05-14-2012 08:45 AM
I walked in this morning and discovered my Internet connection was peaked via SMTP monitoring on my border router. We have a Packeteer device monitoring all traffic behind my SRX240 and nothing was generating this amount of traffic. The only thing that could have was my SRX240 and my Cisco 2800 border router. How can I gain some visibility over the traffic exiting my SRX240 to verify if it was causing the large amount of traffic? The traffic has stopped at this point but was going on for approx. 10 minutes.
05-14-2012 08:50 AM
Probably just set up some logging on your policies. For instance if you think the traffic is coming from trust to untrust then log on this policy etc.
Have a read here:
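As an added example (not from the reply above), the Junos set-style configuration for logging on a trust-to-untrust policy on an SRX240. Policy name allow-out, the log server 192.0.2.50 and the source address 192.0.2.1 are assumptions. Stream mode sends session logs straight from the forwarding plane to the syslog collector, and session-close records the byte counts in each direction, which is what lets you spot a heavy flow after the fact:

```junos
## Stream session logs from the PFE to an external syslog host (assumed addresses)
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream LOGSERVER host 192.0.2.50

## Hypothetical outbound policy; log both session setup and teardown
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
```

The RT_FLOW_SESSION_CLOSE records carry packets and bytes per direction, so the collector can be sorted by bytes to find which session accounted for the spike. Note that this only covers traffic that crosses a zone pair; it does not see sessions the SRX originates itself.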
05-14-2012 08:53 AM
That's just it. It wouldn't be coming from the Trust to Untrust. Everything on the trust zone passes through a packet shaper that gives me total visibility over the traffic. Nothing from the trust side was generating that traffic. It was either coming from the SRX or my border router. I just need to eliminate the SRX from the mystery.
05-15-2012 01:36 AM
Hi there. So you could use an output traffic filter on the loopback interface with the log option. Output filters applied to the loopback interface, lo0, affect only outbound traffic sent from the Routing Engine.
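An added example of the lo0 output filter suggested above, in Junos set-style (this is illustrative configuration, not part of the reply; the filter name RE-OUT and counter name re-out-pkts are assumptions). The final accept is essential: a firewall filter ends with an implicit discard, and an output filter on lo0 without an accept term would drop every packet the Routing Engine sends, including your own management session and routing-protocol traffic.

```junos
## Filter applied to traffic the Routing Engine itself originates
set firewall family inet filter RE-OUT term log-all then log
set firewall family inet filter RE-OUT term log-all then syslog
set firewall family inet filter RE-OUT term log-all then count re-out-pkts
set firewall family inet filter RE-OUT term log-all then accept

## Attach it in the output direction on lo0
set interfaces lo0 unit 0 family inet filter output RE-OUT
```

After committing, `show firewall log` shows the in-memory log buffer (source, destination, protocol and interface per packet) and `show firewall filter RE-OUT` shows the packet and byte counter, so a burst sourced from the SRX's own control plane will show up there even though it never crosses a security zone and never hits the packet shaper. The log buffer is small and wraps quickly; the syslog action sends the same records to whatever syslog host is configured under system syslog, which is the copy you want if the burst happens while you are not watching.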
05-16-2012 09:13 PM
Are you using any UTM email features (anti-spam etc.)?
I ran across a problem a while back (Junos 9.6 from memory) where the SRX URL black-listing was causing a big spike in traffic because it wasn't closing connections properly between the client, the UTM proxy process, and the destination server, which caused a long stream of FIN/ACK and ACKs between the client and the far-end server.