Screen OS

Hi All,

i have a problem with my Ns208.  When FTP transfer Occured CPU goes high ( can reach 80 %). but after FTP transfer finish. CPU in normal state.

and from JTAC pre-analysis the problem caused by box capacity which total throuput at that time is 100 Mbps and average packet size is less that 200 byte.

i try to replicate this problem in my lab using NS25 and deploy transparent mode after that i inject ftp traffic 8gb rar file. when ftp occured cpu also goes high.  i also replicate this issue using l3 mode. and cpu also increase but not high as we deploy L2 mode.

is it any different behavior related to FTP traffic when we deploy firewall as L2 and L3 mode. btw could we setting the packet size of the data ?

Thanks

ELkim

Hi

i think its isen't very different betwenn L2 & L3 regarding traffic, usully the l2 is deployed when the administrator need to implementing FW without any change thier setting or network infraéstructure.

you can view chanpter   7 of Docuementation : concept é example screen OS reference guide you can set and manage traffic with policy 

thnaks you 

fahi Mehdi, the fact is like that. CPU also increase but not as much as when we deploy l2. btw what is determine speed of ftp transfer and size of the packet ?

Thanks

Hi,

If possible, I would recommend you try using the built-in traffic shaping feature using a Policy.  For example, you could cap the FTP BW and run some more tests.  This may help prevent the large FTP transfers from chewing up all the resources.

-John

hi John,

thanks fo reply. does if we do traffic shaping the cpu wont increase?. do u have another way to solve this issue ? because i think if we do traffic shaping, cpu will use to shape the traffic. CMIIW

Thanks

Hi

 ELKIM 

 i sent you from my last post you can use traffic shaping  chanpter   7 of Docuementation : concept é example screen OS reference guide.

however may be cause this cpu ethier  screenOs Version  or anoumalouse packet could you try other screen OS recomanded by Juniper ?? 

from version 6.1.0r3 you can protect your CPU section 

Configuration >>>>> CPU Protection.

and I advise you to take contact with suppot.

Hi,

The reason why I think TS will help is because it will reduce the PPS (Packets Per Second) entering your box.  Without shaping, your box is accepting and processing all packets during the transfer.  Since it would be treated as a single session, the switching peive should be handled out of memory and the onboard ASIC.  In my opinion, this is your best option and I don't think it's a risky test.  Give it a go and let me know.

-John

Hmm, actually I think FTP may be triggering the CPU high also partially becos its ALG traffic:

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

I think you can try to have 2 specific policies :

NS208-> set pol top from trust to untrust any any FTP permit
policy id = 4
NS208-> set pol id 4 application ignore

NS208-> set pol from trust to untrust any any any permit

Pol 4 will ignore the ALG processing and the nxt policy will permit the dynamic ports.

Take note that you have to have the permit any policy facing the side where the server is starting up the data connection(if you are using active FTP). If its passive then you need to have the policy from where the CLIENT starts up the data connect.

hi WL,

Could you explain me more detail about this command. what do u want show to me, sorry i still dont know.

NS208-> get nat registry vector  | i ftp
 1      00621f5c        FTP
29      0060e970        TFTP
NS208->

for policy i know what u mean .

Thanks

Basically that just shows you what kind ALG you have on the firewall. The cmd is different on later SOS eg 6.0  as we use:

"get alg " to show what ALGsare enabledon the firewall

hi WL,

thx for update. i already set the policy that u suggest. but the cpu still goes high. then i try to set traffic shaping like mehdi and john suggest and the result cpu not quite high,

btw i have another question. i only setup 2 interface with eth3 on v1-untrust and eth4 on v1-trust. i set maximum bandwidth to 5000kbps. and inject only FTP traffic. but why the FTP traffic only takes 1500kbps not 5000kbps ?

thanks

Hi,

Did you set the Traffic Shaping on the Policy or did you set the BW on the interface?

-John

hi John,

i set traffic shaping on policy. set only on max bw field.

 Thanks

OK, I would try to enable "Counting" on the Policy as well.  Then login to the WebUI during a transfer, go to the policy, and hit the hour glass icon.  This should tell you how much Bandwidth is in use through the Firewall for that Policy.

-John

hi John,

thx for info. i would try it tomorrow cause i'm out of office right now. btw do u have messenger like yahoo or msn for quick chat?

i also wanna ask you about traffic shaping 

thanks