that the SPU has to process for a logical interface, i.e. tunnel, loopback, etc. In other words, if you have a high number of firewall filters applied to logical interfaces like tunnel or loopback interfaces (I have reason to believe that it is applicable to firewall filters applied on IFLs as well), you will face high SPU utilization, and it can lead to a crash in some scenarios. You mentioned that you have an IPsec implementation; this is probably what is affecting you.

    Note: I do not have the configuration, or details about the full setup, so this is just a guess. Please open a case with JTAC to verify.



    ------------------------------
    Sougata Ray

    **Please note upgrade guidance might not be complete for all implementation/configurations. Before proceeding with an update please ensure you have tested in a lab environment and/or a backup copy of the original configuration. If urgent assistance is needed, please open a JTAC ticket (Only an option until July 1, 2023 for upgrading Junos 10-11-13).**
    ------------------------------
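
Added example (not posted by anyone in the thread): one way to check a fleet for the condition described in reply 4 is to list every firewall filter bound to a logical interface in a configuration exported with `show configuration | display set`. The interface prefixes treated as tunnel/loopback and all names in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# "set interfaces <ifd> unit <n> family <fam> filter <direction> <name>"
BINDING = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<family>\S+) "
    r"filter (?P<direction>input|output|input-list|output-list) (?P<filter>\S+)$")
# "set firewall [family <fam>] filter <name> term <term> ..."
TERM = re.compile(r"^set firewall (?:family \S+ )?filter (?P<filter>\S+) term (?P<term>\S+) ")
# Assumption: these prefixes stand for the "tunnel, loopback etc." interfaces.
TUNNEL_OR_LOOPBACK = ("st0", "lo0", "gr-", "ip-")

def audit(config_text):
    """Return one record per filter binding on a logical interface (IFL)."""
    terms, bindings = defaultdict(set), []
    for line in config_text.splitlines():
        line = line.strip()
        m = TERM.match(line)
        if m:
            terms[m["filter"]].add(m["term"])
        else:
            m = BINDING.match(line)
            if m:
                bindings.append(m.groupdict())
    return [{
        "ifl": f"{b['ifd']}.{b['unit']}",
        "kind": "tunnel/loopback" if b["ifd"].startswith(TUNNEL_OR_LOOPBACK) else "other IFL",
        "direction": b["direction"],
        "filter": b["filter"],
        "terms": len(terms[b["filter"]]),  # 0 means the filter is not defined in this file
    } for b in bindings]

# Constructed sample, not taken from any device in the thread.
SAMPLE = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/0 unit 0 family inet filter input EDGE-IN
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces st0 unit 1 family inet filter input VPN-IN
set interfaces st0 unit 1 family inet filter output VPN-OUT
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh then accept
set firewall family inet filter PROTECT-RE term rest then discard
set firewall family inet filter VPN-IN term all then accept
set firewall family inet filter VPN-OUT term all then accept
set firewall family inet filter EDGE-IN term all then accept
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{ifl:12} {kind:16} {direction:7} {filter:12} terms={terms}".format(**row))
```

The output is an inventory to attach to a JTAC case or to compare between slow and unaffected devices; it does not by itself confirm that the PR applies.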