I'm testing a site-to-site VPN with SRX240H on both endpoints. Unfortunately, I can get only 50Mbit/s throughput, which is far lower from what I expected. Using des/md5 instead of aes/sha doesn't change anything, and cpu usage is always low.
I need any tips on performance troubleshooting and tuning, please.
You've set 'security flow tcp-mss ipsec-vpn mss 1350' already, correct? (Adjust for your path of course, this assumes a 1500 MTU minimum between endpoints.) Fragmentation will slash throughput on these units. RSync across IPSec between two 240s without the mss adjust averages a paltry 2MB/sec for example compared to 20MB/sec with.
50 is a little low. You should get about 110 in IMIX, and about 30 in worst-case 64-byte packets.Do you know the packet size / packet mix you are sending through the tunnel?
I'd re-test with 10.2r3. Are these devices in a lab or in production? Verifying "the usual suspects" like duplex and issues with the circuit may be worthwhile.
The devices are in pre-production state, so consider them in lab now. I'm transferring files by http or ftp, so packets are large. No other traffic is going through tunnel during my tests. As for duplex and other issues, everything is ok - I've tested throughput in 'routed' configuration (without VPN), and then transfer speed goes to the max.
I am seeing the same issue - individual sessions only achieve 800-1200Kb/s (on bulk TCP file transfers), and total performance seems to max out atabout 3Mb across all sessions.
I have the tcp-mss set and am using the standard proposal set for the ipsec policy.
As noted above, routed performance maxes out at (more or less) line speed. The same is true if I apply a simple NAT rule.
Disabling sequence checking is unadvisable for a firewall. There was even recent news recommend strict sequence checking to protect against certain types of attacks. If you must proceed I'd recommend looking at the 11.2 code as you can selectively enable/disable it per policy.
