SRX Services Gateway
Highlighted
SRX Services Gateway

SRX240 Internet Speed slow

‎03-14-2013 03:13 PM

Dear Community,

 

We have a SRX240 A-P cluster in place.

The Untrust Zone is based on reth15 which is on ge-0/0/15 and ge-5/0/15. On these ports the ISP Link is connected through a Brocade Switch. The speed settings are on both sides 1g full-duplex for these ports.

When i do a internet speedtest on a physical machine with a 1Gbps NIC behind the SRX e.g. in Trust Zone, it shows me everythime only an amount of max. 50 Mbps Up and Download Speed.

In fact we have a 1Gbps Download and also more than 50Mbps Upload Speed.

 

When i have a look into the untrust reth interface while measuring it also reflexes the 50 Mbps (throughput)

 

root@mysrx240> show interfaces reth15.0
  Logical interface reth15.0 (Index 80) (SNMP ifIndex 565)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :      43649400       4484   21541080613     48689304
        Output:      45514690       2374   24440264763      2118176
    Security: Zone: untrust
    Allowed host-inbound traffic : https ike ping ssh
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary

 

Where could we have our bottleneck on the SRX?

I mean the throughput should definitely be higher, shouldn't it?

 

The cpu of the SRX is fine... somewhere 60% idle....

Could it be an issue because we are using source and destination NAT?

We dont have that much security policies (about 50) so i dont think its because of too much policies...

Everything else is working perfect, just the internet speed behind the SRX is always stopping at around 50Mbps.

 

I'm thankful for any hint or ideas...

 

 

 

 

12 REPLIES 12
Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-15-2013 03:08 AM

Depending on the length of time your speedtest runs for, it is very unlikely that you will see the full 1Gbps utilised between a single host and a single endpoint.

 

A better test would be to set multiple machines off to download a large file (via HTTP or FTP) and let the connections ramp up over time (>30s).

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

[ Edited ]
‎03-15-2013 07:46 AM

Yes i agree dfex, but if if download e.g. the service pack file for windows 2008 from Microsoft Server it shows me about the same value....2.6 MB/s only.....

 

And if i test the ports on the Brocade switch where the Untrust ports from the SRX240 are connected to, i got the full download speed...

 

So it must definitely somewhere within the SRX240 thats causes the bottleneck....

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-17-2013 03:01 PM

Have you set your max-segment size?

 

 

set security flow tcp-mss all-tcp mss 1350

 

 

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-18-2013 02:03 AM

Yes. it was already set.

 

tcp-mss {
    all-tcp {
        mss 1350;
    }
    ipsec-vpn {
        mss 1350;
    }
}

 

I'm really asking myself, if either the throughput from the SRX240 is at its limit, or if any other things like NAT etc. could reduce the throuput speed to our deep value?

 

 

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-18-2013 03:38 AM

The SRX 240 should be able to do 500mbit/sec (rated for 1.5gbit for large packets).

 

I push 250mbit+ through mine without issues. I've got multiple zones, vlans, vpns, policies and nat rules. So it shouldn't be a hardware limitation.

 

Please post your configuration and what version of JunOS you are running.

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-18-2013 04:24 AM

Speed test results are not accurate most of the times as I have seen..

 

If you do a IPERT test you will see almost the same results...speed not more then 50Mbps..

Also consider that your PC NIC is 100Mbps not 1Gig

 

However if you do an IPERF test using option -u (UDP) and -b (Bandwidth) 1000m then you will see 100% utilization.

 

What I would recommend is test with more then one tool and try actlual FTP upload for correct results.

 

Also please consider for VPN the device can handle only 350Mbps of traffic as per the datasheet.

 

Hope this helps.

 

Regards,

Sachin

 

Highlighted
SRX Services Gateway
Solution
Accepted by topic author IT-onBaseGmbH
‎08-26-2015 01:27 AM

Re: SRX240 Internet Speed slow

[ Edited ]
‎03-26-2013 06:23 PM

Finally the solution was:

 

We had a deactivated "security flow traceoptions".

Yes it was deactivated, but the packet filter was still working somehow.

Therefore "nstraced" daemon was running high, so after deleting the trace options, the bandwidth was utilized as expected.

 

Learning: After using traceoption never just deactivate them, but always delete them again.

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎03-27-2013 01:13 PM

@IT-onBaseGmbH wrote:

Finally the solution was:

 

We had a deactivated "security flow traceoptions".

Yes it was deactivated, but the packet filter was still working somehow.

Therefore "nstraced" daemon was running high, so after deleting the trace options, the bandwidth was utilized as expected.

 

Learning: After using traceoption never just deactivate them, but always delete them again.


 

This is quite interesting.  Could you post what Junos version you're running?  Have you checked with JTAC to see if this is a bug?

 

I know a lot of places that leave traceoptions in place and keep them deactivated, so that operations staff can go in and enable them when necessary for troubleshooting without having to recreate them every time.  I would think that this behavior may be a bug, and if so the details and affected versions should be made known.

 

If this is indeed something that's "behavior by design" then I'm going to have to be sure I advise people of it when I see it.

 

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

[ Edited ]
‎05-16-2013 12:34 AM

We also have the SRX240 in cluster mode and having the same issues.

I checked and removed the traceoptions but problem is still there.

speed test is showing 1 - 5 Mbps in downloading but interestingly 80-90 Mbps in uploading.

 

Any suggestions and clues ?

 

 

 Thanks

SRX Services Gateway

Re: SRX240 Internet Speed slow

‎12-08-2016 08:21 AM

Were you able to find the solution, running SRX340 with similar issues . We have IPsec tunnels back to main Data center for all the traffice. Upload is fine but download is low as 1.2MB on 50MB dedicated pipe

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎12-17-2016 04:34 AM

Hi All,

 

 

I have the same issue on SRX1500 chassis cluster. Does some have the soution ?

 

 

Thanks

Highlighted
SRX Services Gateway

Re: SRX240 Internet Speed slow

‎10-04-2018 05:56 AM

I actually resolved my issue by changing the patch cable. I did not realize that the cable was cat5e, once i changed to cat6 i got the speeds i was expecting.

Feedback