SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  MTU / MSS issues with SRX box - Ideas ?

    Posted 05-11-2014 06:57

     

    Hi guys,

     

    My ISP is Xilo.net and the default MTU is 1432. I was originally using a J2320 device with the following configuration.

     

    set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$ghJik5T3t0BZUAp0OREs2gJik"
    set interfaces pp0 unit 0 ppp-options chap local-name "17815@tw.uno.net.uk"
    set interfaces pp0 unit 0 ppp-options chap no-rfc2486
    set interfaces pp0 unit 0 ppp-options chap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet mtu 1432
    set interfaces pp0 unit 0 family inet sampling input
    set interfaces pp0 unit 0 family inet sampling output
    set interfaces pp0 unit 0 family inet negotiate-address

    set security flow tcp-mss all-tcp mss 1350

     

    Websites load OK.

     


    So today I went about migrating out of my J series box and into the SRX 110.

    It is configured so fe-0/0/0 is the port which connects to the Draytek modem, and the PPPoE / pp0 adapter dials the connection and authenticates.

    I have no issues establishing a connection; my issues start once the connection has been established: pages load very slowly with the above configuration and some pages don't load, so I decided to ditch the J series config and remake one for the SRX.

    This is the SRX110 config now:

     


    set system name-server 193.150.34.1
    set system name-server 91.230.181.1
    set system name-server 8.8.8.8
    set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
    set interfaces pp0 unit 0 ppp-options chap default-chap-secret "$9$VIYJGkqfn9A24369Cu0NdVYJG"
    set interfaces pp0 unit 0 ppp-options chap local-name "17815@tw.uno.net.uk"
    set interfaces pp0 unit 0 ppp-options chap no-rfc2486
    set interfaces pp0 unit 0 ppp-options chap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet negotiate-address

    set routing-options static route 0.0.0.0/0 next-hop pp0.0

    With the config like this I can ping google.com -f -l 1432, which is the correct MTU packet size.

    So I added: set interfaces pp0 unit 0 family inet mtu 1432

    I still have slow internet.

    I then decided to play around with set security flow tcp-mss all-tcp mss and inserted values from 1200 up to 1400; this made very little difference.

    I have also tried removing the MTU from the pp0 adapter and only configuring the MSS settings.

    No matter what I do, the pages load slowly.

    Ideas, anyone?
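    The post above mixes three numbers that have to agree: the interface MTU on pp0.0, the TCP MSS clamp, and the size of a DF ping probe used to verify the path. The script below is an added example (not code from the thread or from Juniper) that derives a consistent pair from an ISP MTU such as the 1432 quoted above, and shows what a `ping -f -l N` (Windows) or `ping -s N -M do` (Linux) probe really puts on the wire, since `-l` / `-s` set the ICMP payload length, not the datagram length. It assumes minimum header sizes (no IP or TCP options) and standard 8-byte PPPoE/PPP overhead; the helper names and the rendered `set` statements are illustrative.

```python
# Added example: MTU / MSS consistency check for a PPPoE uplink like pp0.0.
# Assumes minimum IPv4/IPv6/TCP/ICMP header sizes and 8 bytes of PPPoE+PPP
# overhead; the 1432-byte value is the ISP MTU quoted in the post.

IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
ICMP_HEADER = 8          # ICMP echo header, same for v4 and v6
PPPOE_OVERHEAD = 8       # 6-byte PPPoE header + 2-byte PPP protocol field
ETHERNET_MTU = 1500


def pppoe_mtu(ethernet_mtu=ETHERNET_MTU):
    """Largest IP packet that fits one Ethernet frame once PPPoE/PPP is added."""
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu, ipv6=False):
    """TCP MSS at which a full segment exactly fills the path MTU."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip_header - TCP_HEADER


def ping_datagram_size(payload, ipv6=False):
    """IP datagram produced by `ping -l <payload>` (Windows) / `ping -s <payload>`
    (Linux): the option sets the ICMP data length, not the packet length."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return payload + ICMP_HEADER + ip_header


def max_ping_payload(mtu, ipv6=False):
    """Largest -l / -s value whose DF-marked probe still fits the MTU."""
    return mtu - ICMP_HEADER - (IPV6_HEADER if ipv6 else IPV4_HEADER)


def df_probe_fits(payload, mtu, ipv6=False):
    """True if a DF probe with this payload can traverse a link of this MTU."""
    return ping_datagram_size(payload, ipv6) <= mtu


def mss_clamp_is_safe(mss, mtu, ipv6=False):
    """A clamp only helps if it is at or below the MSS the MTU allows."""
    return mss <= mss_for_mtu(mtu, ipv6)


def junos_mtu_mss_statements(mtu, unit="pp0 unit 0"):
    """Render the two Junos statements used in the thread with a matching MSS,
    so the clamp can never exceed what the interface MTU carries."""
    return [
        f"set interfaces {unit} family inet mtu {mtu}",
        f"set security flow tcp-mss all-tcp mss {mss_for_mtu(mtu)}",
    ]


if __name__ == "__main__":
    isp_mtu = 1432
    print("PPPoE on 1500-byte Ethernet carries at most", pppoe_mtu(), "bytes")
    print("MSS for MTU", isp_mtu, "=", mss_for_mtu(isp_mtu))
    print("ping -f -l 1432 sends a", ping_datagram_size(1432),
          "byte datagram; fits in", isp_mtu, "?", df_probe_fits(1432, isp_mtu))
    print("largest DF-safe -l value for MTU", isp_mtu, "=", max_ping_payload(isp_mtu))
    print("clamp of 1350 safe for MTU", isp_mtu, "?", mss_clamp_is_safe(1350, isp_mtu))
    for line in junos_mtu_mss_statements(isp_mtu):
        print(line)
```

    Two things the numbers make visible: a `ping -f -l 1432` is a 1460-byte datagram, so it passing says the path carries more than 1432 (PPPoE on a 1500-byte Ethernet link allows 1492 by default), and the largest `-l` value that genuinely tests a 1432-byte MTU is 1404. The clamp of 1350 used in the first config is below the 1392 that a 1432 MTU allows, so the MSS setting itself was not forcing fragmentation, which is consistent with the thread's eventual finding that the configuration was not the problem.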



  • 2.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-12-2014 01:39

    Hi Cmia,

     

    Which version of Junos was running on the J2330? On the SRX110, you can try the following:

     

    Disable tcp syn and tcp seq check

    set security flow tcp-session no-syn-check
    set security flow tcp-session no-sequence-check

    commit

     

     

    Additionally, you can disable unused processes to free up SRX110 resources, as described in the KB below:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28933&actp=search&viewlocale=en_US&searchid=1399542612728

    I hope disabling the TCP SYN and sequence checks will increase throughput.

     

    Thanks,

    SHKM



  • 3.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-12-2014 11:18

    Hi,

    On the SRX JUNOS Software Release [11.2R3.3]
    On the J2320 JUNOS Software Release [11.1R4.4]

     

    I will try disabling the TCP SYN / sequence check 🙂

    Further reading into this, the TCP SYN check feature basically means the packets become more secure.

    As a stateless firewall this added another level of security, but disabling this removes the advantage.

    The SRX has one virtual router which is only for the DMZ.

    And the main router is used for the other I.net zones.

    The J series has 2 virtual routers as well as the main I.net.

    None of these routers are actually live. I purchased the J2320, upgraded the CPU from a Celeron to a P4 2.8 GHz and added another 1 GB of RAM, taking it to 1.5 GB.

    The J series was to take over from an SSG20, but it was a little too loud and whiny, so I purchased an SRX110.

    I don't understand why it's not working.



  • 4.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-16-2014 17:36
    Disable tcp syn and tcp seq check
    
    set security flow tcp-session no-syn-check
    set security flow tcp-session no-sequence-check

     I disagree.  These are important basic checks on a modern firewall and should rarely be disabled.

     

     



  • 5.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-12-2014 06:17

    Are you running UTM/IDP, packet filters, or traceoptions by chance?



  • 6.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-12-2014 11:20

     

    Both of the boxes have the factory UTM/IDP stuff.

    No trace options on the SRX but running trace options on the J series!

     

    Attachment: configuration.txt (11 KB)


  • 7.  RE: MTU / MSS issues with SRX box - Ideas ?

    Posted 05-13-2014 13:52

    What about file transfers to IP addresses instead of domain names..... Wonder if it's a resolving issue..?



  • 8.  RE: MTU / MSS issues with SRX box - Ideas ?
    Best Answer

    Posted 05-16-2014 00:29

     

    I just want to update this post 🙂

     

    It seems nothing was wrong with the config, but the SRX needed a reboot.

     

    I have never had to reboot any of my Junipers because I made a new connection!