SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Configure logging on SRX

    Posted 07-20-2015 06:13

    So we have an IPsec tunnel set up with an outside vendor, traffic through all other VPNs moves very quickly, but trickles at about 2Mb/s to them. They claim the same is happening on their end. I've been trying to set up a log file on the router to see if there are massive packet drops or the like happening somewhere, following the instructions outlined here:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16108#configure_traceoptions

     

    However, every time I run the final 'show log flow-trace' command, I get this error: 'error: could not resolve file: flow-trace'. All the other commands execute without complaint. Am I missing something really obvious?



  • 2.  RE: Configure logging on SRX

     
    Posted 07-20-2015 06:19

    Hello,

     

     

    This usually happens when there is no traffic that is matching the file.

    Hence the file is not created.

    Please check the packet filter source and destination prefix are correct.

     

    Also, you would only be seeing the traffic entering the tunnel, you would not be able to find the cause of slowness via this.

    However you would be able to verify if the packets are entering the tunnel or if they are getting dropped before that.

     

    You may try to improve the tunnel performance by setting the correct MTU required, as this could be due to an MTU issue as well.

     

    Regards,

    Shailesh

     

     

    [KUDOS PLEASE! If you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]



  • 3.  RE: Configure logging on SRX

    Posted 07-20-2015 06:24

    I agree on the MTU.  I had an issue like this in ScreenOS where an outside vendor was using VMware Vshield on their side of the VPN.  Performance was similar to yours.  Once I hard coded the MTU the performance was fine.



  • 4.  RE: Configure logging on SRX

     
    Posted 07-20-2015 06:26

    Hi ,

     

    You can set the MSS specifically for the VPN by using the below command;

     

    root# set security flow tcp-mss ipsec-vpn mss <>

     

    However, please note that this would cause the MSS to change for all the VPNs.

     

    -Shailesh




  • 5.  RE: Configure logging on SRX

    Posted 07-20-2015 06:42

    Hi Shailesh,

     

    It would be weird if there were no traffic going through it at all, but I suppose it's possible. Being that I'm not the one who configured this, I have several VPNs not currently bound to interfaces. Is it 'safe' to bind an active VPN to an interface (logical interface), to monitor it better, or is there another way to go about that?

     

    Thanks!



  • 6.  RE: Configure logging on SRX
    Best Answer

     
    Posted 07-20-2015 06:49

    Hi,

     

    Could you show me the output of the below;

    show security flow traceoption | display set

     

    -Shailesh




  • 7.  RE: Configure logging on SRX

    Posted 07-20-2015 07:55

    Shailesh,

     

    I got this:

     

    set security flow traceoptions file CCP-trace
    set security flow traceoptions file size 10m
    set security flow traceoptions file world-readable
    set security flow traceoptions flag all
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter p1 source-prefix 172.22.10.61/32
    set security flow traceoptions packet-filter p2 destination-prefix 172.22.10.61/32
    set security flow traceoptions packet-filter f0 destination-prefix 10.192.39.81/16
    set security flow traceoptions packet-filter f1 destination-prefix 64.129.17.250/32
    deactivate security flow traceoptions

     

    then ran 'activate security flow traceoptions'.

     

    I assume this was correct behavior, to be clear, this will capture data going from 172.22.10.61 to 64.129.17.250 and to 10.192.39.81. Correct? My log file seems to have an awful lot of garbage in it...



  • 8.  RE: Configure logging on SRX

     
    Posted 07-20-2015 08:14

    Hi,

     

    Are you checking the file as below;

    >show log CCP-trace

     

    If you are seeing a lot of garbage, please clear the logs and then do a show again;

    >clear log CCP-trace

    >show log CCP-trace

     

    Also it is a good practice to set it to specific IPs instead of subnets.
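As an added example (not code from the thread or from Juniper), a small Python checker that parses the 'display set' output from post 7 and flags the points raised in posts 2 and 8: the trace file name (the original 'could not resolve file: flow-trace' error is what you get when the file is actually called CCP-trace), 'flag all' noise, and packet-filter prefixes that are not host addresses or that specify only one side. It assumes Junos flow packet-filters are independent OR'ed terms in which an unspecified side matches any address.

```python
import ipaddress

# Constructed sample: the "display set" output posted earlier in this thread.
SAMPLE_CONFIG = """\
set security flow traceoptions file CCP-trace
set security flow traceoptions file size 10m
set security flow traceoptions file world-readable
set security flow traceoptions flag all
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix 172.22.10.61/32
set security flow traceoptions packet-filter p2 destination-prefix 172.22.10.61/32
set security flow traceoptions packet-filter f0 destination-prefix 10.192.39.81/16
set security flow traceoptions packet-filter f1 destination-prefix 64.129.17.250/32
deactivate security flow traceoptions
"""

STANZA = "security flow traceoptions"
FILE_OPTIONS = {"size", "files", "world-readable", "no-world-readable"}  # not file names

def parse_traceoptions(text):
    """Extract trace file name, flags, packet filters and active state from set commands."""
    cfg = {"file": None, "flags": [], "filters": {}, "active": True}
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["deactivate"] and " ".join(words[1:]) == STANZA:
            cfg["active"] = False
        elif words[:1] == ["set"] and " ".join(words[1:4]) == STANZA:
            rest = words[4:]
            if rest[0] == "file" and len(rest) == 2 and rest[1] not in FILE_OPTIONS:
                cfg["file"] = rest[1]
            elif rest[0] == "flag" and len(rest) == 2:
                cfg["flags"].append(rest[1])
            elif rest[0] == "packet-filter" and len(rest) == 4:
                cfg["filters"].setdefault(rest[1], {})[rest[2]] = rest[3]
    return cfg

def check_traceoptions(cfg, show_log_file):
    """Return the warnings a reviewer would raise before running 'show log <file>'."""
    warnings = []
    if not cfg["active"]:
        warnings.append("traceoptions are deactivated; nothing will be written")
    if cfg["file"] != show_log_file:
        warnings.append(f"trace file is {cfg['file']!r}; 'show log {show_log_file}' will not resolve")
    if "all" in cfg["flags"]:
        warnings.append("'flag all' traces every flow event; keep basic-datapath only to cut noise")
    for name, terms in cfg["filters"].items():
        if not {"source-prefix", "destination-prefix"} <= terms.keys():
            warnings.append(f"filter {name} sets one side only; the other side matches any address")
        for key, prefix in terms.items():
            try:
                ipaddress.ip_network(prefix, strict=True)   # rejects host bits, e.g. 10.192.39.81/16
            except ValueError:
                warnings.append(f"filter {name} {key} {prefix}: host bits set; use /32 for one host")
    return warnings
```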