Topic: SRX100 system too slow AND ipsec VPN with errors.

monchito

« on: April 04, 2017, 04:46:53 pm »

Hi all, this SRX100 gets too slow; I see it in the SSH connection and when pinging the internet.

The user complains when having to connect to the VPN; I think it fails because of the slow system.

VPN logs (kmd-logs)
Code:
64.64.226]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=^L^FM-^HW�*v�6�^OOfM-^QcM-^_, src_ip=<none>, dst_ip=x.x.x.x]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=fcad3ff9, src_ip=y.y.y.y, dst_ip=x.x.x.x]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2: Negotiations failed. Local gateway: x.x.x.x, Remote gateway: x.x.x.x

Code:
root@srx100% df -h
Filesystem      Size    Used   Avail Capacity  Mounted on
/dev/da0s2a     293M    138M    132M    51%    /
devfs           1.0K    1.0K      0B   100%    /dev
/dev/md0        368M    368M      0B   100%    /junos
/cf             293M    138M    132M    51%    /junos/cf
devfs           1.0K    1.0K      0B   100%    /junos/dev/
procfs          4.0K    4.0K      0B   100%    /proc
/dev/bo0s3e      24M     46K     22M     0%    /config
/dev/bo0s3f     342M     10M    305M     3%    /cf/var
/dev/md1         84M     15M     62M    20%    /mfs
/cf/var/jail    342M     10M    305M     3%    /jail/var
/cf/var/log     342M     10M    305M     3%    /jail/var/log
devfs           1.0K    1.0K      0B   100%    /jail/dev
/dev/md2        1.8M    116K    1.6M     7%    /jail/mfs

I see flowd_octeon too high
Code:
  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
 1265 root        4  76    0   199M 37108K select 0 276:57 118.75% flowd_octeon
 1251 root        1 139    0  3288K  2052K RUN    0 144:52 57.86% ntpd
 1002 root        1  76    0 12608K  4376K select 0   0:57  0.00% eventd
 1289 root        1  76    0 12296K  5396K select 0   0:53  0.00% license-check
 1301 nobody      6  81    0 28056K 15112K ucondt 0   0:48  0.00% httpd
 1254 root        1  76    0 27784K  9456K select 0   0:40  0.00% mib2d
 1256 root        1  76    0 20212K  7812K select 0   0:37  0.00% l2ald
 1275 root        1  76    0 15532K  3084K select 0   0:27  0.00% shm-rtsdbd

show chassis routing-engine
Code:
Routing Engine status:
    Temperature                 52 degrees C / 125 degrees F
    Total memory               512 MB Max   415 MB used ( 81 percent)
      Control plane memory     336 MB Max   316 MB used ( 94 percent)
      Data plane memory        176 MB Max   100 MB used ( 57 percent)
    CPU utilization:
      User                      23 percent
      Background                 0 percent
      Kernel                    76 percent
      Interrupt                  1 percent
      Idle                       0 percent
    Model                          RE-SRX100B
    Serial ID                      AT0610AF0162
    Start time                     2017-04-04 14:48:46 ART
    Uptime                         3 hours, 52 minutes, 1 second
    Last reboot reason             0x1:power cycle/failure
    Load averages:                 1 minute   5 minute  15 minute
                                       2.18       2.11       2.04


What do you think? Is there a resource problem? How can I solve it?
Thanks!
Monchito

joshua.tres

« Reply #1 on: April 15, 2017, 03:49:03 pm »
What kind of phase 2 encryption are you using?
Did you check the tcp-mss settings?
 https://kb.juniper.net/InfoCenter/index?page=content&id=KB30688&pmv=print&actp=LIST

BR Josh

glm07

« Reply #2 on: September 09, 2017, 08:05:28 pm »
Hi monchito,

The previous reply from Josh is valid, and it is recommended to always have the tcp-mss value set on BOTH VPN peers; however, it has nothing to do with the slowness "doing ping to Internet".

Flowd running "High" is completely normal and you do not need to worry about it; it is the daemon in charge of all traffic processing on the device, so it is completely expected. What I do see running high is ntpd; you can try restarting that process from the shell (let me know if you do not know how to do it).

Finally, there is a big problem with CPU utilization on the Control Plane (RE); an idle percentage of 0 is definitely the cause of the slowness.

Please attach the output of the following commands:
# show | display set | match traceoptions
# show | display set | match sampling
# show | display set | match session-init
# show | display set | match session-close

If you can also attach the config, that would be nice.

BR.
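
The triage discussed in this thread (routing-engine idle at 0 percent alongside kmd retry-limit failures) can be scripted. The following is an added example, not code from any poster: the sample input is constructed from the output quoted above, and the function names and thresholds are assumptions for illustration.

```python
import re

# Constructed sample input, modelled on the output quoted in this thread.
RE_OUTPUT = """\
    Total memory               512 MB Max   415 MB used ( 81 percent)
      Control plane memory     336 MB Max   316 MB used ( 94 percent)
      Data plane memory        176 MB Max   100 MB used ( 57 percent)
    CPU utilization:
      User                      23 percent
      Kernel                    76 percent
      Idle                       0 percent
"""
KMD_LOG = """\
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=fcad3ff9, src_ip=y.y.y.y, dst_ip=x.x.x.x]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2: Negotiations failed. Local gateway: x.x.x.x, Remote gateway: x.x.x.x
"""

def parse_routing_engine(text):
    """Extract CPU and control-plane memory percentages from the RE status text."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Idle|Kernel|User)\s+(\d+) percent", line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
        m = re.match(r"\s*Control plane memory.*\(\s*(\d+) percent\)", line)
        if m:
            stats["control_plane_mem"] = int(m.group(1))
    return stats

def count_ike_failures(log):
    """Count kmd 'IKE Phase-N Failure' lines per phase."""
    counts = {}
    for m in re.finditer(r"kmd\[\d+\]: IKE (Phase-[12]) Failure:", log):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def triage(re_text, kmd_log, idle_floor=10, mem_ceiling=90):
    """Thresholds are illustrative assumptions, not vendor guidance."""
    stats, fails = parse_routing_engine(re_text), count_ike_failures(kmd_log)
    findings = []
    if stats.get("idle", 100) < idle_floor:
        findings.append(f"RE CPU saturated: idle {stats['idle']}%, kernel {stats.get('kernel')}%")
    if stats.get("control_plane_mem", 0) > mem_ceiling:
        findings.append(f"control plane memory at {stats['control_plane_mem']}%")
    if fails and findings:
        findings.append(f"IKE failures {fails} coincide with RE starvation; check RE load first")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(RE_OUTPUT, KMD_LOG)))
```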