SRX100 system too slow AND ipsec VPN with errors.



  • Hi all, this SRX100 has become too slow; I see it in the SSH connection and when pinging the internet.

    The users complain when they have to connect to the VPN; I think it fails because of the slow system.

    VPN logs (kmd-logs)

    ```
    64.64.226]
    Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=^L^FM-^HW�*v�6�^OOfM-^QcM-^_, src_ip=<none>, dst_ip=x.x.x.x]
    Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=fcad3ff9, src_ip=y.y.y.y, dst_ip=x.x.x.x]
    Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2: Negotiations failed. Local gateway: x.x.x.x, Remote gateway: x.x.x.x
    ```

    ```
    root@srx100% df -h
    Filesystem      Size    Used  Avail Capacity  Mounted on
    /dev/da0s2a    293M    138M    132M    51%    /
    devfs          1.0K    1.0K      0B  100%    /dev
    /dev/md0        368M    368M      0B  100%    /junos
    /cf            293M    138M    132M    51%    /junos/cf
    devfs          1.0K    1.0K      0B  100%    /junos/dev/
    procfs          4.0K    4.0K      0B  100%    /proc
    /dev/bo0s3e      24M    46K    22M    0%    /config
    /dev/bo0s3f    342M    10M    305M    3%    /cf/var
    /dev/md1        84M    15M    62M    20%    /mfs
    /cf/var/jail    342M    10M    305M    3%    /jail/var
    /cf/var/log    342M    10M    305M    3%    /jail/var/log
    devfs          1.0K    1.0K      0B  100%    /jail/dev
    /dev/md2        1.8M    116K    1.6M    7%    /jail/mfs
    ```

    
    I see flowd_octeon too high
    

    ```
    PID USERNAME  THR PRI NICE  SIZE    RES STATE  C  TIME  WCPU COMMAND
    1265 root        4  76    0  199M 37108K select 0 276:57 118.75% flowd_octeon
    1251 root        1 139    0  3288K  2052K RUN    0 144:52 57.86% ntpd
    1002 root        1  76    0 12608K  4376K select 0  0:57  0.00% eventd
    1289 root        1  76    0 12296K  5396K select 0  0:53  0.00% license-check
    1301 nobody      6  81    0 28056K 15112K ucondt 0  0:48  0.00% httpd
    1254 root        1  76    0 27784K  9456K select 0  0:40  0.00% mib2d
    1256 root        1  76    0 20212K  7812K select 0  0:37  0.00% l2ald
    1275 root        1  76    0 15532K  3084K select 0  0:27  0.00% shm-rtsdbd
    ```

    
    **show chassis routing-engine**
    

    ```
    Routing Engine status:
        Temperature                52 degrees C / 125 degrees F
        Total memory              512 MB Max  415 MB used ( 81 percent)
          Control plane memory    336 MB Max  316 MB used ( 94 percent)
          Data plane memory        176 MB Max  100 MB used ( 57 percent)
        CPU utilization:
          User                      23 percent
          Background                0 percent
          Kernel                    76 percent
          Interrupt                  1 percent
          Idle                      0 percent
        Model                          RE-SRX100B
        Serial ID                      AT0610AF0162
        Start time                    2017-04-04 14:48:46 ART
        Uptime                        3 hours, 52 minutes, 1 second
        Last reboot reason            0x1:power cycle/failure
        Load averages:                1 minute  5 minute  15 minute
                                          2.18      2.11      2.04
    ```

    
    What do you think? Is there a resource problem? How can I solve it?
    Thanks!
    Monchito


  • Hi monchito,

    The previous reply from Josh is valid, and it is a recommendation to always have the TCP MSS value set on BOTH VPN peers; however, it has nothing to do with slowness “doing ping to Internet”.

    Flowd running “High” is completely normal and you do not need to worry about it; it is the daemon in charge of all traffic processing on the device, so it is completely expected. What I do see running high is ntpd; you can try restarting that process from the shell (let me know if you do not know how to do it).

    Finally, there is a big problem with CPU utilization on the Control Plane (RE); an Idle percentage of 0 is definitely the cause of the slowness.

    Please attach the output of the following commands:

    ```
    show | display set | match traceoptions
    show | display set | match sampling
    show | display set | match session-init
    show | display set | match session-close
    ```

    If you can also attach the config, that would be nice.

    BR.



  • What kind of phase 2 encryption are you using?
    Did you check the tcp-mss settings?
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30688&pmv=print&actp=LIST

    BR Josh
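
One way to triage kmd lines like those quoted in the first post, as an added example that is not part of the thread: it tallies IKE Phase-1/Phase-2 failures per destination and copes with the raw, non-printable SPI seen in the Phase-1 line. The function names are hypothetical, the field layout is assumed from the quoted lines, and the sample log uses constructed documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample modelled on the kmd lines quoted in the thread. Addresses are
# documentation-range placeholders; \x0c is the form feed shown as ^L in the post.
SAMPLE = """\
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=\x0c\x06W*v\x0f, src_ip=<none>, dst_ip=198.51.100.7]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=fcad3ff9, src_ip=203.0.113.5, dst_ip=198.51.100.7]
Apr  4 17:39:24  srx100 kmd[2207]: IKE Phase-2: Negotiations failed. Local gateway: 198.51.100.7, Remote gateway: 203.0.113.5
Apr  4 17:41:02  srx100 kmd[2207]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=\x0c\x06W*v\x0f, src_ip=<none>, dst_ip=198.51.100.7]
"""

# Field layout assumed from the quoted lines: reason, then [spi=, src_ip=, dst_ip=].
FAIL = re.compile(
    r"kmd\[\d+\]: IKE Phase-(?P<phase>[12]) Failure: (?P<reason>.*?) "
    r"\[spi=(?P<spi>.*), src_ip=(?P<src>[^,\]]+), dst_ip=(?P<dst>[^\]]+)\]"
)
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_failures(text):
    """Return one dict per 'IKE Phase-N Failure' line found in text."""
    records = []
    # split("\n"), not splitlines(): splitlines() also breaks on \x0c, \x1c-\x1e and
    # \x85, any of which can occur in a raw SPI, and would cut the record in two.
    for line in text.split("\n"):
        m = FAIL.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["phase"] = int(rec["phase"])
        rec["spi_printable"] = bool(HEX.fullmatch(rec["spi"]))
        if not rec["spi_printable"]:
            # Hex-encode raw SPI bytes so reports and terminals stay clean.
            rec["spi"] = rec["spi"].encode("utf-8", "surrogateescape").hex()
        records.append(rec)
    return records

def summarize(records):
    """Count failures per (phase, dst_ip, reason)."""
    return Counter((r["phase"], r["dst"], r["reason"]) for r in records)

if __name__ == "__main__":
    for key, n in summarize(parse_failures(SAMPLE)).most_common():
        print(n, key)
```

When reading a real log file, open it with `errors="surrogateescape"` so undecodable SPI bytes survive to the hex-encoding step.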


 
