Screen OS

Hi, we are upgrading SSG320M to ISG2000, when I transfered the configuration from SSG320M to ISG2000, I noticed that ISG2000 is using significantly more memory than SSG320M with the same configuration even when it is sitting idle (almost 600M on isg2000 sitting idle vs 100M on SSG320M in production). Only difference is AV is enabled on ISG2000. Anything obviously wrong? isg2000 has 500K session vs ssg320 has 64K session, would that make much difference in terms of memory usage? your input is greatly appreciated.

======ISG2000 running latest 6.3.0r14.0=====

isg2000(M)-> get memory
Memory: allocated 582552976, left 190243392, frag 42, fail 0

isg2000(M)-> get memory pool
Global memory pools:

NAME                         SYS_MEM   ALLOCMEM NALLOC  NFREE OVERSZ     QUOTA
==============================================================================
Routing                        16436        648     54   1037      0        -1
SSHv2 String Pool                  0          0      0      0      0        -1
ICAP CLIENT OBJ                    0          0      0      0      0        -1
APP OBJ                            0          0      0      0      0        -1
apppry reserved pak                0          0      0      0      0        -1
idp                         23877900   22080664 376416   1989      0  90157056
JPS Notify                         0          0      0      0      0        -1
JPS Context                    16420         56      2    517      0        -1
defrag pool                        0          0      0      0      0   4500000
net                            24572          0      0    714      0        -1
Auth Id Table                      0          0      0      0      0        -1
CAVIUM                       9433088    9184000  30733    330     10        -1
NET-PAK                            0          0      0      0      0 134217728
PKI-IKE                       653928     509248   5282   1252    668        -1
sys                           515952     347984   4220   1337      0        -1

isg2000(M)-> get license-key
advanced_key        : <snip>

Model:              Advanced
Sessions:           500064 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        10000 tunnels
Vsys:               None
Vrouters:           3 virtual routers
Zones:              34 zones
VLANs:              2000 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Enable(1)
Anti-Spam:          Disable(0)
Url Filtering:      Disable

vs. production SSG320M running 6.3.0r9.0

ssg320(M)-> get memory
Memory: allocated 95868144, left 602314448, frag 25, fail 0

ssg320 (M)-> get memory pool
Global memory pools:

NAME                         SYS_MEM   ALLOCMEM NALLOC  NFREE OVERSZ     QUOTA
==============================================================================
Routing                        16436       3696    293    798      0        -1
SSHv2 String Pool                  0          0      0      0      0        -1
idp                          3029584    2640376  49415   2152      0  26943488
JPS Notify                         0          0      0      0      0        -1
JPS Context                     8212         48      2    290      0        -1
defrag pool                   390104          0      0    680      0    975000
net                            24572          0      0    714      0        -1
Auth Id Table                      0          0      0      0      0        -1
CAVIUM                       9433088    9184000  30733    330     10        -1
NET-PAK                       455292       2720      8    704      0 536870912
PKI-IKE                       816236     656832   6237   1565 445882        -1
sys                           719600     501716   6451   1399      0        -1
ssg320(M)-> get license-key
Model:              Advanced
Sessions:           64064 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        500 tunnels
Vsys:               None
Vrouters:           8 virtual routers
Zones:              40 zones
VLANs:              125 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Disable(0)
Anti-Spam:          Disable(0)
Url Filtering:      Disable

Update server url: nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days

The memory utilized by the ISG2000 looks about right.

Looks as if you only have 1GB memory on the ISG2000.  (get system | inc memory).

Per data sheet, max. # of sessions is 512K with only 1Gig memory.  1 million with 2 Gig memory.

Regards,

Sam

Hi, Sam,

Thanks, our current peak session numbers can reach 100K, is there any way I can reduce the supported session number to reduce memory usage?

Jian

with the ISG2000, i wouldn't be worried with the amount of memory available (> 10%, right?) if no dynamic routing is being done.

In any case, the following may work.  This solution was for 6.1, so no gurantees with 6.3.

http://kb.juniper.net/InfoCenter/index?page=content&id=TSB14694

1) set envar max-session=500064
2) reset

This will change the maximum number of session from 1048576 to 500064

Regards,

Sam