1. Sorry, I did not understand this point. "show system statistics" and "show security flow statistics" report different things. While "show security flow statistics" provides flow (session) statistics, "show system statistics" provides RE-bound stats.
3. As mentioned earlier, you can use "show security flow status" to check whether the SRX is working in packet mode or flow mode.
I understand that it is in packet flow mode.... But based on your replies, what to say about the following current configuration on the device relating to iso, ipsec-vpn and gre-in? Do these need to be deleted? Or how can I double-check that they are not being used on the security module on the SRX?
1-) Just checked and there is no IS-IS routing configuration, but there is only one statement, as below. Should it be deleted, or?
    650srx> show configuration | display set | match iso
    set security forwarding-options family iso mode packet-based
2-) There is no IKE or IPsec configuration under the security stanza... And I also checked the following... nothing is coming up....
    show security ike security-associations
    show security ipsec security-associations
So are the following statements ready to be deleted, or? Just a little bit concerned about whether gre is related to the gr-0/0/0 virtual interface?
    set security flow tcp-mss ipsec-vpn
    set security flow tcp-mss gre-in mss 1360
    set security flow tcp-mss gre-out
    650srx> show configuration interfaces gr-0/0/0 | display set
    set interfaces gr-0/0/0 description tunnel_5"
    set interfaces gr-0/0/0 unit 0 clear-dont-fragment-bit
    set interfaces gr-0/0/0 unit 0 tunnel source 10.110.145.5
    set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.25.17
    set interfaces gr-0/0/0 unit 0 tunnel allow-fragmentation
    set interfaces gr-0/0/0 unit 0 family inet mtu 1380
    set interfaces gr-0/0/0 unit 0 family inet address 172.16.20.5/30
    650srx> show interfaces terse | match gr
    gr-0/0/0 up up
    gr-0/0/0.0 up up inet 172.16.20.5/30
    gre up up
3-)
    650srx> show configuration interfaces st0 | display set
-----> There is no st0 config, but it is "up up" as shown below. Should it be administratively down? I mean "down down", as it is not being used?
    650srx> show interfaces terse | match st0
    st0 up up
    650srx> show interfaces terse | match st
    st0 up up
    650srx> show interfaces st0 extensive -------------> there is no traffic either....
    Physical interface: st0, Enabled, Physical link is Up
      Interface index: 134, SNMP ifIndex: 503, Generation: 137
      Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
      Hold-times : Up 0 ms, Down 0 ms
      Device flags : Present Running
      Interface flags: Point-To-Point
      Statistics last cleared: Never
      Traffic statistics:
       Input bytes : 0 0 bps
       Output bytes : 0 0 bps
       Input packets: 0 0 pps
       Output packets: 0 0 pps
Hi,
That being the case, I would leave that config in there. This is not service impacting. You may also want to check statistics on the gr interface:
    show interfaces gr-0/0/0 extensive
Regards,
Vikas