SRX Services Gateway
Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: SRX 210 performance problem

Are you using one of the GE ports for the ISP connection?

 

If you use one of the two gigabit interfaces you must go under the Gigabit options to correctly disable auto negotiate or you get strange results no matter what your speed and link-mode are.

 

Your interface should look something like this for a proper 10 FULL duplex link using a GE interface. My ISP connections are the same, they are always 10 Full fixed since they use Cisco gear and Cisco almost never auto negotiates with anything but other Cisco gear reliably.

 

 

ge-0/0/1 {
    speed 10m;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            address 10.0.0.1/30;
        }
    }
}

 

 

Contributor
jiangu
Posts: 60
Registered: ‎05-11-2010

Re: SRX 210 performance problem

Thanks, unfortunately, we are using FE, we were instructed by ISP to use 10M, Full-duplex on our side, not sure why SRX still operates in half-duplex mode.

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: SRX 210 performance problem

I am fairly sure the fast Ethernet ports have a similar setting... I will try and check when I am in the office.
Contributor
jiangu
Posts: 60
Registered: ‎05-11-2010

Re: SRX 210 performance problem

Nope, on FE ports, as long as speed and link-mode are explicitly configured, auto-negotiation is turned off.

Trusted Contributor
sor
Posts: 30
Registered: ‎05-20-2010

Re: SRX 210 performance problem


As for the SSH thing, check your security flows. They may be reaching their timeouts, default is to time out, which is better so that you don't collect unused sessions.

show security flow session destination-port 22


Session ID: 10164, Policy name: self-traffic-policy/1, Timeout: 600
  In: 10.10.10.202/37677 --> 10.10.10.2/22;tcp, If: ge-0/0/0.0
  Out: 10.10.10.2/22 --> 10.10.10.202/37677;tcp, If: .local..0

Session ID: 16869, Policy name: default-permit/6, Timeout: 588
  In: 10.10.10.202/49397 --> 10.10.1.10/22;tcp, If: ge-0/0/0.0
  Out: 10.10.1.10/22 --> 10.10.10.202/49397;tcp, If: vlan.0

 

Notice the timeout value. It will count down, and if you're hitting 0 you'll be disconnected. I get around it by putting in a keep alive in /etc/ssh/ssh_config on the client, something like 'ServerAliveInterval 120' should keep that Timeout value in your session data resetting.  If you want to disable it on the SRX and keep sessions around forever regardless of inactivity, you can specify it with the application setting:

set applications application junos-ssh inactivity-timeout never;
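The session listing in the post above can be checked mechanically. The following is an added example, not part of the original post: it parses `show security flow session` output and reports sessions that have been idle longer than the client keepalive interval, which means keepalives are not resetting the timer. The 600-second inactivity timeout is an assumption taken from the highest Timeout value in the post, and the sample is constructed (the second Timeout value was changed to show an idle session).

```python
import re
from dataclasses import dataclass

# Constructed sample in the format shown in the post above.
SAMPLE = """\
Session ID: 10164, Policy name: self-traffic-policy/1, Timeout: 600
  In: 10.10.10.202/37677 --> 10.10.10.2/22;tcp, If: ge-0/0/0.0
  Out: 10.10.10.2/22 --> 10.10.10.202/37677;tcp, If: .local..0

Session ID: 16869, Policy name: default-permit/6, Timeout: 95
  In: 10.10.10.202/49397 --> 10.10.1.10/22;tcp, If: ge-0/0/0.0
  Out: 10.10.1.10/22 --> 10.10.10.202/49397;tcp, If: vlan.0
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING = re.compile(r"\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")

@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int      # seconds left before the flow is aged out
    src: str = ""
    dst: str = ""
    dst_port: int = 0
    in_if: str = ""

def parse_sessions(text):
    """Turn the multi-line session records into Session objects."""
    sessions = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sessions.append(Session(int(m[1]), m[2], int(m[3])))
            continue
        m = WING.match(line)
        if m and m[1] == "In" and sessions:
            s = sessions[-1]
            s.src, s.dst, s.dst_port, s.in_if = m[2], m[4], int(m[5]), m[7]
    return sessions

def idle_past_keepalive(sessions, inactivity_timeout=600, keepalive=120):
    """Sessions idle longer than the keepalive interval (assumed values)."""
    return [s for s in sessions if inactivity_timeout - s.timeout > keepalive]

if __name__ == "__main__":
    for s in idle_past_keepalive(parse_sessions(SAMPLE)):
        print(s.session_id, s.src, "->", s.dst, s.dst_port, "left:", s.timeout)
```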

 

 

Trusted Contributor
TRUKonsult
Posts: 81
Registered: ‎03-01-2010

Re: SRX 210 performance problem

Hmm...Are you sure? Did you try to disable auto-negotiation to see if it makes any difference?

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: SRX 210 performance problem

 


jiangu wrote:

Nope, on FE ports, as long as speed and link-mode are explicitly configured, auto-negotiation is turned off.


 

I am sorry but in current 10 releases I am very sure you are wrong.

 

This should be the current VALID way to set the fast Ethernet port to 10m Full Duplex STATIC by disabling auto completely. I haven't extensively tested it since I mostly use the GE ports, but the following config validates on my test 210 running 10.1R3:

 

 

fe-0/0/7 {
    speed 10m;
    link-mode full-duplex;
    fastether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family ethernet-switching;
    }
}
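A check for the condition this post describes, as an added example that is not part of the original post: it parses an interfaces stanza in Junos curly-brace format and lists ge-/fe- ports that force speed or link-mode without `no-auto-negotiation` under their options block. The sample config is constructed; `fe-0/0/2` is a made-up port used to show a flagged case.

```python
import re

# Constructed sample: ge-0/0/1 follows the thread, fe-0/0/2 is hypothetical.
SAMPLE = """\
ge-0/0/1 {
    speed 10m;
    link-mode full-duplex;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            address 10.0.0.1/30;
        }
    }
}
fe-0/0/2 {
    speed 10m;
    link-mode full-duplex;
}
"""

def parse_block(lines, pos=0):
    """Parse 'name { ... }' and 'statement;' lines into a nested dict."""
    node = {}
    while pos < len(lines):
        line = lines[pos].strip()
        pos += 1
        if line.endswith("{"):
            node[line[:-1].strip()], pos = parse_block(lines, pos)
        elif line == "}":
            break
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            node[key] = value or True
    return node, pos

def forced_without_no_autoneg(config_text):
    """Ports with a forced speed/duplex but no no-auto-negotiation knob."""
    tree, _ = parse_block(config_text.splitlines())
    flagged = []
    for name, body in tree.items():
        if not re.match(r"(ge|fe)-", name) or not isinstance(body, dict):
            continue
        forced = "speed" in body or "link-mode" in body
        opts = body.get("gigether-options") or body.get("fastether-options") or {}
        if forced and "no-auto-negotiation" not in opts:
            flagged.append(name)
    return flagged
```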

 

 

 

Contributor
jiangu
Posts: 60
Registered: ‎05-11-2010

Re: SRX 210 performance problem

Thanks, we decided to use one GE interface for WAN connection, this is the original configuration:

 

ge-0/0/1 {
    unit 0 {
        family ethernet-switching;
    }
}

 

When I apply the following configuration:

 

set interfaces ge-0/0/1 speed 10m
set interfaces ge-0/0/1 link-mode full-duplex
set interfaces ge-0/0/1 gigether-options no-auto-negotiation

delete interfaces ge-0/0/1 unit 0 family ethernet-switching
set interface ge-0/0/1 unit 0 family inet address 157.53.27.114/29

 

And then:

root@srx210# commit confirmed 10 

[edit vlans default]
  'interface ge-0/0/1.0'
    Interface ge-0/0/1.0 not enabled for switching
error: configuration check-out failed

 

What's wrong?

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: SRX 210 performance problem

The switching part was from one of my internal configs, it doesn't apply in your case. Look back at my gigabit example... really the only important thing for either a fe port or ge port is that you set no-auto-negotiation under the options section to ensure auto configure is off for that port.

Contributor
jiangu
Posts: 60
Registered: ‎05-11-2010

Re: SRX 210 performance problem

Thanks, I understand ... the original ge-0/0/1 was default configuration on my SRX210, so I don't get what you said: "The switching part was from one of my internal configs, it doesn't apply in your case".

 

I want to convert ge-0/0/1 to a L3 WAN interface. My problem was why my commit check failed; it is a simple configuration. I decided to move to GE anyway because I think SRX210's GE implementation may have better capability to operate at full duplex 10M.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.