SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Small packet limit

    Posted 04-22-2015 13:08

    We are facing an issue where, after 500K pps, the SRX3600 starts to answer very late or drops all packets.

    We need to find a few things:

    1. How should we see the pps capacity of the current configuration?

    2. How should we detect whether we have reached the pps limits?

    3. What is the pps limit for 40-byte packets with 1 SPC and 1 NPC?

    Kind regards



  • 2.  RE: Small packet limit

    Posted 04-22-2015 13:33

    Hi 

     

    1. Because it is a stateful device, PPS is not actually a good measure of performance.

    Do all packets belong to the same session, or does every packet come from a new IP? It matters significantly. In the latter case, SRX3000 can do about 150kpps (= new sessions per second), see datasheet

    http://www.juniper.net/us/en/local/pdf/datasheets/1000267-en.pdf

    2. I think you were using the right commands for SPU performance in your other posts here.

    3. For other performance numbers not on the datasheet you should contact your Juniper SE.

     



  • 3.  RE: Small packet limit

    Posted 04-22-2015 13:46

    Thank you for your fast response. 

    Actually, we have tested 50+ attacks. Juniper gave wonderful performance, especially for TCP attacks.

    But unknown protocols, ACK, small UDP floods, and spoofed UDP packets are locking the internet connection.

     

    We have checked nearly every case on the device:

     

    syslogs

    spc cpu

    npc cpu

    routing engine cpu

    session counts (not a criterion, because ACK attacks and UDP floods from the same source do not create sessions), etc.

     

    And we tested multiple conditions, blocking with:

    policy

    filter

    ips

    custom signature

    packet size

    ttl

    etc.

     

    Nothing changes; if this type of attack goes over the screen, the SRX loses its internet connection.

    And as far as we know, multiple NPCs cannot bind to one IOC; each NPC will bind to a separate IOC.

    We decided that this is a pps issue.

    So we plan to buy 2 more NPCs with 2 more 10G IOC cards and send load-balanced or LAG traffic, or we will buy 3 more SPCs to get the expected performance,

    because we need to use firewall policies at more than 1.5M+ small pps.

    But we cannot be sure whether this is really the problem or not.

     

     



  • 4.  RE: Small packet limit
    Best Answer

    Posted 04-22-2015 14:19

    Hi

     

    You should show this to JTAC; they must be able to find the bottleneck.

    Don't forget to clearly state to them whether you are sending traffic to the SRX, to the network behind the SRX, or both.



  • 5.  RE: Small packet limit

    Posted 04-22-2015 14:26

    You are right, but we have been waiting 14 days for a device assignment to our company. I am really disappointed with Juniper support. Our whole network was designed with Junipers, but now we are starting to change all of them to Cisco; first we are quoting routers and changing the MX80s.

    If you are able to check the situation, my mail address is cahit.eyigunlu [at] spd.net.tr. Please send me an email; I should send you access to the test platform.

     

    Thank you for your interest.



  • 6.  RE: Small packet limit

    Posted 04-22-2015 14:53

    Hi

     

    Looks like your problem is a bit more global than the initial question.

    I sent you an email, but generally I am not really The Right Person to talk to.