---

gosi wrote:

---

moslift wrote:

Sebastian, these options i use only on wan interfaces following these recommendations http://jsrx.juniperwiki.com/index.php?title=Syn_Check

For internal nets i use

no syn-check-required; and no sequence-check-required;

---

Are you expecting asynchronous traffic?

---

Probably no, are you advise to globally turn off syn-check and sequence-check?

I turned off all ALG and now I have

 >show security alg status    
ALG Status :
  DNS      : Disabled
  FTP      : Disabled
  H323     : Disabled
  MGCP     : Disabled
  MSRPC    : Disabled
  PPTP     : Disabled
  RSH      : Disabled
  RTSP     : Disabled
  SCCP     : Disabled
  SIP      : Disabled
  SQL      : Disabled
  SUNRPC   : Disabled
  TALK     : Disabled
  TFTP     : Disabled
  IKE-ESP  : Disabled

But speed ftp downloads still remain at 25-35 kb/sec

 

I use mtu 1472 and mss 1300. Also set 'path-mtu-discovery'.

WAN connection type - ethernet.

Hi

Your MTU value could still be an issue. Try 1452 to even lower.

What are the setting for your Ethernet WAN port? 100/Full Auto?


However I have just tried to ftp from the same site and I am only getting 300-400KBps

> show security flow session source-prefix 192.168.0.7 destination-port 21
Session ID: 4496, Policy name: nat_list/6, Timeout: 1764, Valid
  In: 192.168.0.7/50189 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 25, Bytes: 1616
  Out: 204.152.184.73/21 --> 62.117.117.20/2065;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2678
Total sessions: 1

Policies are:

 

from-zone trusted to-zone untrusted {
            policy nat_list {
                match {
                    source-address nat_list_set;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tcp-options {
                            syn-check-required;
                            sequence-check-required;
                        }
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }

 

And I add IP-addresses to nat_list, who need internet access (for example proxy-server).

100Mb, link-mode-auto.

 

I set mtu to 1452, then 1432, then to 1400. Problem still persists.

 

The command > show interfaces fe-0/0/2

shows me

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps

 

But in configuration i set 1452!

What to believe?

The Ethernet link MTU is seperate to the IP MSS value.  Dont worry about it.

 

Does any other type of traffic have any speed/preformance issues?

 

What is te modem/router that the SRX is connected to?

 

Are you running any UTM on the SRX?

 

I would still suggest upgrading to 12.1R2.9

Also

 

Run

 

show interfaces fe-0/0/2 statistics detail

 

 

Look for the Input/Output errors