SRX Services Gateway
Contributor
Posts: 17
Registered: ‎03-10-2011
0 Kudos

SRX IPSEC poor performance

Hello!

 

I'm testing a site-to-site VPN with SRX240H on both endpoints. Unfortunately, I can get only 50Mbit/s throughput, which is far lower than what I expected. Using des/md5 instead of aes/sha doesn't change anything, and CPU usage is always low.

I need any tips on performance troubleshooting and tuning, please.

 

P.S. I've got 10.0R3.10 on both devices.

 

--

Regards, Ilya

 

Contributor
Posts: 24
Registered: ‎01-03-2011
0 Kudos

Re: SRX IPSEC poor performance

Try 10.2R3.10

Contributor
Posts: 28
Registered: ‎02-19-2010

Re: SRX IPSEC poor performance

You've set 'security flow tcp-mss ipsec-vpn mss 1350' already, correct?  (Adjust for your path of course, this assumes a 1500 MTU minimum between endpoints.)  Fragmentation will slash throughput on these units.  RSync across IPSec between two 240s without the mss adjust averages a paltry 2MB/sec for example compared to 20MB/sec with.
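The MSS advice above comes down to arithmetic on the ESP encapsulation: a full 1460-byte segment plus its inner IP/TCP headers no longer fits in a 1500-byte outer packet once the ESP header, IV, padding, trailer and ICV are added, so every segment becomes two fragments. The following Python script is an added example, not code from anyone in this thread or from Juniper; it computes the on-the-wire size of an ESP tunnel-mode packet for a given MSS and finds the largest fragment-free MSS for a path MTU. The header lengths follow RFC 4303 (ESP) and RFC 3948 (NAT-T UDP encapsulation); the cipher parameters (AES-CBC with HMAC-SHA1-96 by default, 3DES/MD5 as an alternative) are assumptions chosen to mirror the proposals mentioned in the thread, and the inner headers assume IPv4 and TCP without options.

```python
# Added example (not from the thread): estimate the on-the-wire size of a TCP
# segment once it is wrapped in ESP tunnel mode, and find the largest MSS that
# still fits the path MTU without fragmentation. All sizes are in bytes.

OUTER_IPV4_HDR = 20   # new IP header added by tunnel mode
INNER_IPV4_TCP = 40   # inner IPv4 (20) + TCP (20), no TCP options (assumption)
ESP_HDR = 8           # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2       # pad length (1) + next header (1), RFC 4303
NAT_T_UDP_HDR = 8     # UDP header when NAT traversal encapsulates ESP, RFC 3948


def esp_packet_size(mss, block=16, iv_len=16, icv_len=12, nat_t=False,
                    inner_hdr=INNER_IPV4_TCP):
    """Outer IPv4 packet length for a full-size TCP segment of `mss` bytes.

    block   - cipher block size: 16 for AES, 8 for DES/3DES
    iv_len  - explicit CBC IV: 16 for AES, 8 for DES/3DES
    icv_len - integrity check value: 12 for HMAC-MD5-96 / HMAC-SHA1-96,
              16 for HMAC-SHA256-128
    """
    inner = inner_hdr + mss
    # ESP pads so that payload + padding + trailer is a whole number of blocks.
    pad = (-(inner + ESP_TRAILER)) % block
    size = OUTER_IPV4_HDR + ESP_HDR + iv_len + inner + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += NAT_T_UDP_HDR
    return size


def fragments(mss, path_mtu, **kw):
    """True if a segment of `mss` bytes would exceed `path_mtu` after ESP."""
    return esp_packet_size(mss, **kw) > path_mtu


def max_mss(path_mtu, **kw):
    """Largest MSS whose encrypted packet still fits in `path_mtu`."""
    for mss in range(path_mtu, 0, -1):
        if not fragments(mss, path_mtu, **kw):
            return mss
    raise ValueError("no MSS fits the given path MTU")


if __name__ == "__main__":
    mtu = 1500
    for mss in (1460, 1398, 1350):
        print(f"MSS {mss}: ESP packet {esp_packet_size(mss)} bytes, "
              f"fragments={fragments(mss, mtu)}")
    print("largest fragment-free MSS, AES/SHA1:", max_mss(mtu))
    print("largest fragment-free MSS, AES/SHA1 + NAT-T:", max_mss(mtu, nat_t=True))
    print("largest fragment-free MSS, 3DES/MD5:", max_mss(mtu, block=8, iv_len=8))
```

With a 1500-byte path MTU the script reports that the default MSS of 1460 yields a 1560-byte ESP packet (fragmented), that 1398 is the largest MSS that fits for AES/SHA1 and 1382 with NAT-T, and that 1350 leaves headroom below both; it also shows why switching to DES/MD5 barely moves the limit (1406), which matches the original poster's observation that the cipher choice made no difference.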

Contributor
Posts: 127
Registered: ‎11-05-2010
0 Kudos

Re: SRX IPSEC poor performance

Hey,

I added the code:

 

security flow tcp-mss ipsec-vpn mss 1350

 

on both ends of my IPsec tunnel and it vastly improved end to end performance.

 

Paul

Contributor
Posts: 17
Registered: ‎03-10-2011
0 Kudos

Re: SRX IPSEC poor performance

Hello!

 

Of course I already have 'security flow tcp-mss ipsec-vpn mss 1350' in my config! What else can I tune?

The specification for the 240 says IPSEC performance should be up to 250Mbit/s, but I've only got 50Mbit/s :(

 

Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SRX IPSEC poor performance

50 is a little low. You should get about 110 in IMIX, and about 30 in worst-case 64-byte packets. Do you know the packet size / packet mix you are sending through the tunnel?

 

I'd re-test with 10.2r3. Are these devices in a lab or in production? Verifying "the usual suspects" like duplex and issues with the circuit may be worthwhile.

 

Contributor
Posts: 17
Registered: ‎03-10-2011
0 Kudos

Re: SRX IPSEC poor performance

The devices are in pre-production state, so consider them in lab now. I'm transferring files by http or ftp, so packets are large. No other traffic is going through tunnel during my tests. As for duplex and other issues, everything is ok - I've tested throughput in 'routed' configuration (without VPN), and then transfer speed goes to the max.

Visitor
Posts: 7
Registered: ‎08-25-2010
0 Kudos

Re: SRX IPSEC poor performance

Was this ever resolved?

 

I am seeing the same issue - individual sessions only achieve 800-1200Kb/s (on bulk TCP file transfers), and total performance seems to max out at about 3Mb across all sessions.

 

I have the tcp-mss set and am using the standard proposal set for the ipsec policy.

 

As noted above, routed performance maxes out at (more or less) line speed. The same is true if I apply a simple NAT rule.

Recognized Expert
Posts: 121
Registered: ‎08-30-2010
0 Kudos

Re: SRX IPSEC poor performance


Hi Ilya,

 

For large file transfers there are retransmissions that cause latency.

Try the following command on both sides; this will ensure that there are no packet drops on the SRX.

 

#set security flow tcp-session no-sequence-check

 

 Regards,

 Visitor

 


Contributor
Posts: 47
Registered: ‎09-27-2009
0 Kudos

Re: SRX IPSEC poor performance

Disabling sequence checking is unadvisable for a firewall.  There was even recent news recommending strict sequence checking to protect against certain types of attacks.  If you must proceed I'd recommend looking at the 11.2 code as you can selectively enable/disable it per policy.

 

Thanks.

Recognized Expert
Posts: 121
Registered: ‎08-30-2010
0 Kudos

Re: SRX IPSEC poor performance

Hi Aidan,

 

I agree with your view that disabling syn-check is unadvisable for a firewall, but there are instances when the packets sent by the server are out of sequence and these packets are dropped by the firewall.

In those instances it is a trade-off with security. The selective enabling/disabling of sequence check per policy is supported from 10.4R2 onwards. Ref: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266

 

Regards,

Visitor

Visitor
Posts: 7
Registered: ‎08-25-2010
0 Kudos

Re: SRX IPSEC poor performance

Good Morning,

 

I already had syn-checking disabled - and checked that no traceoptions were set anywhere.

 

Thanks

Visitor
Posts: 7
Registered: ‎08-25-2010
0 Kudos

Re: SRX IPSEC poor performance

Another thought: is it possible to see a counter of packets/data dropped due to VPN processing failing (as might happen when the MSS is too high)?

New User
Posts: 1
Registered: ‎02-24-2014
0 Kudos

Re: SRX IPSEC poor performance

I am guessing that in 2 years - no solution was found or none was posted here?  I am experiencing the same thing - poor performance on a line that does have high latency - 150 ms (London to West Coast US).

 

No matter what settings I do, I am also seeing fairly poor performance on a 100Mbit link on our end and 20Mbit link on the UK side.  I am seeing about 2-3Mbit performance - very poor.

 

Bill

Recognized Expert
Posts: 269
Registered: ‎01-18-2010
0 Kudos

Re: SRX IPSEC poor performance

Max throughput of TCP/IP @150 ms is only 3.5Mb/s at standard window size. Unless you're pushing multiple streams or using some sort of WAN optimization you won't get much more than 2-3Mb/s.
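The figure in the reply above is the bandwidth-delay product: a single TCP stream can never carry more than its receive window per round trip, so a 65535-byte window over 150 ms caps out at about 3.5 Mb/s regardless of the link or the VPN. The script below is an added example, not code from anyone in this thread; it reproduces that number and goes one step further by computing the window (and the RFC 7323 window-scale shift) a link of a given rate would need at that RTT, and how many parallel streams would be required without window scaling. The RTT and link rates are the ones posted above; the 65535-byte default window is the largest value a TCP header can advertise without the window-scale option.

```python
# Added example (not from the thread): TCP throughput limits implied by the
# bandwidth-delay product, to reproduce the "3.5 Mb/s at 150 ms" figure and to
# show what receive window (and RFC 7323 window scale) a link would need.
import math

DEFAULT_WINDOW = 65535  # largest window advertisable without window scaling


def max_tcp_throughput_bps(window_bytes, rtt_seconds):
    """One TCP stream cannot exceed window / RTT, whatever the link rate."""
    return window_bytes * 8 / rtt_seconds


def window_needed_bytes(link_bps, rtt_seconds):
    """Receive window required to keep a link of `link_bps` full at this RTT."""
    return math.ceil(link_bps * rtt_seconds / 8)


def window_scale_needed(window_bytes):
    """Smallest RFC 7323 shift count whose scaled 16-bit window covers `window_bytes`."""
    shift = 0
    while (DEFAULT_WINDOW << shift) < window_bytes:
        shift += 1
        if shift > 14:  # RFC 7323 caps the shift count at 14
            raise ValueError("window exceeds the maximum scale factor")
    return shift


def streams_needed(target_bps, window_bytes, rtt_seconds):
    """Parallel streams needed to reach `target_bps` without window scaling."""
    return math.ceil(target_bps / max_tcp_throughput_bps(window_bytes, rtt_seconds))


if __name__ == "__main__":
    rtt = 0.150  # London to US West Coast, as posted in the thread
    single = max_tcp_throughput_bps(DEFAULT_WINDOW, rtt)
    print(f"single stream, 64 KiB window, {rtt*1000:.0f} ms RTT: {single/1e6:.2f} Mb/s")
    for link in (20e6, 100e6):  # the two link rates posted in the thread
        need = window_needed_bytes(link, rtt)
        print(f"{link/1e6:.0f} Mb/s link: window to fill it = {need} bytes "
              f"(window scale shift {window_scale_needed(need)}); "
              f"streams needed without scaling = {streams_needed(link, DEFAULT_WINDOW, rtt)}")
```

The script shows why the 20 Mbit UK side needs roughly six parallel streams to fill at this latency, or a receive window of 375,000 bytes (scale shift 3) on a single stream, and why the 100 Mbit side would need a window of about 1.9 MB (scale shift 5). Before blaming the SRX, it is worth confirming with a packet capture that the endpoints actually negotiated window scaling in the SYN exchange; a firewall or host that strips or ignores the option pins every stream to the 64 KiB ceiling.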