SRX100 system too slow AND ipsec VPN with errrors.
monchito last edited by
Hi all, this srx100 get too slow, it see it in ssh connection and doing ping to internet.
The user complian when have to connect to vpn, i thinks that is fail because of the slow system.
VPN logs (kmd-logs)
64.64.226] Apr 4 17:39:24 srx100 kmd: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=^L^FM-^HW�*v�6�^OOfM-^QcM-^_, src_ip=<none>, dst_ip=x.x.x.x] Apr 4 17:39:24 srx100 kmd: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=fcad3ff9, src_ip=y.y.y.y, dst_ip=x.x.x.x] Apr 4 17:39:24 srx100 kmd: IKE Phase-2: Negotiations failed. Local gateway: x.x.x.x, Remote gateway: x.x.x.x</none>
root@srx100% df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s2a 293M 138M 132M 51% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 368M 368M 0B 100% /junos
/cf 293M 138M 132M 51% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/bo0s3e 24M 46K 22M 0% /config
/dev/bo0s3f 342M 10M 305M 3% /cf/var
/dev/md1 84M 15M 62M 20% /mfs
/cf/var/jail 342M 10M 305M 3% /jail/var
/cf/var/log 342M 10M 305M 3% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev
/dev/md2 1.8M 116K 1.6M 7% /jail/mfs
i see flowd_octeon too high
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
1265 root 4 76 0 199M 37108K select 0 276:57 118.75% flowd_octeon
1251 root 1 139 0 3288K 2052K RUN 0 144:52 57.86% ntpd
1002 root 1 76 0 12608K 4376K select 0 0:57 0.00% eventd
1289 root 1 76 0 12296K 5396K select 0 0:53 0.00% license-check
1301 nobody 6 81 0 28056K 15112K ucondt 0 0:48 0.00% httpd
1254 root 1 76 0 27784K 9456K select 0 0:40 0.00% mib2d
1256 root 1 76 0 20212K 7812K select 0 0:37 0.00% l2ald
1275 root 1 76 0 15532K 3084K select 0 0:27 0.00% shm-rtsdbd
**show chassis routing-engine**
Routing Engine status:
Temperature 52 degrees C / 125 degrees F
Total memory 512 MB Max 415 MB used ( 81 percent)
Control plane memory 336 MB Max 316 MB used ( 94 percent)
Data plane memory 176 MB Max 100 MB used ( 57 percent)
User 23 percent
Background 0 percent
Kernel 76 percent
Interrupt 1 percent
Idle 0 percent
Serial ID AT0610AF0162
Start time 2017-04-04 14:48:46 ART
Uptime 3 hours, 52 minutes, 1 second
Last reboot reason 0x1:power cycle/failure
Load averages: 1 minute 5 minute 15 minute
2.18 2.11 2.04
What you think? there is a resource problem? How can i solved it? Thanks! Monchito**
glm07 last edited by
Previous reply from josh is valid, and it is a recommendation to always have tcp mss value set on BOTH VPN peers however it has nothing to do with slowness “doing ping to Internet”.
Flowd running “High” is completely normal and you do not need to worry about it is the daemon in charge of all traffic processing on the device, it is completely expected. What I do see running High is ntpd, you can try by restarting that process from shell (let me know if you do not know how to do it).
Finally, there is a big problem with CPU utilization on the Control Plane (RE), Idle percentage on 0 is definitely the cause of the slowness.
Please attach the output of the following commands:
show | display set | match traceoptions
show | display set | match sampling
show | display set | match session-init
show | display set | match session-close
If you can also attach the config would be nice.
joshua.tres last edited by
What kind of phase 2 encryption are you using?
Did you check the tcp-mss settings?