SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Slow downloads on the client computers behind nat SRX 210

  • 1.  Slow downloads on the client computers behind nat SRX 210

    Posted 07-09-2012 21:49

    Hi! I'm setting up an SRX 210.

    Model: srx210he
    JUNOS Software Release [12.1R1.9]
    I have a problem: using default values, I get very slow HTTP/FTP downloads on the users' PCs behind the SRX210.

    It looks like download speed is limited per connection by default.

    For example, downloading an ISO image from ftp://ftp.freebsd.org shows a download speed of about 30-50 kilobytes per second.

    My old PC-based Linux router gives a speed on this site of over 1,5 megabytes/sec using the same ISP.

    This is part of my config (all simple, there is nothing non-standard):

    NAT

    source {
        rule-set default-nat-rule {
            from zone trusted;
            to zone untrusted;
            rule default-nat {
                match {
                    source-address 192.168.0.0/16;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }

    POLICIES

    from-zone trusted to-zone untrusted {
        policy nat_list {
            match {
                source-address nat_list_set;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tcp-options {
                        syn-check-required;
                        sequence-check-required;
                    }
                }
            }
        }
    }


     

    I tried reducing the MTU/MSS values, disabled UTM, set dns maximum-message-length 8192... None of it has any effect.


    Please help!



  • 2.  RE: Slow downloads on the client computers behind nat SRX 210

     
    Posted 07-09-2012 22:47

    At the very least, I would upgrade to the latest 12.1 release, which is 12.1R2.9.



  • 3.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 00:18

    I upgraded last week to 12.1R2.9, but the problem was not solved. This firmware version does not contain the HTTP server for managing the SRX (I'm a beginner in JunOS and console-only management is not enough for me), so I rolled back to 12.1R1.9.



  • 4.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 00:28

    Hi

     

    I have a 210H and a 100H, and both are running 12.1R2.9 and have J-Web running fine.

    Regarding the slow speed: check the duplex/speed on your WAN port, assuming you are using an Ethernet-based device.

    If you are using an ADSL/VDSL PIM, then ignore this.

    I did have very slow performance, and it was down to MTU/MSS and the screen IDS being too restrictive.

     

    Security:

     

    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        tcp-mss {
            all-tcp {
                mss 1452;
            }
            ipsec-vpn {
                mss 1400;
            }
        }
        tcp-session {
            rst-invalidate-session;
            rst-sequence-check;
            strict-syn-check;
        }
    }

    screen {
        ids-option untrust-screen {
            icmp {
                large;
                ping-death;
            }
            ip {
                bad-option;
                security-option;
                inactive: spoofing;
                ##### If you get your WAN IP via PPP or DHCP then you need to disable spoofing.
                source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 10;
                }
                land;
                winnuke;
            }
        }
    }



  • 5.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:19

    Thank you, johnrbaker, for the example security configuration!

    But it does not resolve my problem.

     

    I found out that the problem persists when downloading files via FTP, but over HTTP everything works fine: download speed equals WAN speed.

     

    If somebody downloads a file via FTP, the logs on the SRX210 look like this:

    Session ID: 57798, Policy name: nat_list/6, Timeout: 1738, Valid
    Resource information : FTP ALG, 2, 0
      In: 192.168.0.7/45411 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 20, Bytes: 1084
      Out: 204.152.184.73/21 --> 62.117.117.20/4326;tcp, If: fe-0/0/2.0, Pkts: 34, Bytes: 2213

     

    I already turned off the ALG in security (set alg ftp disable),

    now the logs look like this:

    Session ID: 58935, Policy name: nat_list/6, Timeout: 1754, Valid
      In: 192.168.0.7/42625 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 1532
      Out: 204.152.184.73/21 --> 62.117.117.20/26887;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2679

     

    But it still does not resolve the problem... Downloads via FTP are still too slow.

     

    I still need help.

     



  • 6.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:24

    Hi

     

    Are you running the FTP ALG?  If so, try disabling it.

     

    What FTP client are you running?



  • 7.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:36

    I currently have the FTP ALG disabled, but it did not help me.

    Download speed via FTP is still slow.

    Now I use the built-in FTP client in the browsers Firefox and IE.

     

    > show security alg status
    ALG Status :
      DNS      : Enabled
      FTP      : Disabled
      H323     : Enabled
      MGCP     : Enabled
      MSRPC    : Enabled
      PPTP     : Enabled
      RSH      : Enabled
      RTSP     : Enabled
      SCCP     : Enabled
      SIP      : Enabled
      SQL      : Enabled
      SUNRPC   : Enabled
      TALK     : Enabled
      TFTP     : Enabled
      IKE-ESP  : Disabled




  • 8.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:39

    FYI

     

    Apart from the IKE ALG, unless you need to, disable all ALGs.  They can cause a lot of issues (streaming video, etc.).

     

    What is your MSS/MTU value?  What is your WAN connection type?



  • 9.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-11-2012 23:42

    I turned off all ALGs and now I have

    > show security alg status
    ALG Status :
      DNS      : Disabled
      FTP      : Disabled
      H323     : Disabled
      MGCP     : Disabled
      MSRPC    : Disabled
      PPTP     : Disabled
      RSH      : Disabled
      RTSP     : Disabled
      SCCP     : Disabled
      SIP      : Disabled
      SQL      : Disabled
      SUNRPC   : Disabled
      TALK     : Disabled
      TFTP     : Disabled
      IKE-ESP  : Disabled

    But the speed of FTP downloads still remains at 25-35 kb/sec.

     

    I use mtu 1472 and mss 1300. Also set 'path-mtu-discovery'.

    WAN connection type - ethernet.



  • 10.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 02:40

    May I ask why you are using syn-check-required and sequence-check-required?

     

    Kind regards,

    Sebastian



  • 11.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:26

    Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check


    For internal nets I use

    no syn-check-required; and no sequence-check-required;



  • 12.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:34

    @moslift wrote:

    Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check


    For internal nets I use

    no syn-check-required; and no sequence-check-required;


    Are you expecting asynchronous traffic?



  • 13.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 05:56

    @gosi wrote:

    @moslift wrote:

    Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check


    For internal nets I use

    no syn-check-required; and no sequence-check-required;


    Are you expecting asynchronous traffic?


    Probably not. Are you advising me to globally turn off syn-check and sequence-check?



  • 14.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-10-2012 10:41

    @moslift wrote:
    Probably not. Are you advising me to globally turn off syn-check and sequence-check?

    No, you should be fine. Could you please run flow traceoptions to capture the traffic from your slow FTP transfer?

     

    Kind regards,

    Sebastian



  • 15.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 00:18

    > show security flow session source-prefix 192.168.0.7 destination-port 21
    Session ID: 4496, Policy name: nat_list/6, Timeout: 1764, Valid
      In: 192.168.0.7/50189 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 25, Bytes: 1616
      Out: 204.152.184.73/21 --> 62.117.117.20/2065;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2678
    Total sessions: 1

    Policies are:

     

    from-zone trusted to-zone untrusted {
        policy nat_list {
            match {
                source-address nat_list_set;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tcp-options {
                        syn-check-required;
                        sequence-check-required;
                    }
                }
            }
        }
    }
    default-policy {
        deny-all;
    }

     

    And I add to nat_list the IP addresses that need internet access (for example the proxy server).
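The `show security flow session` output in posts 5 and 15 is where the NAT translation and the ALG attachment can be read off: the In wing is the private client talking to the server, the Out wing is the server's reply addressed to the translated WAN address/port, and the "Resource information" line is only present while an ALG owns the session. The following parser is an added example, not part of the thread; its sample input is constructed from the sessions posted above (one with the FTP ALG attached, one after the ALG was disabled).

```python
import re

# Constructed sample in the format of `show security flow session` as posted in the
# thread: session 57798 with the FTP ALG attached, 58935 after `set security alg ftp disable`.
SAMPLE = """\
Session ID: 57798, Policy name: nat_list/6, Timeout: 1738, Valid
Resource information : FTP ALG, 2, 0
  In: 192.168.0.7/45411 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 20, Bytes: 1084
  Out: 204.152.184.73/21 --> 62.117.117.20/4326;tcp, If: fe-0/0/2.0, Pkts: 34, Bytes: 2213
Session ID: 58935, Policy name: nat_list/6, Timeout: 1754, Valid
  In: 192.168.0.7/42625 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 1532
  Out: 204.152.184.73/21 --> 62.117.117.20/26887;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2679
Total sessions: 2
"""

HEAD_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
RES_RE = re.compile(r"^Resource information : ([^,]+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return a list of session dicts; each has 'In' and 'Out' wing dicts and 'alg'."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            cur = {"id": int(m[1]), "policy": m[2], "timeout": int(m[3]),
                   "state": m[4], "alg": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = RES_RE.match(line)
        if m:
            cur["alg"] = m[1].strip()          # e.g. "FTP ALG"; absent once the ALG is off
            continue
        m = WING_RE.match(line)
        if m:
            cur[m[1]] = {"src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]),
                         "proto": m[6], "if": m[7], "pkts": int(m[8]), "bytes": int(m[9])}
    return sessions

def nat_translation(sess):
    """Return (private client, (translated WAN address, port)) as the Out wing reveals it,
    or None if the two wings do not describe an interface source NAT of the In wing."""
    i, o = sess["In"], sess["Out"]
    if o["src"] != i["dst"] or o["sport"] != i["dport"] or o["dst"] == i["src"]:
        return None
    return i["src"], (o["dst"], o["dport"])
```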



  • 16.  RE: Slow downloads on the client computers behind nat SRX 210
    Best Answer

    Posted 07-12-2012 00:38

    Hi

     

    I am still getting slow FTP from the main FreeBSD site.

     

    Try one of its mirrors

     

    ftp://ftp.uk.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/9.0/

     

    My speed went from 300 to 1500KB/s



  • 17.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 02:24

    Hmm... Using this mirror I get 600 kb/sec.
    It looks like the wrong mirror was chosen by default...
    But the question arose because my old FreeBSD-based router, using the same channel and the same ISP, shows 1,5 megabytes per second. I thought that the problem was likely to appear on other sites too...
    It turns out that the SRX is working properly.
    Thanks a lot for your help!



  • 18.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-11-2012 23:59
    Hi

    Your MTU value could still be an issue. Try 1452 or even lower.

    What are the settings for your Ethernet WAN port? 100/Full? Auto?


    However, I have just tried to FTP from the same site and I am only getting 300-400 KB/s.


  • 19.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 00:48

    100Mb, link-mode-auto.

     

    I set mtu to 1452, then 1432, then to 1400. Problem still persists.

     

    The command > show interfaces fe-0/0/2

    shows me

    Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps

     

    But in the configuration I set 1452!

    Which should I believe?



  • 20.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 00:54

    The Ethernet link MTU is separate from the IP MSS value.  Don't worry about it.

     

    Does any other type of traffic have any speed/performance issues?

     

    What is the modem/router that the SRX is connected to?

     

    Are you running any UTM on the SRX?

     

    I would still suggest upgrading to 12.1R2.9



  • 21.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 02:27

    Other types of traffic do not have performance issues.

    UTM is off.



  • 22.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 00:59

    Also

     

    Run

     

    show interfaces fe-0/0/2 statistics detail

     

     

    Look for the Input/Output errors



  • 23.  RE: Slow downloads on the client computers behind nat SRX 210

    Posted 07-12-2012 02:29

    Looks like there is no issue in interface information.

    > show interfaces fe-0/0/2 statistics detail
    Physical interface: fe-0/0/2, Enabled, Physical link is Up
      Interface index: 136, SNMP ifIndex: 517, Generation: 139
      Description: ISP1
      Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None,
      MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
      Device flags   : Present Running
      Interface flags: SNMP-Traps Internal: 0x0
      CoS queues     : 8 supported, 8 maximum usable queues
      Hold-times     : Up 0 ms, Down 0 ms
      Current address: 64:87:88:13:94:42, Hardware address: 64:87:88:13:94:42
      Last flapped   : 2012-07-02 04:07:23 UTC (1w3d 05:15 ago)
      Statistics last cleared: Never
      Traffic statistics:
       Input  bytes  :           5146752440                  664 bps
       Output bytes  :            483722908                    0 bps
       Input  packets:              4951917                    0 pps
       Output packets:              4408587                    0 pps
      Input errors:
        Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0,
        L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
      Output errors:
        Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0,
        HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
      Egress queues: 8 supported, 4 in use
      Queue counters:       Queued packets  Transmitted packets      Dropped packets
        0 best-effort              4408900              4408900                    0
        1 expedited-fo                   0                    0                    0
        2 assured-forw                   0                    0                    0
        3 network-cont                   0                    0                    0
      Queue number:         Mapped forwarding classes
        0                   best-effort
        1                   expedited-forwarding
        2                   assured-forwarding
        3                   network-control
      Active alarms  : None
      Active defects : None
      Interface transmit statistics: Disabled

      Logical interface fe-0/0/2.0 (Index 70) (SNMP ifIndex 518) (Generation 139)
        Flags: SNMP-Traps 0x0 Encapsulation: ENET2
        Traffic statistics:
         Input  bytes  :           5132358233
         Output bytes  :            460864839
         Input  packets:              4931648
         Output packets:              4394463
        Local statistics:
         Input  bytes  :            131225392
         Output bytes  :            115187736
         Input  packets:              1005778
         Output packets:               539380
        Transit statistics:
         Input  bytes  :           5001132841                    0 bps
         Output bytes  :            345677103                    0 bps
         Input  packets:              3925870                    0 pps
         Output packets:              3855083                    0 pps
        Security: Zone: untrusted
        Allowed host-inbound traffic : bgp ping ssh
        Flow Statistics :  
        Flow Input statistics :
          Self packets :                     525676
          ICMP packets :                     949
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        5050867939
          Connections established :          41346
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        454835135
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  1385
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 39       
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       0
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 307
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 1472, Generation: 153, Route table: 0
          Flags: Sendbcast-pkt-to-re, User-MTU
          Addresses, Flags: Is-Preferred Is-Primary