SRX Services Gateway

Slow video streaming SRX220

‎08-09-2013 07:46 AM

We've had an SRX220 installed for about a year now with few problems.  However, we have been getting complaints from users that there is an extreme amount of "buffering" going on with YouTube videos.  It does not seem to be any specific video, just overall buffering of streaming content.

When connecting to the "outside" zone of the firewall via an external switch, videos are fluid and do not buffer.  Once I connect back behind the device, they start buffering.  Downloads are fine, web browsing has no issues, just video.

Any thoughts on what might be hanging up the streaming?

Thanks!

JS

9 REPLIES
Re: Slow video streaming SRX220

‎08-09-2013 08:51 AM

Hi

I saw something similar to this with my SRX220.

Look at your IDS screen:  Here is mine.

    screen {
        ids-option untrust-screen {
            icmp {
                large;
                ping-death;
            }
            ip {
                bad-option;
                security-option;
                inactive: spoofing;
                source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 10;
                }
                land;
                winnuke;
            }
        }
    }

Also what version of Junos are you running?

Can you post your config (minus passwords and external IP addresses)?

Re: Slow video streaming SRX220

‎08-12-2013 12:16 PM

Sure, here it is:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

version 11.2R4.3;
system {
    host-name RTR;
    domain-name xxx.net;
    time-zone EST5EDT;
    authentication-order [ password radius tacplus ];
    root-authentication {
        encrypted-password "xxxxxx"; ## SECRET-DATA
    }
    name-server {
        192.168.1.251;
        209.18.47.61;
        209.18.47.62;
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            full-name admin;
            uid 101;
            class super-user;
            authentication {
                encrypted-password "$xxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ vlan.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 ];
            }
        }
        dhcp {
            router {
                192.168.200.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.60 high 192.168.1.199;
                exclude-address {
                    192.168.1.108;
                }
                name-server {
                    192.168.1.251;
                    8.8.8.8;
                }
                router {
                    192.168.1.1;
                }
            }
            pool 192.168.10.0/24 {
                address-range low 192.168.10.100 high 192.168.10.254;
                router {
                    192.168.10.1;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 128.138.141.172;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address x.x.x.x/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    t1-3/0/0 {
        keepalives interval 10;
        encapsulation cisco-hdlc;
        t1-options {
            timeslots 1-24;
            line-encoding b8zs;
            framing esf;
        }
        unit 0 {
            family inet {
                address y.y.y.y/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.245.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            proxy-arp;
            family inet {
                address 192.168.1.1/24;
                address 10.220.1.1/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 {
            next-hop x.x.x.x;
            qualified-next-hop y.y.y.y {
                preference 100;
            }
        }
        route 4.2.2.2/32 next-hop y.y.y.y ;
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}
protocols {
    stp;
}
policy-options {
    prefix-list PL01;
    prefix-list PL02;
}
security {
    utm {
        feature-profile {
            anti-virus {
                kaspersky-lab-engine {
                    profile junos-av-defaults {
                        scan-options {
                            no-intelligent-prescreening;
                        }
                    }
                }
                juniper-express-engine {
                    profile junos-eav-defaults {
                        scan-options {
                            no-intelligent-prescreening;
                        }
                    }
                }
            }
        }
    }
    flow {
        inactive: traceoptions {
            file jtac size 10m;
            flag basic-datapath;
            packet-filter p1 {
                protocol tcp;
                source-prefix 10.220.1.108/32;
                destination-prefix 10.220.1.1/32;
            }
            packet-filter p2 {
                protocol tcp;
                source-prefix 10.220.1.1/32;
                destination-prefix 10.220.1.108/32;
            }
        }
        tcp-mss {
            all-tcp {
                mss 1300;
            }
        }
        tcp-session {
            no-syn-check;
            no-sequence-check;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 10.220.1.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set client_wl-to-untrust {
                from zone client_wireless;
                to zone untrust;
                rule source-nat-rule1 {
                    match {
                        source-address 192.168.10.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set RS01 {
                from interface ge-0/0/0.0;
                rule RN01A {
                    match {
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat prefix 10.220.1.86/32;
                    }
                }
                rule RN01 {
                    match {
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat prefix 10.220.1.79/32;
                    }
                }
                rule RN01B {
                    match {
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat prefix 10.220.1.69/32;
                    }
                }
                rule RN01C {
                    match {
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat prefix 10.220.1.108/32;
                    }
                }
                rule RN01D {
                    match {
                        destination-address x.x.x.x/32;
                    }
                    then {
                        static-nat prefix 10.220.1.84/32;
                    }
                }
            }
            rule-set RS02 {
                from interface t1-3/0/0.0;
                rule RN02 {
                    match {
                        destination-address y.y.y.y/32;
                    }
                    then {
                        static-nat prefix 10.220.1.79/32;
                    }
                }
                rule RN02A {
                    match {
                        destination-address y.y.y.y/32;
                    }
                    then {
                        static-nat prefix 10.220.1.86/32;
                    }
                }
                rule RN02B {
                    match {
                        destination-address y.y.y.y/32;
                    }
                    then {
                        static-nat prefix 10.220.1.69/32;
                    }
                }
                rule RN02C {
                    match {
                        destination-address y.y.y.y/32;
                    }
                    then {
                        static-nat prefix 10.220.1.108/32;
                    }
                }
                rule RN02D {
                    match {
                        destination-address y.y.y.y/32;
                    }
                    then {
                        static-nat prefix 10.220.1.84/32;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    x.x.x.x/32;
                }
            }
            interface t1-3/0/0.0 {
                address {
                    y.y.y.y/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Policy01 {
                match {
                    source-address any;
                    destination-address [ YTC01 YTC02 YTC03 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone client_wireless to-zone untrust {
            policy client_wl-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address Nginx x.x.x.x/32;
                address Nginx-no-nat 10.220.1.79/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-0/0/15.0;
            }
        }
        security-zone untrust {
            address-book {
                address YTC01 173.194.55.0/24;
                address YTC02 74.125.0.0/16;
                address YTC03 206.11.0.0/16;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
                t1-3/0/0.0;
            }
        }
        security-zone client_wireless {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1;
            }
        }
    }
}
firewall {
    filter FILTER1 {
        term TERM1 {
            from {
                destination-address {
                    y.y.y.y/32;
                }
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then accept;
        }
    }
}
routing-instances {
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop y.y.y.y;
                    qualified-next-hop x.x.x.x {
                        preference 100;
                    }
                }
            }
        }
    }
}
services {
    rpm {
        probe Probe-Server1 {
            test RR {
                target address 24.164.117.98;
                probe-count 3;
                probe-interval 5;
                test-interval 2;
                thresholds {
                    successive-loss 2;
                    total-loss 3;
                }
                next-hop x.x.x.x;
            }
        }
        probe Probe-Server2 {
            test CANNET {
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 2;
                thresholds {
                    successive-loss 2;
                    total-loss 3;
                }
                next-hop y.y.y.y;
            }
        }
    }
    ip-monitoring {
        policy Server-Tracking1 {
            match {
                rpm-probe Probe-Server1;
            }
            then {
                preferred-route {
                    route 0.0.0.0/0 {
                        next-hop y.y.y.y;
                    }
                }
            }
        }
    }
}
vlans {
    vlan-client_wireless {
        vlan-id 4;
        interface {
            ge-0/0/3.0;
        }
        l3-interface vlan.1;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Re: Slow video streaming SRX220

‎08-12-2013 11:53 PM

There are newer versions of Junos, 11.4R8.4 or 12.1R7.9.  I remember that I had the same issue a while ago.

The screen filter changes and a Junos upgrade fixed my issue.

You can set the untrust screen filter to inactive.  Then do a test to see if this has helped.

e.g.

inactive: screen untrust-screen;

You can also look to see if the untrust screen is the cause.  From the CLI:

show security screen statistics zone untrust
show security screen ids-option untrust-screen
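
The two commands above give you a point-in-time view; what actually tells you whether a screen is interfering with playback is which counters move while you reproduce the buffering. As an added example that is not part of this thread and not Juniper's code, the Python script below takes two captures of `show security screen statistics zone untrust` (one before, one after a few minutes of video) and ranks the attack types whose counters climbed. The two captures are constructed here to resemble the command's "attack type / counter" table; the real output lists more rows, and the row format is an assumption based on that layout.

```python
"""Diff two captures of `show security screen statistics zone untrust`.

Added example (not from the thread). Capture the counters before and after
reproducing the buffering; the screen checks that fired during the test
stand out as the counters that increased.
"""
import re
from typing import Dict, List

# Constructed capture taken before starting the streaming test.
BEFORE = """\
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  UDP flood                                  0
  TCP winnuke                                0
  TCP port scan                              3
  IP tear drop                               0
  TCP SYN flood                              120
  IP spoofing                                0
  ICMP ping of death                         0
  IP source route option                     0
  TCP land attack                            0
  Source session limit                       0
  Destination session limit                  0
"""

# Constructed capture taken after a few minutes of video playback.
AFTER = """\
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 0
  UDP flood                                  0
  TCP winnuke                                0
  TCP port scan                              3
  IP tear drop                               0
  TCP SYN flood                              1874
  IP spoofing                                0
  ICMP ping of death                         0
  IP source route option                     0
  TCP land attack                            0
  Source session limit                       0
  Destination session limit                  42
"""

# A counter row: indented attack-type name, two or more spaces, integer count.
# Header and title lines start in column 0 and therefore do not match.
ROW = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<count>\d+)\s*$")


def parse_screen_stats(text: str) -> Dict[str, int]:
    """Return {attack type: counter} for every counter row of the table."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def screen_delta(before: str, after: str) -> Dict[str, int]:
    """Counters that increased between the two captures.

    A counter that went *down* means the statistics were cleared or the
    box rebooted in between; such a row is reported as the raw "after"
    value so that a reset does not hide a busy screen.
    """
    old = parse_screen_stats(before)
    new = parse_screen_stats(after)
    delta: Dict[str, int] = {}
    for name, count in new.items():
        previous = old.get(name, 0)
        increase = count - previous if count >= previous else count
        if increase > 0:
            delta[name] = increase
    return delta


def rank_suspects(before: str, after: str) -> List[str]:
    """Attack types ordered by how often they fired during the test."""
    delta = screen_delta(before, after)
    return sorted(delta, key=lambda name: delta[name], reverse=True)


if __name__ == "__main__":
    changes = screen_delta(BEFORE, AFTER)
    for name in rank_suspects(BEFORE, AFTER):
        print(f"{name}: +{changes[name]}")
```

Paste each capture into a file and feed the two strings to `rank_suspects`. In the constructed data the "TCP SYN flood" counter is the one that climbs during playback, which matches the thresholds visible in the config posted earlier in this thread (`attack-threshold 200`, `destination-threshold 2048` on the untrust screen): a player opening many short-lived connections to the same CDN destination can cross a per-destination SYN threshold. When a single screen counter moves like this, tuning that one check for the affected destinations is a narrower change than setting the whole untrust screen to inactive, and the diff gives you the before/after evidence for whichever change you make.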

Re: Slow video streaming SRX220

‎08-13-2013 03:18 AM

There are a number of things that could be the cause.  Did this start out of the blue while using the same software version or did you notice after an upgrade?  If using UTM/Application Identification features, it could be a bad signature update.  For a while, the signatures had a bug causing them not to ID any traffic on my SRX650.  Then one day they started working again after an updated signature.  This would change firewall behavior overnight if using any of these features.   I would look into PR886204 and PR855056 and make sure these don't affect you.  I also got bit in the rear end by these; caused very slow application performance.

Hope some of this helps.

Re: Slow video streaming SRX220

‎08-13-2013 09:04 AM

Thanks for the suggestions.  I'll try these out and post back what happens.

Re: Slow video streaming SRX220

‎10-21-2013 08:44 AM

Hey guys

Finally was able to update to 11.4R9.4 and still no luck.

Thanks

Joe

Re: Slow video streaming SRX220

‎07-13-2014 11:44 PM

I'm seeing this exact same issue on our SRX650 running 10.4R10.7 (yes, I know it needs an upgrade).  I haven't tried changing the screen settings as yet. jseiler, did you ever get a solution?

Re: Slow video streaming SRX220

‎08-01-2014 01:22 PM

If you're running IDP, check if you are seeing a lot of "TCP:ERROR:FLOW-MEMORY-EXCEEDED" alerts.  This started happening to our SRX 220 maybe a month ago or so when the rules were updated.  I had to exempt it because it would kick off for a lot of YouTube videos as well as downloading anything from HP's FTP servers.

Re: Slow video streaming SRX220

‎08-10-2014 10:20 PM

Updating the firmware to 12.1 resolved the issue.