SRX Services Gateway

packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎01-29-2020 11:16 PM

We are experiencing strange behavior on a VPN tunnel between an SRX100 and a Palo Alto firewall. The SRX firewall is in the branch and the Palo Alto firewall is in the HO. Some users behind the SRX are complaining of packet loss and high response time when pinging the server behind the Palo Alto. Please see the ping results.

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>ping 172.30.3.70

Pinging 172.30.3.70 with 32 bytes of data:
Reply from 172.30.3.70: bytes=32 time=193ms TTL=126
Request timed out.
Request timed out.
Reply from 172.30.3.70: bytes=32 time=185ms TTL=126

Ping statistics for 172.30.3.70:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 185ms, Maximum = 193ms, Average = 189ms

C:\Users\Administrator>ping 172.30.3.71

Pinging 172.30.3.71 with 32 bytes of data:
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.71:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms
Control-C
^C
C:\Users\Administrator>ping 172.30.3.73

Pinging 172.30.3.73 with 32 bytes of data:
Reply from 172.30.3.73: bytes=32 time=2ms TTL=126
Reply from 172.30.3.73: bytes=32 time=2ms TTL=126
Reply from 172.30.3.73: bytes=32 time=7ms TTL=126
Reply from 172.30.3.73: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.73:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms

C:\Users\Administrator>

C:\Users\Administrator>ping 172.30.3.74

Pinging 172.30.3.74 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 172.30.3.74: bytes=32 time=184ms TTL=126
Reply from 172.30.3.74: bytes=32 time=184ms TTL=126

Ping statistics for 172.30.3.74:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 184ms, Average = 184ms

C:\Users\Administrator>ping 172.30.3.75

Pinging 172.30.3.75 with 32 bytes of data:
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=2ms TTL=126
Reply from 172.30.3.75: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.75:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms

C:\Users\Administrator>ping 172.30.3.82

Pinging 172.30.3.82 with 32 bytes of data:
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126
Reply from 172.30.3.82: bytes=32 time=184ms TTL=126
Reply from 172.30.3.82: bytes=32 time=185ms TTL=126

Ping statistics for 172.30.3.82:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 185ms, Average = 184ms

C:\Users\Administrator>ping 172.30.3.83

Pinging 172.30.3.83 with 32 bytes of data:
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126
Reply from 172.30.3.83: bytes=32 time=2ms TTL=126
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126
Reply from 172.30.3.83: bytes=32 time=3ms TTL=126

Ping statistics for 172.30.3.83:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms

C:\Users\Administrator>ping 172.30.3.94

Pinging 172.30.3.94 with 32 bytes of data:
Reply from 172.30.3.94: bytes=32 time=184ms TTL=126
Reply from 172.30.3.94: bytes=32 time=185ms TTL=126
Request timed out.
Request timed out.

Ping statistics for 172.30.3.94:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 185ms, Average = 184ms


For example, a ping from server 172.16.0.135 to client 172.30.3.70 shows packet loss and high response time, but at the same time a ping from server 172.16.0.135 to client 172.30.3.71 shows no packet loss.


Can anyone help me to solve the issue?


Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
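As an added illustration (not code from the thread), the following Python script parses Windows ping transcripts in the format posted above, computes per-destination loss and average RTT, and flags the degraded hosts; the sample transcript is constructed from two of the posted results and the thresholds are assumptions.

```python
import re
from statistics import mean

# Constructed sample in the Windows ping format posted in the thread
PING_OUTPUT = """\
Pinging 172.30.3.70 with 32 bytes of data:
Reply from 172.30.3.70: bytes=32 time=193ms TTL=126
Request timed out.
Request timed out.
Reply from 172.30.3.70: bytes=32 time=185ms TTL=126

Pinging 172.30.3.71 with 32 bytes of data:
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=2ms TTL=126
Reply from 172.30.3.71: bytes=32 time=3ms TTL=126
"""

PINGING = re.compile(r"^Pinging (\S+) with")
# Windows prints "time=Nms" or "time<1ms"; both are accepted
REPLY = re.compile(r"^Reply from \S+: bytes=\d+ time[=<](\d+)ms")
TIMEOUT = re.compile(r"^Request timed out\.")


def parse_ping(text):
    """Return {target: {"rtts": [ms, ...], "lost": n}} per destination."""
    results, target = {}, None
    for line in text.splitlines():
        m = PINGING.match(line)
        if m:
            target = m.group(1)
            results[target] = {"rtts": [], "lost": 0}
        elif target is None:
            continue
        elif REPLY.match(line):
            results[target]["rtts"].append(int(REPLY.match(line).group(1)))
        elif TIMEOUT.match(line):
            results[target]["lost"] += 1
    return results


def classify(results, max_avg_ms=100, max_loss_pct=0):
    """Flag destinations whose loss or average RTT exceeds the assumed thresholds."""
    report = {}
    for target, r in results.items():
        sent = len(r["rtts"]) + r["lost"]
        loss = 100.0 * r["lost"] / sent if sent else 100.0
        avg = mean(r["rtts"]) if r["rtts"] else None
        degraded = loss > max_loss_pct or (avg is not None and avg > max_avg_ms)
        report[target] = {"loss_pct": loss, "avg_ms": avg, "degraded": degraded}
    return report


if __name__ == "__main__":
    for host, row in classify(parse_ping(PING_OUTPUT)).items():
        print(host, row)
```

Running it over a longer capture makes the split between the ~2 ms and ~185 ms groups visible at a glance instead of reading each ping block by hand.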

Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎01-29-2020 11:23 PM

My srx configuration


set version 12.1X44-D36
set system host-name BOOKSTALL
set system root-authentication encrypted-password 
set system services ssh
set system services dns dns-proxy interface vlan.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 208.67.220.220
set system services dns dns-proxy default-domain mpp.com forwarders 172.16.0.130
set system services web-management http interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members book-cctv
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members book-lan
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members book-lan
set interfaces pp0 unit 0 apply-macro bsnl-ffth
set interfaces pp0 unit 0 ppp-options chap default-chap-secret ""
set interfaces pp0 unit 0 ppp-options chap local-name ""
set interfaces pp0 unit 0 ppp-options chap no-rfc2486
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 ppp-options pap local-name ""
set interfaces pp0 unit 0 ppp-options pap no-rfc2486
set interfaces pp0 unit 0 ppp-options pap local-password ""
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 5
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 172.30.3.66/27
set interfaces vlan unit 0 family inet address 172.30.3.65/27
set interfaces vlan unit 1 family inet filter input output-limit
set interfaces vlan unit 1 family inet filter output output-limit
set interfaces vlan unit 1 family inet address 172.30.3.225/28
set routing-options static route 172.16.0.0/16 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 172.18.0.0/16 next-hop st0.0
set routing-options static route 10.10.0.0/16 next-hop st0.0
set security ike policy delhi mode main
set security ike policy delhi proposal-set standard
set security ike policy delhi pre-shared-key ascii-text ""
set security ike gateway ike-delhi ike-policy delhi
set security ike gateway ike-delhi address x.x.x.x
set security ike gateway ike-delhi external-interface pp0
set security ipsec policy delhivpn proposal-set standard
set security ipsec vpn ike-delhi bind-interface st0.0
set security ipsec vpn ike-delhi ike gateway ike-delhi
set security ipsec vpn ike-delhi ike ipsec-policy delhivpn
set security ipsec vpn ike-delhi establish-tunnels immediately
set security flow tcp-mss all-tcp mss 1350
set security flow tcp-mss ipsec-vpn mss 1350
set security nat source rule-set lan-untrust from zone trust
set security nat source rule-set lan-untrust to zone untrust
set security nat source rule-set lan-untrust rule lan-untrust match source-address 0.0.0.0/0
set security nat source rule-set lan-untrust rule lan-untrust match destination-address 0.0.0.0/0
set security nat source rule-set lan-untrust rule lan-untrust then source-nat interface
set security nat source rule-set cctv-untrust from zone cctv
set security nat source rule-set cctv-untrust to zone untrust
set security nat source rule-set cctv-untrust rule cctv-untrust match source-address 0.0.0.0/0
set security nat source rule-set cctv-untrust rule cctv-untrust match destination-address 0.0.0.0/0
set security nat source rule-set cctv-untrust rule cctv-untrust then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone vpn to-zone trust policy vpn-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-trust then permit
set security policies from-zone trust to-zone vpn policy trust-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-vpn then permit
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match source-address any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match destination-address any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust match application any
set security policies from-zone cctv to-zone untrust policy cctv-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security zones security-zone cctv host-inbound-traffic system-services all
set security zones security-zone cctv host-inbound-traffic protocols all
set security zones security-zone cctv interfaces vlan.1
set firewall family inet filter output-limit term 0 from source-address 0.0.0.0/0
set firewall family inet filter output-limit term 0 then policer policer-5mb
set firewall family inet filter output-limit term 0 then accept
set firewall policer policer-5mb if-exceeding bandwidth-limit 5m
set firewall policer policer-5mb if-exceeding burst-size-limit 625k
set firewall policer policer-5mb then discard
set vlans book-cctv vlan-id 3
set vlans book-cctv l3-interface vlan.1
set vlans book-lan vlan-id 2
set vlans book-lan l3-interface vlan.0

Thanks,
Jsree


Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎01-30-2020 03:49 PM
For example, a ping from server 172.16.0.135 to client 172.30.3.70 shows packet loss and high response time, but at the same time a ping from server 172.16.0.135 to client 172.30.3.71 shows no packet loss.

Well, the network path for both of these tests is the same.

The source-side server is the same for both.

Thus the only difference is the destination client address.


So it would seem the issue is with some client-specific configuration or a client-specific connection issue like cabling or a port, not the general VPN path that both share.


A minor issue is these two interfaces being put in the same subnet.

set interfaces st0 unit 0 family inet address 172.30.3.66/27
set interfaces vlan unit 0 family inet address 172.30.3.65/27

The st0 tunnel interfaces are virtual link interfaces that should be thought of as a point-to-point link over the VPN tunnel created. In your case there is no virtual interface on the other side, like another SRX, so any address, or even having this unnumbered to the VPN interface, is fine.


But setting this to an address that overlaps the internal VLAN would not be good practice. However, as long as it was not duplicated or accidentally used as a routing gateway, no harm should occur.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
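As an added check (not from the thread or from Junos itself), this Python snippet parses `set interfaces ... family inet address` lines from a set-format config and reports interface pairs whose subnets overlap, which is how the st0.0 / vlan.0 overlap noted above can be caught before commit; the config excerpt is constructed from three addresses in the posted config.

```python
import ipaddress
import re
from itertools import combinations

# Constructed excerpt: the three interface addresses from the posted config
CONFIG = """\
set interfaces st0 unit 0 family inet address 172.30.3.66/27
set interfaces vlan unit 0 family inet address 172.30.3.65/27
set interfaces vlan unit 1 family inet address 172.30.3.225/28
"""

ADDR_LINE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")


def parse_addresses(config):
    """Map 'ifname.unit' -> IPv4Interface for every inet address line."""
    addrs = {}
    for line in config.splitlines():
        m = ADDR_LINE.match(line.strip())
        if m:
            ifname, unit, cidr = m.groups()
            addrs[f"{ifname}.{unit}"] = ipaddress.ip_interface(cidr)
    return addrs


def overlapping_pairs(addrs):
    """Return (ifA, ifB, networkA) for each pair of logical interfaces
    whose subnets overlap; st0 and vlan units sharing a /27 is the case here."""
    hits = []
    for (a, ia), (b, ib) in combinations(sorted(addrs.items()), 2):
        if ia.network.overlaps(ib.network):
            hits.append((a, b, str(ia.network)))
    return hits


if __name__ == "__main__":
    for a, b, net in overlapping_pairs(parse_addresses(CONFIG)):
        print(f"{a} and {b} both sit in {net}")
```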

Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎02-03-2020 05:31 AM

Hi,


Thanks for helping me. I followed a guide found here, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJbCAK , which I think was created by you, to configure the tunnel, but I am using a static route instead of OSPF. It is working perfectly without any issue. But the response time from different clients to servers is different; for example, the response time from client 172.16.2.1 to server 172.16.0.135 is 186 ms, but at the same time another client, 172.16.2.2, to 172.16.0.135 is 50 ms. If I ping another server, 172.16.0.136, from 172.16.2.1 it will be 50 ms, but the response time from 172.16.2.2 is 186 ms. What I am trying to say is that the response time is random and is not following a pattern. In the guide it is mentioned to change the MTU size to 1350 on the SRX side; do I need to change it on the Palo Alto side also?

Thanks,
Jsree


Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎02-03-2020 05:47 AM

You are right: since the problem is random, not fixed, a good candidate is MSS on the VPN. I did create that article on the PAN forums. At the time MSS settings were not supported, but they are now, so you can match the 1350 on both sides to see if that helps.


https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/networking-features/configurable-ms...


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: packet loss and high response time for some computers through vpn tunnel between srx100 and paloalto firewall

‎02-07-2020 08:39 AM

Hi,


I tried to change the MTU value on the Palo Alto tunnel, but the ping response is still changing randomly. Is there any way we can troubleshoot this issue? According to the Palo Alto docs, Palo Alto automatically adjusts the MSS value.

Thanks,
Jsree
