SRX Services Gateway

IPsec performance

‎05-22-2013 02:32 AM

Dear all,

I recently installed an SRX240 cluster in a remote location. I'm in EMEA and they are in APAC. The remote site has an IPsec tunnel back to the HQ in EMEA but performance is quite poor.

1. Besides latency of the physical distance, is there any way I can improve the performance of the traffic between the two sites?

2. I heard mention of the "set security flow tcp-mss ipsec-vpn mss 1350" command, might this improve things?

3. The HQ side has an SSG and many IPsec tunnels, what is the SSG equivalent of the above command?

4. Can you apply this command to a specific IPsec tunnel rather than all of them on the firewall?

Many thanks,

Paul

2 REPLIES

Re: IPsec performance

‎05-22-2013 06:33 AM

Hi,

What are the exact issues you are experiencing? Bandwidth?

1. Are there any errors on the interfaces or any fragmentation?

2. This may improve things if fragmentation is the issue; 1350 is a recommended tcp-mss for VPNs:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB6346

3. user@ssg-> set flow vpn-tcp-mss 1350

4. The command will be for all VPNs.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: IPsec performance

‎05-22-2013 02:32 PM

I was seeing a performance issue with site-to-site VPNs until I made both ends mss 1350. On sites where the connection type was PPPoE I had to do a 'set security flow tcp-mss all-tcp mss 1350' due to fragmentation issues with traffic outside the tunnel.

I apologize that I'm not versed in the SSG platform but it seems to be written up on this KB45866
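
The fragmentation arithmetic behind the 1350 value discussed in the replies above, as an added example that is not part of the original thread: it computes the ESP tunnel-mode packet size for a full-MSS TCP segment and compares it with a 1500-byte Ethernet MTU and a 1492-byte PPPoE MTU. The listed proposals, IPv4 without header options, and NAT-T encapsulation are assumptions; the thread does not say which proposal the tunnel uses.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no IP/TCP options assumed).
IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes
NATT_UDP = 8     # UDP encapsulation header when NAT-T is in use

# Assumed proposals: (IV bytes, cipher block bytes, ICV bytes)
PROPOSALS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
}

def esp_packet_size(mss, proposal, nat_t=False):
    """Outer IPv4 packet size for a full-MSS TCP segment sent through the tunnel."""
    iv, block, icv = PROPOSALS[proposal]
    inner = IP_HDR + TCP_HDR + mss
    # Payload plus the 2-byte trailer is padded up to a cipher-block multiple.
    padded = -(-(inner + ESP_TRAILER) // block) * block
    return IP_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_mss(link_mtu, proposal, nat_t=False):
    """Largest MSS whose encrypted packet still fits link_mtu unfragmented."""
    mss = link_mtu - IP_HDR - TCP_HDR
    while mss > 0 and esp_packet_size(mss, proposal, nat_t) > link_mtu:
        mss -= 1
    return mss

def report(mss_values=(1460, 1350), mtus=(1500, 1492)):
    """Rows of (proposal, mtu, mss, esp_size, fits) with NAT-T assumed on."""
    rows = []
    for proposal in PROPOSALS:
        for mtu in mtus:
            for mss in mss_values:
                size = esp_packet_size(mss, proposal, nat_t=True)
                rows.append((proposal, mtu, mss, size, size <= mtu))
    return rows

if __name__ == "__main__":
    for proposal, mtu, mss, size, fits in report():
        print(f"{proposal:24} mtu={mtu} mss={mss} esp={size} "
              f"{'fits' if fits else 'FRAGMENTS'}")
    print("max MSS on PPPoE (1492), aes-cbc/sha1, NAT-T:",
          max_mss(1492, "aes-cbc/hmac-sha1-96", nat_t=True))
```

Under these assumptions a 1460-byte MSS always produces an outer packet larger than either MTU, while 1350 stays below both with room left for TCP options.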