SRX Services Gateway
Contributor
daemon699
Posts: 17
Registered: ‎03-10-2011

SRX IPSEC poor performance

Hello!

I'm testing a site-to-site VPN with SRX240H on both endpoints. Unfortunately, I can get only 50Mbit/s throughput, which is far lower than what I expected. Using des/md5 instead of aes/sha doesn't change anything, and CPU usage is always low.

I need any tips on performance troubleshooting and tuning, please.

P.S. I've got 10.0R3.10 on both devices.

--

Regards, Ilya

Contributor
vizmur
Posts: 23
Registered: ‎01-03-2011

Re: SRX IPSEC poor performance

Try 10.2R3.10

Contributor
Kurlon
Posts: 28
Registered: ‎02-19-2010

Re: SRX IPSEC poor performance

You've set 'security flow tcp-mss ipsec-vpn mss 1350' already, correct?  (Adjust for your path of course, this assumes a 1500 MTU minimum between endpoints.)  Fragmentation will slash throughput on these units.  RSync across IPSec between two 240s without the mss adjust averages a paltry 2MB/sec for example compared to 20MB/sec with.
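The MSS clamp discussed in the reply above exists because ESP encapsulation adds bytes to every packet. The following is an added example, not part of the original thread: it computes the tunnel-mode overhead for the aes/sha and des/md5 proposals mentioned and checks whether a given MSS fits a path MTU. It assumes IPv4 inside and outside, ESP tunnel mode, CBC ciphers with 96-bit HMAC, and no IP options; all function names are illustrative.

```python
# Added example: ESP tunnel-mode overhead and the largest TCP MSS that avoids
# fragmentation. Assumes IPv4 inside and outside, no IP options.
import math

IP_HDR, TCP_HDR, ESP_HDR, NATT_UDP = 20, 20, 8, 8  # bytes; ESP_HDR = SPI + sequence number
ESP_TRAILER = 2                                     # pad-length + next-header bytes

# (cipher block size, IV length, ICV length) in bytes for the proposals named in the thread
PROPOSALS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "des-cbc/hmac-md5-96": (8, 8, 12),
}

def esp_packet_size(inner_len, proposal, nat_t=False):
    """Size of the outer IPv4 packet carrying an inner packet of inner_len bytes."""
    block, iv, icv = PROPOSALS[proposal]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IP_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_mss(path_mtu, proposal, nat_t=False):
    """Largest TCP MSS whose full-size segments fit in path_mtu after encapsulation."""
    block, iv, icv = PROPOSALS[proposal]
    room = path_mtu - IP_HDR - (NATT_UDP if nat_t else 0) - ESP_HDR - iv - icv
    inner = (room // block) * block - ESP_TRAILER
    return inner - IP_HDR - TCP_HDR

def fragments(mss, path_mtu, proposal, nat_t=False):
    """True if a full-size segment at this MSS exceeds path_mtu once encapsulated."""
    return esp_packet_size(mss + IP_HDR + TCP_HDR, proposal, nat_t) > path_mtu

if __name__ == "__main__":
    for name in PROPOSALS:
        print(name, "max MSS at MTU 1500:", max_mss(1500, name))
    for mss in (1460, 1350):  # Ethernet default vs. the value used in the thread
        print("MSS", mss, "fragments:", fragments(mss, 1500, "aes-cbc/hmac-sha1-96"))
```

With a 1500-byte path, an unclamped 1460-byte MSS produces 1560-byte ESP packets that must be fragmented, while 1350 yields 1448-byte packets and leaves headroom for extra encapsulation such as NAT-T or PPPoE.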

Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

Re: SRX IPSEC poor performance

Hey,

I added the code:

security flow tcp-mss ipsec-vpn mss 1350

on both ends of my IPsec tunnel and it vastly improved end to end performance.

Paul

Contributor
daemon699
Posts: 17
Registered: ‎03-10-2011

Re: SRX IPSEC poor performance

Hello!

Of course I already have 'security flow tcp-mss ipsec-vpn mss 1350' in my config! What else can I tune?

Specification on 240 says IPSEC performance should be up to 250Mbit/s, but I've only got 50Mbit/s :(

Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: SRX IPSEC poor performance

50 is a little low. You should get about 110 in IMIX, and about 30 in worst-case 64-byte packets. Do you know the packet size / packet mix you are sending through the tunnel?

I'd re-test with 10.2r3. Are these devices in a lab or in production? Verifying "the usual suspects" like duplex and issues with the circuit may be worthwhile.

Contributor
daemon699
Posts: 17
Registered: ‎03-10-2011

Re: SRX IPSEC poor performance

The devices are in pre-production state, so consider them in lab now. I'm transferring files by http or ftp, so packets are large. No other traffic is going through tunnel during my tests. As for duplex and other issues, everything is ok - I've tested throughput in 'routed' configuration (without VPN), and then transfer speed goes to the max.

Visitor
jwoolard
Posts: 7
Registered: ‎08-25-2010

Re: SRX IPSEC poor performance

Was this ever resolved?

I am seeing the same issue - individual sessions only achieve 800-1200Kb/s (on bulk TCP file transfers), and total performance seems to max out at about 3Mb across all sessions.

I have the tcp-mss set and am using the standard proposal set for the ipsec policy.

As noted above, routed performance maxes out at (more or less) line speed. The same is true if I apply a simple NAT rule.

Recognized Expert
Visitor
Posts: 121
Registered: ‎08-30-2010

Re: SRX IPSEC poor performance

Hi Ilya,

For high file transfers there are retransmissions that cause latency.

Try the following command on both sides and this will ensure that there are no packet drops on the SRX.

#set security flow tcp-session no-sequence-check

Regards,

Visitor

Contributor
AidanOS
Posts: 47
Registered: ‎09-27-2009

Re: SRX IPSEC poor performance

Disabling sequence checking is unadvisable for a firewall. There was even recent news recommending strict sequence checking to protect against certain types of attacks. If you must proceed I'd recommend looking at the 11.2 code as you can selectively enable/disable it per policy.

Thanks.
