SRX Services Gateway
Trusted Contributor
kronicklez
Posts: 466
Registered: ‎08-10-2010
0

Suddenly traffic increase and make bandwidth almost full..

Hi All,

I have one problem, as per the title above. My internal connection to HQ is 30MB. Usually my bandwidth is not over 10MB. But starting last week my bandwidth suddenly went up to 25MB, and it interrupts services like voice (PABX). Before this I set my zone-to-zone policy to application any. Then I changed my policy as per below, but I still cannot reduce the bandwidth. My physical connection is as per below:

The weird thing is that when I run the command show interface ge-0/0/0 on the layer 2 switch, the result is always changing, as per the example below:

 

{master:0}
root@D3-ES01> show interfaces ge-0/0/0 | match rate
  Input rate     : 15605168 bps (2435 pps)
  Output rate    : 19214016 bps (2619 pps)

 

 

{master:0}
root@D3-WXC-ES01> show interfaces ge-0/0/0 | match rate
  Input rate     : 15605168 bps (2435 pps)
  Output rate    : 19214016 bps (2619 pps)


 

LAN --->Core Switch --->SRX3600 --->Layer 2 Switch (ge-0/0/0)---->Metro-E (ISP) ---->HQ

 

 

 

 

root@D3-FW01# run show configuration security policies from-zone CoreSwitch
policy 2 {
    match {
        source-address any;
        destination-address any;
        application [ junos-icmp-all Port-Torrent-TCP Port-Torrent-UDP ];
    }
    then {
        deny;
        log {
            session-init;
            session-close;
        }
    }
}
policy 1 {
    match {
        source-address any;
        destination-address any;
        application [ SAP-Port junos-https junos-http junos-sql-monitor junos-sqlnet-v1 junos-sqlnet-v2 junos-ssh junos-telnet junos-http-ext junos-dns-tcp junos-dns-udp junos-mail junos-smtp Port-Proxy WWW junos-pop3 ];
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}

 

Hopefully someone can help me, because I already don't know what I need to do.

Trusted Expert
jtb
Posts: 309
Registered: ‎08-26-2009
0

Re: Suddenly traffic increase and make bandwidth almost full..

hi kronicklez,

 

It would be interesting to check what eats the bandwidth. I would look at all the flows and find the guilty one.

'show security flow session' has the pkts/bytes counters for each flow/direction.

With many flows it can be a bit difficult; analyze it with a home-made script or use SRX Session Analyzer http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Session-Analyzer/td-p/113798

(I don't have experience with it).

I assume you could still have some sessions created at the time of the any-2-any policy. If true, look at

'set security policies policy-rematch' option.  

See http://forums.juniper.net/t5/SRX-Services-Gateway/Change-the-security-policy-then-take-effect-immedi...

 

please update with the outcome,

jtb

Trusted Contributor
kronicklez
Posts: 466
Registered: ‎08-10-2010
0

Re: Suddenly traffic increase and make bandwidth almost full..

Hi jtb,

Many thanks for the feedback. One more thing regarding the command "set security policies policy-rematch": is it only this command? What I mean is, is it just this simple command, or do I need to add some other commands as well? I will test it on Monday.

Regarding the SRX analyzer, it's new to me. I have never tested or used it. I will try that command on Monday. I hope for any other advice or solution, because my head is already frozen. One day of troubleshooting, but I still have not got any solution.

Trusted Expert
jtb
Posts: 309
Registered: ‎08-26-2009
0

Re: Suddenly traffic increase and make bandwidth almost full..

hi,

 

"set security policies policy-rematch" - it's just a single command. Another policy-rematch discussion at http://forums.juniper.net/t5/SRX-Services-Gateway/Traffic-still-flowing-from-untrust-to-trust-after-...

I've re-read your original mail and I'm no longer sure if the current policy is the same as the one before the any-2-any policy. I assumed you could have some long-lived flows, created at the any-2-any policy time. If we talk about days, it's unlikely.

You may just have some regular (permitted by policy) high bandwidth flows you haven't had before.

Anyway, it's good to collect 'show security flow session' output (a few samples, every XX minutes) so you will have a chance to find the high bandwidth flows.

Additionally, do you have your syslog data with session-init/close info? If collected, it's a huge source of data (to analyse).

jtb
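The "home-made script" and "a few samples, every XX minutes" suggestions above, as an added example that is not part of the thread: it parses two 'show security flow session' captures and ranks sessions by average bit rate between them. The captures are constructed, and the Session ID / In / Out line layout with Bytes counters is an assumption about the SRX output, which the thread does not show.

```python
import re

# Constructed samples: two 'show security flow session' captures taken 300 s apart.
SAMPLE_T0 = """\
Session ID: 101, Policy name: 1/5, Timeout: 1790, Valid
  In: 10.10.1.20/51512 --> 172.16.5.10/443;tcp, If: ge-0/0/1.0, Pkts: 1200, Bytes: 150000
  Out: 172.16.5.10/443 --> 10.10.1.20/51512;tcp, If: ge-0/0/0.0, Pkts: 2000, Bytes: 2500000
Session ID: 102, Policy name: 1/5, Timeout: 1650, Valid
  In: 10.10.2.33/40211 --> 172.16.5.25/1521;tcp, If: ge-0/0/1.0, Pkts: 300, Bytes: 40000
  Out: 172.16.5.25/1521 --> 10.10.2.33/40211;tcp, If: ge-0/0/0.0, Pkts: 280, Bytes: 60000
Total sessions: 2
"""
SAMPLE_T1 = """\
Session ID: 101, Policy name: 1/5, Timeout: 1798, Valid
  In: 10.10.1.20/51512 --> 172.16.5.10/443;tcp, If: ge-0/0/1.0, Pkts: 3600, Bytes: 450000
  Out: 172.16.5.10/443 --> 10.10.1.20/51512;tcp, If: ge-0/0/0.0, Pkts: 210000, Bytes: 302500000
Session ID: 102, Policy name: 1/5, Timeout: 1700, Valid
  In: 10.10.2.33/40211 --> 172.16.5.25/1521;tcp, If: ge-0/0/1.0, Pkts: 520, Bytes: 70000
  Out: 172.16.5.25/1521 --> 10.10.2.33/40211;tcp, If: ge-0/0/0.0, Pkts: 490, Bytes: 105000
Session ID: 104, Policy name: 1/5, Timeout: 1795, Valid
  In: 10.10.4.9/49822 --> 172.16.5.10/80;tcp, If: ge-0/0/1.0, Pkts: 9000, Bytes: 1000000
  Out: 172.16.5.10/80 --> 10.10.4.9/49822;tcp, If: ge-0/0/0.0, Pkts: 52000, Bytes: 74000000
Total sessions: 3
"""
SESSION = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+),")
FLOW = re.compile(r"^\s+(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),.*?Bytes: (\d+)")

def parse(text):
    """Return {session_id: {policy, bytes (In+Out), flow=(src, dst, dport, proto)}}."""
    sessions, cur = {}, None
    for line in text.splitlines():
        if (m := SESSION.match(line)):
            cur = sessions[int(m.group(1))] = {"policy": m.group(2), "bytes": 0, "flow": ()}
        elif cur is not None and (m := FLOW.match(line)):
            cur["bytes"] += int(m.group(7))
            if m.group(1) == "In":  # the In wing carries the initiator's view of the flow
                cur["flow"] = m.group(2, 4, 5, 6)
    return sessions

def top_talkers(before, after, interval_s, n=5):
    """Rank sessions by average bps between two samples: (bps, src, dst, dport, proto, policy)."""
    rows = []
    for sid, s in after.items():
        prev = before.get(sid)
        # Session IDs get reused: only subtract when the old entry is the same flow.
        base = prev["bytes"] if prev and prev["flow"] == s["flow"] else 0
        rows.append((max(s["bytes"] - base, 0) * 8 // interval_s, *s["flow"], s["policy"]))
    return sorted(rows, reverse=True)[:n]
```

The last column of each row is the policy that admitted the session, which shows whether the heavy flows are ones the current permit policy allows.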

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.