SRX Services Gateway

Slow downloads on the client computers behind nat SRX 210

07-09-2012 09:49 PM

Hi! I'm setting up SRX 210.

Model: srx210he
JUNOS Software Release [12.1R1.9]
I have a problem: using the default values I get very slow downloads over http/ftp on the users' PCs behind the SRX210.

It looks like download speed is limited per connection by default.

For example, downloading an ISO image from ftp://ftp.freebsd.org shows a download speed of about 30-50 kilobytes per second.

My old PC-based Linux router gets over 1.5 megabytes/sec from this site using the same ISP.

This is part of my config (all simple, there is nothing non-standard):

NAT

source {
    rule-set default-nat-rule {
        from zone trusted;
        to zone untrusted;
        rule default-nat {
            match {
                source-address 192.168.0.0/16;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

POLICIES

from-zone trusted to-zone untrusted {
    policy nat_list {
        match {
            source-address nat_list_set;
            destination-address any;
            application any;
        }
        then {
            permit {
                tcp-options {
                    syn-check-required;
                    sequence-check-required;
                }
            }
        }
    }
}

I tried reducing the MTU/MSS values, disabling UTM, setting dns maximum-message-length 8192... None of it has any effect.


Please help!

22 REPLIES
Re: Slow downloads on the client computers behind nat SRX 210

07-09-2012 10:46 PM

At the very least, I would upgrade to the latest 12.1 release, which is 12.1R2.9.

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 12:17 AM

I upgraded last week to 12.1R2.9, but the problem was not solved. This firmware version does not contain the HTTP server for managing the SRX (I'm a beginner in JunOS and console-only management is not enough for me), so I rolled back to 12.1R1.9.

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 12:28 AM

Hi

I have a 210H and a 100H; both are running 12.1R2.9 and have J-Web running fine.

Regarding the slow speed: check the duplex/speed on your WAN port, assuming you are using an Ethernet-based device.

If you are using an ADSL/VDSL PIM, then ignore this.

I did have very slow performance, and it was down to MTU/MSS and the screen IDS being too restrictive.

Security:

flow {
    allow-dns-reply;
    syn-flood-protection-mode syn-cookie;
    tcp-mss {
        all-tcp {
            mss 1452;
        }
        ipsec-vpn {
            mss 1400;
        }
    }
    tcp-session {
        rst-invalidate-session;
        rst-sequence-check;
        strict-syn-check;
    }
}
screen {
    ids-option untrust-screen {
        icmp {
            large;
            ping-death;
        }
        ip {
            bad-option;
            security-option;
            inactive: spoofing;
            ##### If you get your WAN IP via PPP or DHCP then you need to disable spoofing.
            source-route-option;
            strict-source-route-option;
            tear-drop;
        }
        tcp {
            syn-flood {
                alarm-threshold 1024;
                attack-threshold 200;
                source-threshold 1024;
                destination-threshold 2048;
                timeout 10;
            }
            land;
            winnuke;
        }
    }
}

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 02:39 AM

May I ask why you are using syn-check-required and sequence-check-required?

Kind regards,

Sebastian

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:18 AM

Thank you, johnrbaker, for the example security configuration!

But it does not resolve my problem.

I found out that the problem persists when downloading files via FTP, but over HTTP everything works fine: the download speed equals the WAN speed.

If somebody downloads a file via FTP, the logs on the SRX210 look like this:

Session ID: 57798, Policy name: nat_list/6, Timeout: 1738, Valid
Resource information : FTP ALG, 2, 0
  In: 192.168.0.7/45411 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 20, Bytes: 1084
  Out: 204.152.184.73/21 --> 62.117.117.20/4326;tcp, If: fe-0/0/2.0, Pkts: 34, Bytes: 2213

 

I already turned off the ALG in security (set alg ftp disable),

now the logs look like this:

Session ID: 58935, Policy name: nat_list/6, Timeout: 1754, Valid
  In: 192.168.0.7/42625 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 1532
  Out: 204.152.184.73/21 --> 62.117.117.20/26887;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2679

 

But it still does not resolve the problem... Downloads via FTP are still too slow.

I still need help.

 

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:23 AM

Hi

Are you running the FTP ALG? If so, try disabling it.

What FTP client are you running?

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:25 AM

Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check

For internal nets I use

no syn-check-required; and no sequence-check-required;

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:33 AM

moslift wrote:

Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check

For internal nets I use

no syn-check-required; and no sequence-check-required;


Are you expecting asynchronous traffic?

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:36 AM

I currently disabled the FTP ALG but it did not help me.

Download speed via FTP is still slow.

Now I use the built-in FTP client in the browsers Firefox and IE.

> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Disabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Enabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled


Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:39 AM

FYI

Apart from the IKE ALG, unless you need to, disable all ALGs. They can cause a lot of issues, streaming video etc.

What is your MSS/MTU value? What is your WAN connection type?

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 05:55 AM

gosi wrote:

moslift wrote:

Sebastian, I use these options only on WAN interfaces, following these recommendations: http://jsrx.juniperwiki.com/index.php?title=Syn_Check

For internal nets I use

no syn-check-required; and no sequence-check-required;

Are you expecting asynchronous traffic?

Probably not. Are you advising to globally turn off syn-check and sequence-check?

Re: Slow downloads on the client computers behind nat SRX 210

07-10-2012 10:40 AM

moslift wrote:
Probably not. Are you advising to globally turn off syn-check and sequence-check?

No, you should be fine. Could you please run flow traceoptions to capture the traffic from your slow FTP transfer?

Kind regards,

Sebastian

Re: Slow downloads on the client computers behind nat SRX 210

07-11-2012 11:42 PM

I turned off all ALGs and now I have

> show security alg status
ALG Status :
  DNS      : Disabled
  FTP      : Disabled
  H323     : Disabled
  MGCP     : Disabled
  MSRPC    : Disabled
  PPTP     : Disabled
  RSH      : Disabled
  RTSP     : Disabled
  SCCP     : Disabled
  SIP      : Disabled
  SQL      : Disabled
  SUNRPC   : Disabled
  TALK     : Disabled
  TFTP     : Disabled
  IKE-ESP  : Disabled

But FTP download speed still remains at 25-35 kb/sec

I use MTU 1472 and MSS 1300. I also set 'path-mtu-discovery'.

WAN connection type - ethernet.

Re: Slow downloads on the client computers behind nat SRX 210

07-11-2012 11:59 PM

Hi

Your MTU value could still be an issue. Try 1452 or even lower.

What are the settings for your Ethernet WAN port? 100/Full Auto?

However, I have just tried to FTP from the same site and I am only getting 300-400KBps

Re: Slow downloads on the client computers behind nat SRX 210

07-12-2012 12:18 AM

> show security flow session source-prefix 192.168.0.7 destination-port 21
Session ID: 4496, Policy name: nat_list/6, Timeout: 1764, Valid
  In: 192.168.0.7/50189 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 25, Bytes: 1616
  Out: 204.152.184.73/21 --> 62.117.117.20/2065;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2678
Total sessions: 1

Policies are:

from-zone trusted to-zone untrusted {
    policy nat_list {
        match {
            source-address nat_list_set;
            destination-address any;
            application any;
        }
        then {
            permit {
                tcp-options {
                    syn-check-required;
                    sequence-check-required;
                }
            }
        }
    }
}
default-policy {
    deny-all;
}

 

And I add the IP addresses that need internet access (for example the proxy server) to nat_list.
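As a worked example added here (not from the thread or from Juniper), a small Python parser for the `show security flow session` listings quoted in the posts above. It pulls both wings out of each session and reports whether source NAT rewrote the inside address, whether an ALG (here the FTP ALG) is attached, and the per-wing byte counts, which is the check to make before reading anything into these listings. The sample input is the two sessions copied from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: `show security flow session` output as quoted in this thread, copied verbatim.
SAMPLE = """\
Session ID: 57798, Policy name: nat_list/6, Timeout: 1738, Valid
Resource information : FTP ALG, 2, 0
  In: 192.168.0.7/45411 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 20, Bytes: 1084
  Out: 204.152.184.73/21 --> 62.117.117.20/4326;tcp, If: fe-0/0/2.0, Pkts: 34, Bytes: 2213
Session ID: 4496, Policy name: nat_list/6, Timeout: 1764, Valid
  In: 192.168.0.7/50189 --> 204.152.184.73/21;tcp, If: ge-0/0/0.0, Pkts: 25, Bytes: 1616
  Out: 204.152.184.73/21 --> 62.117.117.20/2065;tcp, If: fe-0/0/2.0, Pkts: 35, Bytes: 2678
"""
HEAD = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
RESOURCE = re.compile(r"Resource information : (.+)")
WING = re.compile(r"\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                  r"Pkts: (\d+), Bytes: (\d+)")

@dataclass
class Wing:
    src: str; sport: int; dst: str; dport: int
    proto: str; ifname: str; pkts: int; nbytes: int

@dataclass
class Session:
    sid: int; policy: str; timeout: int; state: str
    resource: str = ""                          # "FTP ALG, 2, 0" when an ALG owns the session
    wings: dict = field(default_factory=dict)   # keyed "In" / "Out"

def parse_sessions(text):
    """Turn the CLI listing into Session objects carrying both wings."""
    sessions = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            sessions.append(Session(int(m[1]), m[2], int(m[3]), m[4]))
        elif (m := RESOURCE.match(line)) and sessions:
            sessions[-1].resource = m[1].strip()
        elif (m := WING.match(line)) and sessions:
            sessions[-1].wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]),
                                            m[6], m[7], int(m[8]), int(m[9]))
    return sessions

def describe(s):
    """Source NAT applied (In source != Out destination)? ALG attached? Bytes per wing.
    An FTP data channel is its own session, so port-21 counters say nothing about speed."""
    i, o = s.wings["In"], s.wings["Out"]
    natted = (i.src, i.sport) != (o.dst, o.dport)
    return {"session": s.sid, "source_nat": natted, "nat_ip": o.dst if natted else None,
            "alg": s.resource.split(",")[0] if s.resource else None, "in_bytes": i.nbytes,
            "out_bytes": o.nbytes, "out_bytes_per_pkt": round(o.nbytes / o.pkts, 1)}
```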

Re: Slow downloads on the client computers behind nat SRX 210

07-12-2012 12:38 AM

Hi

I am still getting slow FTP from the main FreeBSD site

Try one of its mirrors

ftp://ftp.uk.freebsd.org/pub/FreeBSD/releases/amd64/amd64/ISO-IMAGES/9.0/

My speed went from 300 to 1500KB/s


Re: Slow downloads on the client computers behind nat SRX 210

07-12-2012 12:48 AM

100Mb, link-mode auto.

I set the MTU to 1452, then 1432, then 1400. The problem still persists.

The command > show interfaces fe-0/0/2

shows me

Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 100mbps

But in the configuration I set 1452!

What should I believe?

Re: Slow downloads on the client computers behind nat SRX 210

07-12-2012 12:54 AM

The Ethernet link MTU is separate from the IP MSS value. Don't worry about it.

Does any other type of traffic have any speed/performance issues?

What is the modem/router that the SRX is connected to?

Are you running any UTM on the SRX?

I would still suggest upgrading to 12.1R2.9

Re: Slow downloads on the client computers behind nat SRX 210

07-12-2012 12:59 AM

Also

Run

show interfaces fe-0/0/2 statistics detail

Look for the Input/Output errors