04-12-2012 11:03 AM
The graphic attached does a good job of explaining my issue. We have a Juniper SSG5 router segregating our networks, but occasionally we need to copy files from Zone 3 to Zone 1 (our main Trust Zone) -- see the graphic to tell where the zones are. Notice the Trust Zone is 3 Ethernet ports configured as a "BGroup" or "Bridge Group" (they act like a Layer 2 switch). When we attempt this copy, it consistently copies across around 64 KBps (512 Kbps), which is extremely slow. We have a mixed switch environment, but I narrowed the issue down to the Juniper by using two laptops as shown in the image; when both are on ports in the same BGroup0, file copies fly. But when the only thing I change is moving one laptop to the last port, my speed drops drastically.
We have no traffic shaping of any kind set. The only firewall policies are to let any service travel between the two zones (e.g. Permit ANY ANY). The zones are part of the same virtual router, so the one big difference between file copies is that traffic is fast when it's only switched, but when it's slow it's actually being routed, and they are on different subnets [192.168.16.x vs 10.2.2.x]. But it shouldn't be that slow! I've tried with the Juniper port settings at Auto-Negotiate and also manually at 100Mb/Full-Duplex, but neither had an effect. Also, Deep Inspection is off.
We have a spare SSG5 and swapped out the hardware, and even upgraded the firmware. No effect.
My second diagram is more extensive, and shows the speeds of laptops placed throughout the network, and after I took Port 0/4 away from BGroup0 and added it (and Port 0/6) to BGroup1, which has Zone 3 policy applied.
I'm not sure what else to let you know; I've scoured the Juniper web config and almost anything to do with traffic shaping or priority or Class-Of-Service is all disabled. I tested enabling it and raising priority for Zone 3 traffic but it didn't help at all. This is driving me crazy. Any helpful suggestions are appreciated.
04-12-2012 11:05 AM
Also, please see the attached config file. I cleaned it up a bit... my WAN IPs are listed as 1.2.3.x, my domain is MyDomain.com, etc.
The hardware version is 710(0)
Firmware version is 6.3.0r10.0
04-12-2012 11:21 AM
Now check this diagram . . . I copied back to the Zone 3 laptop directly connected to the Juniper from my Trust Zone PC off the Cisco switches, and it went through super fast.
I copied from the same Trust Zone PC to the one deep within Zone 3, and it went through at 14 Mbps . . . still slow, but not as slow as moving the files back the other direction. Very weird.
This diagram makes it look like the RuggedCom switches are the problem, but my other diagram indicates the Juniper is the issue. Although both diagrams together, telling me that uploads vs. downloads between devices are DIFFERENT, point more to the device doing routing, like maybe it's doing traffic inspection or applying policies it shouldn't be... even though my policies are pretty clear to allow all traffic with no shaping.
04-12-2012 02:37 PM
Just a thought reading your post poorly: Did you try to set the interfaces on both sides fixed to full duplex and 100 Mbit? It sounds like a mismatch to me.
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
04-13-2012 07:09 AM
Actually it turns out the issue wasn't with the Juniper at all. I just fixed it by assigning a static IP route on the PC in Zone 3 to tell it to go through the Juniper to get to the Zone 1 subnet. After that, copies across the network went blazing fast.
That doesn't make sense from a networking perspective, since it still had its default route set to the Juniper gateway, and we know it established a TCP connection before, it just was super slow for some reason. I'm thinking this is a Windows Networking quirk?