SRX Services Gateway
Contributor
Posts: 61
Registered: ‎05-11-2010
0

SRX 210 performance problem

My client just deployed an SRX210 in their remote office. This SRX has a 10M Internet connection; the client verified the speed by attaching a PC directly to the service provider's Ethernet drop. However, PCs connected to the EX200 (which is connected to the SRX210) are only getting 1M up/down bandwidth. I checked the SRX's Internet-facing interface and there are no errors; the traffic seemed to be throttled somewhere. The configuration of this SRX210 could not be simpler: just NAT/firewall and DHCP configuration, nothing advanced at all.

 

The other problem we have with the SRX210 is that SSH sessions from inside to outside disconnect after several minutes of inactivity. We did not set any connection-specific timers.

 

Thanks,

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX 210 performance problem

What firmware are you running on the SRX?  Have you verified that the issue is the SRX by directly connecting a client to it?  Are you able to post a configuration file?

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

It is running 10.1R2.8. According to the client, regular PCs behind the EX200/SRX210 are very slow, but a laptop directly connected to the ISP is fine. I don't have remote access to the router right now. Which part of the configuration do you think might be causing the problem? As I said, the router just has two active interfaces, one facing the ISP and the other facing the EX200, and a simple PAT rule; everything else is default.

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

OK, I have new findings: the untrust FE interface (facing the Internet) is configured as 10m, full-duplex (requested by the ISP). CLI output of "show interface fe-0/0/3" shows that the link mode is half-duplex, but the GUI shows that this interface is full-duplex. Which one should I trust?

Contributor
Posts: 10
Registered: ‎05-17-2010
0

Re: SRX 210 performance problem


Trust the CLI output.  Hard code the duplex to match on both sides and your problems will probably go away.

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0

Re: SRX 210 performance problem

10m full-duplex is the correct configuration for the speed you specified.  Leave it at auto especially given that you have no control over what the ISP sets at their end of the connection.  Given my understanding of the situation I think it's worth repeating that we know the internet works fine when directly connected but we're still not sure if it works fine directly through the SRX.  If it does then we know that the EX2200 is at fault.

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

Speed and link-mode are already hard-coded on the SRX210 (10M & full-duplex), and the ISP side is an unmanaged switch. I cannot believe such a basic issue exists in the SRX210; it is very frustrating.

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

We can certainly try, but I want to get half-duplex problem resolved first.

Super Contributor
Posts: 206
Registered: ‎03-11-2008
0

Re: SRX 210 performance problem

Try auto-negotiation then. I've found sometimes this works better, depending on the hardware.

Visitor
Posts: 7
Registered: ‎05-27-2010
0

Re: SRX 210 performance problem

auto-negotiation is one of the solutions.

 

Make sure it is the issue with the SRX performance. Connect a laptop directly to SRX and check.

 

Check the duplex b/w SRX and EX-200.

 

Disable the firewall at the SRX and check.

 

Thanks,

Learner

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0

Re: SRX 210 performance problem

Are you using one of the GE ports for the ISP connection?

 

If you use one of the two gigabit interfaces, you must go under the gigabit options to correctly disable auto-negotiation, or you get strange results no matter what your speed and link-mode are.

 

Your interface should look something like this for a proper 10 FULL duplex link using a GE interface. My ISP connections are the same; they are always 10 Full fixed since they use Cisco gear, and Cisco almost never auto-negotiates reliably with anything but other Cisco gear.

 

 

ge-0/0/1 {
    speed 10m;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            address 10.0.0.1/30;
        }
    }
}

 

 

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

Thanks. Unfortunately, we are using FE; we were instructed by the ISP to use 10M, full-duplex on our side. Not sure why the SRX still operates in half-duplex mode.

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0

Re: SRX 210 performance problem

I am fairly sure the fast Ethernet ports have a similar setting... I will try and check when I am in the office.

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

Nope, on FE ports, as long as speed and link-mode are explicitly configured, auto-negotiation is turned off.

Trusted Contributor
Posts: 30
Registered: ‎05-20-2010
0

Re: SRX 210 performance problem


As for the SSH thing, check your security flows. They may be reaching their timeouts; the default is to time out, which is better so that you don't collect unused sessions.

show security flow session destination-port 22


Session ID: 10164, Policy name: self-traffic-policy/1, Timeout: 600
  In: 10.10.10.202/37677 --> 10.10.10.2/22;tcp, If: ge-0/0/0.0
  Out: 10.10.10.2/22 --> 10.10.10.202/37677;tcp, If: .local..0

Session ID: 16869, Policy name: default-permit/6, Timeout: 588
  In: 10.10.10.202/49397 --> 10.10.1.10/22;tcp, If: ge-0/0/0.0
  Out: 10.10.1.10/22 --> 10.10.10.202/49397;tcp, If: vlan.0

 

Notice the timeout value. It will count down, and if you're hitting 0 you'll be disconnected. I get around it by putting in a keep alive in /etc/ssh/ssh_config on the client, something like 'ServerAliveInterval 120' should keep that Timeout value in your session data resetting.  If you want to disable it on the SRX and keep sessions around forever regardless of inactivity, you can specify it with the application setting:

set applications application junos-ssh inactivity-timeout never
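
An added example (not part of the post above and not Juniper tooling): a small Python parser for session output in the format quoted in that post, reporting SSH sessions that have sat idle longer than the client's keepalive interval. The sample text is constructed, and the 600-second idle timeout and 120-second keepalive are assumptions taken from the values the post mentions.

```python
import re

# Constructed sample in the format quoted in the post; the second
# session's Timeout is lowered to show a session that has gone idle.
SAMPLE = """\
Session ID: 10164, Policy name: self-traffic-policy/1, Timeout: 600
  In: 10.10.10.202/37677 --> 10.10.10.2/22;tcp, If: ge-0/0/0.0
  Out: 10.10.10.2/22 --> 10.10.10.202/37677;tcp, If: .local..0

Session ID: 16869, Policy name: default-permit/6, Timeout: 95
  In: 10.10.10.202/49397 --> 10.10.1.10/22;tcp, If: ge-0/0/0.0
  Out: 10.10.1.10/22 --> 10.10.10.202/49397;tcp, If: vlan.0
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
FLOW = re.compile(
    r"\s*(In|Out): ([^/\s]+)/(\d+) --> ([^/\s]+)/(\d+);(\w+), If: (\S+)")

def parse_sessions(text):
    """Turn the CLI text into a list of dicts, one per session."""
    sessions = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            sessions.append(
                {"id": int(h[1]), "policy": h[2], "timeout": int(h[3])})
            continue
        f = FLOW.match(line)
        if f and sessions:  # In/Out lines belong to the last header seen
            sessions[-1][f[1].lower()] = {
                "src": f[2], "sport": int(f[3]),
                "dst": f[4], "dport": int(f[5]),
                "proto": f[6], "ifname": f[7]}
    return sessions

def idle_without_keepalive(sessions, idle_timeout_s, keepalive_s, dport=22):
    """Return (id, idle_seconds, seconds_left) for sessions to dport that
    have been idle longer than the keepalive interval.

    idle_timeout_s is the configured inactivity timeout (an assumption the
    caller supplies); Timeout in the output is the time remaining."""
    report = []
    for s in sessions:
        if s.get("in", {}).get("dport") != dport:
            continue
        idle = idle_timeout_s - s["timeout"]
        if idle > keepalive_s:
            report.append((s["id"], idle, s["timeout"]))
    return report

if __name__ == "__main__":
    for sid, idle, left in idle_without_keepalive(
            parse_sessions(SAMPLE), idle_timeout_s=600, keepalive_s=120):
        print(f"session {sid}: idle {idle}s, ages out in {left}s")
```

A session that shows up in this report has seen no traffic, keepalives included, for longer than the interval the client is supposed to be using.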

 

 

Trusted Contributor
Posts: 81
Registered: ‎03-01-2010
0

Re: SRX 210 performance problem

Hmm...Are you sure? Did you try to disable auto-negotiation to see if it makes any difference?

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0

Re: SRX 210 performance problem

 


jiangu wrote:

Nope, on FE ports, as long as speed and link-mode are explicitly configured, auto-negotiation is turned off.


 

I am sorry, but in current 10 releases I am very sure you are wrong.

 

This should be the current VALID way to set the fast Ethernet port to 10m Full Duplex STATIC by disabling auto completely. I haven't extensively tested it since I mostly use the GE ports, but the following config validates on my test 210 running 10.1R3:

 

 

fe-0/0/7 {
    speed 10m;
    link-mode full-duplex;
    fastether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family ethernet-switching;
    }
}

 

 

 

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

Thanks, we decided to use one GE interface for the WAN connection. This is the original configuration:

 

ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}

 

When I apply the following configuration:

 

set interfaces ge-0/0/1 speed 10m
set interfaces ge-0/0/1 link-mode full-duplex
set interfaces ge-0/0/1 gigether-options no-auto-negotiation

delete interfaces ge-0/0/1 unit 0 family ethernet-switching
set interface ge-0/0/1 unit 0 family inet address 157.53.27.114/29

 

And then:

root@srx210# commit confirmed 10 

[edit vlans default]
  'interface ge-0/0/1.0'
    Interface ge-0/0/1.0 not enabled for switching
error: configuration check-out failed

 

What's wrong?

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010
0

Re: SRX 210 performance problem

The switching part was from one of my internal configs; it doesn't apply in your case. Look back at my gigabit example... really, the only important thing for either an fe port or a ge port is that you set no-auto-negotiation under the options section to ensure auto configure is off for that port.

Contributor
Posts: 61
Registered: ‎05-11-2010
0

Re: SRX 210 performance problem

Thanks, I understand ... the original ge-0/0/1 was the default configuration on my SRX210, so I don't get what you meant by "the switching part was from one of my internal configs, it doesn't apply in your case".

 

I want to convert ge-0/0/1 to an L3 WAN interface. My question was why my commit check failed; it is a simple configuration. I decided to move to GE anyway because I think the SRX210's GE implementation may have better capability to operate at full-duplex 10M.