SRX Services Gateway

slow response of APP

‎05-07-2019 01:24 PM

Hello,

A few days back, our branch staff reported to us that the Business APP is running very slow; mostly the page turns white without showing/loading the data. We have checked WAN connectivity on our ISP side and found no issues (delay/packet loss or other degradation). Meanwhile someone (branch staff) ran a continuous ping (on a branch desktop PC) to a remote IP (remote trust IP), and then the Business APP responds well. The same procedure is now being followed by other branches: they must run a continuous ping on a branch PC and then the APP response is normal.

We have a Juniper EX2300 switch and an SRX320 firewall in the branches. IPsec route-based VPNs are being used.

We are not able to figure out what caused this problem and why the APP response is fine upon continuous ping.

 


Re: slow response of APP

‎05-07-2019 10:10 PM

Can you share your VPN config? Is it configured as always up, or as up on traffic?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: slow response of APP

‎05-07-2019 10:26 PM

VPN config given below:

 

vpn VPN-PRI-NTC {
    bind-interface st0.2;
    vpn-monitor {
        optimized;
    }
    ike {
        gateway IKE-GW-PRI-NTC;
        proxy-identity {
            local 10.3.9.0/24;
            remote 192.168.100.0/24;
            service any;
        }
        ipsec-policy Branches-Policy-withlifetime;
    }
}
vpn VPN-BCK-NTC {
    bind-interface st0.3;
    ike {
        gateway IKE-GW-BCK-NTC;
        proxy-identity {
            local 10.3.9.0/24;
            remote 192.168.100.0/24;
            service any;
        }
        ipsec-policy IPSEC-POLICY-VPN-CORE;
    }
}


Re: slow response of APP

‎05-07-2019 10:34 PM
set security ipsec vpn VPN-PRI-NTC establish-tunnels immediately

set security ipsec vpn VPN-BCK-NTC establish-tunnels immediately

Please add these on respective sides to keep the tunnels active all the time and check the behaviour.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: slow response of APP

‎05-07-2019 11:24 PM

I have applied the config, but it is still slow, and fine upon continuous ping. Is there anything relating to TCP MSS?

 

Config on both sides pasted below

 

Datacentre side settings
-----------------------------------

set security ike gateway F-10-GW ike-policy SSG-IKE-Policy
set security ike gateway F-10-GW address 10.xx.xx.x
set security ike gateway F-10-GW external-interface reth0.0
set security ipsec vpn F-10 bind-interface st0.5
set security ipsec vpn F-10 ike gateway F-10-GW
set security ipsec vpn F-10 ike ipsec-policy SSG-IPSEC-Policy
set security ipsec vpn F-10 traffic-selector F-10 local-ip 192.x.x.0/24
set security ipsec vpn F-10 traffic-selector F-10 remote-ip 10.x.x.0/24
set security ipsec vpn F-10 establish-tunnels immediately


Branch side settings
------------------------------------


set security ipsec vpn VPN-PRI-NTC bind-interface st0.2
set security ipsec vpn VPN-PRI-NTC vpn-monitor optimized
set security ipsec vpn VPN-PRI-NTC ike gateway IKE-GW-PRI-NTC
set security ipsec vpn VPN-PRI-NTC ike proxy-identity local 10.x.x.0/24
set security ipsec vpn VPN-PRI-NTC ike proxy-identity remote 192.x.x.0/24
set security ipsec vpn VPN-PRI-NTC ike proxy-identity service any
set security ipsec vpn VPN-PRI-NTC ike ipsec-policy Branches-Policy-withlifetime
set security ipsec vpn VPN-PRI-NTC establish-tunnels immediately
set security ipsec vpn VPN-BCK-NTC bind-interface st0.3
set security ipsec vpn VPN-BCK-NTC ike gateway IKE-GW-BCK-NTC
set security ipsec vpn VPN-BCK-NTC ike proxy-identity local 10.x.x.0/24
set security ipsec vpn VPN-BCK-NTC ike proxy-identity remote 192.x.x.0/24
set security ipsec vpn VPN-BCK-NTC ike proxy-identity service any
set security ipsec vpn VPN-BCK-NTC ike ipsec-policy IPSEC-POLICY-VPN-CORE
set security ipsec vpn VPN-BCK-NTC establish-tunnels immediately


Re: slow response of APP

‎05-07-2019 11:28 PM
set security flow tcp-mss ipsec-vpn mss 1250: you can try configuring this on both sides and check. Not sure how TCP MSS is related to ICMP ping.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: slow response of APP

‎05-08-2019 12:38 AM

Checked with 1250 MSS, but the problem still persists.

What's the default value being used as TCP MSS on IPsec, and how do I view the default value? Moreover, what's the Juniper-recommended TCP MSS value?

What's the effect of increasing or decreasing the MSS?


Re: slow response of APP

‎05-15-2019 01:03 PM

Hello experts,

Please respond.


Re: slow response of APP

‎05-16-2019 01:42 AM

Hi,

 

QUE :- What's the default value being used as tcp-mss on ipsec?

Juniper:- There is no default value that is defined explicitly for IPsec traffic. It uses the Ethernet default set.

 

QUE:- and how to view the default value?

Juniper:- NA

 

Moreover what's the juniper recommended tcp-mss value ?

Juniper :- Juniper cannot explicitly define one tcp-mss value for IPSEC as the value is dependent upon network to network.

 

What's the effect of increasing or decreasing the MSS?

Juniper :- This is a good question.

For Example :- MTU of the egress interface is 1500.

The generic definition of MSS for generic traffic is 1500 - (TCP + IP header).

Likewise, for IPsec it would be 1500 - (TCP + IP + ESP).

 

Further, decreasing the MSS to something very low, let's say 1000, would result in more packets being generated by the source. Hence overhead.

Increasing the MSS to, let's say, 1460 for ESP traffic would mean ESP packets being fragmented. Hence overhead.

 

Regards,

 

Rahul
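The MSS arithmetic above, worked through as an added example that is not from the thread or from Juniper: it assumes ESP tunnel mode over IPv4 with AES-CBC (16-byte IV, 16-byte block padding) and a 12-byte HMAC ICV, and shows why a 1460 MSS fragments on a 1500 MTU egress link while the 1250 tried earlier in the thread does not.

```python
"""Worked MSS/MTU arithmetic for TCP carried inside an IPsec ESP tunnel.

Assumptions (not stated in the thread): ESP tunnel mode over IPv4,
AES-CBC with a 16-byte IV and 16-byte block padding, HMAC ICV of 12 bytes.
Packet sizes are constructed for illustration.
"""
IP_HDR = 20        # IPv4 header without options (used for inner and outer IP)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_overhead(inner_len, iv_len=16, icv_len=12, block=16):
    """Bytes added when an inner IP packet of inner_len is wrapped in ESP tunnel mode."""
    # Padding makes (inner packet + trailer) a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def outer_packet_len(mss, **kw):
    """On-the-wire size of a full-MSS TCP segment after ESP tunnel encapsulation."""
    inner = IP_HDR + TCP_HDR + mss
    return inner + esp_overhead(inner, **kw)


def fragments(mss, mtu=1500, **kw):
    """True if a full-MSS segment no longer fits the egress MTU after encapsulation."""
    return outer_packet_len(mss, **kw) > mtu


def max_mss_without_fragmentation(mtu=1500, **kw):
    """Largest MSS whose encapsulated packet still fits the egress MTU.

    Starts from the plain-Ethernet value (1500 - 20 - 20 = 1460) and walks down,
    because ESP padding makes the overhead non-monotonic in steps of one byte.
    """
    mss = mtu - IP_HDR - TCP_HDR
    while mss > 0 and fragments(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    for candidate in (1460, 1250):
        print(candidate, outer_packet_len(candidate), "fragments" if fragments(candidate) else "fits")
    print("max MSS without fragmentation:", max_mss_without_fragmentation())
```

Under these assumptions the largest non-fragmenting MSS on a 1500 MTU link is 1398; a different cipher suite (for example AES-GCM, with its own IV and ICV sizes) changes the overhead and therefore the answer.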


Re: slow response of APP

‎05-16-2019 01:50 AM

Hello,

 

Looking at the problem symptom and the troubleshooting done with respect to TCP MSS, it is clear that the problem is not with fragmentation.

 

It is indeed strange why the application would behave differently with or without a ping to it. A packet capture from the client and server side, with and without ping, would be ideal to troubleshoot the problem. Given the symptoms, I do not believe this is an issue with the firewall/VPN setup.

 

I am assuming this is the only application impacted.

 

Regards,

 

Vikas


Re: slow response of APP

‎05-16-2019 01:53 AM

Hi,

 

Further to talk about your issue:-

1. User sends a continuous ping to the destination APP host and then the APP works fine.

Juniper :- This is weird. You mention every location sees a similar state. Kindly confirm if we see a similar issue with the APP host without accessing it via VPN?

 

2. SRX300 is on the branch side.

Juniper:- Do we have an SRX on the hub site too? Since traffic for the APP would be from the APP host side towards the branch, if this has anything to do with fragmentation it would be on the hub side.

 

Regards,

 

Rahul

Juniper


Re: slow response of APP

‎05-17-2019 01:26 PM

1. Not all branches are experiencing the same issue, only a few.

2. Branches use a URL for the APP, which is resolved by DNS.

3. The APP is on a server (at the Data Centre) which is behind a NATted IP, as per the scenario below:

 

Branch side SRX320-------------------------> DataCentre side SRX1500

Branch side VPN  local ip 10.3.xx.xx  remote ip 192.168.xx.xx

Destination NAT used on DC side SRX1500

10.3.xx.xx --------->192.168.xx.xx -------NAT to pool  10.40.xx.xx-