Netscreen-50 Actual Throughput

We're running a Netscreen-50 Advanced with 5.4.0r13.0 firmware.  According to Juniper's datasheet, the "Firewall performance" is listed as 170 Mbps with "3DES + SHA1 performance" of 45 Mbps (which I'm assuming is VPN).

In our environment running 1:1 NAT, we cannot get more than about 40-45 Mbps throughput for standard (non-VPN) traffic.  So we built a lab network to experiment.

In the lab we tested 2 machines, as follows:

First we directly connected each machine's Fast-E interface to a switch, and addressed both hosts in the subnet.  (directly connected network)  FTP was used for transfers.  Speed tests show data transfers sustained at nearly 95 Mbps between them.  This proves the machines are capable of talking at full Fast-E speeds.

Next we put the NS-50 between them to simulate a Trust / Untrust scenario.  One host was put on Netscreen E1 "trust" interface, and the other was put on E4 "untrust".  Proper subnetting was done, a mapped IP (MIP) was created for the server to simulate our production NAT setup, and a policy was created to allow the "untrust" host to access the "trust" host for the specified service.

The NS-50 could not pass traffic any faster than 48 Mbps maximum.  Just 1 host downloading a large binary file from the other via FTP.  CPU of the NS-50 was under 30% during the tests.  I swapped this NS-50 with another spare NS-50, uploaded the config and re-tested.  Same exact result.  Neither NS-50 could achieve any more than upper 40's Mbps.

That is less than 30% of the performance Juniper claims.  Is this REALLY the upper limit on Netscreen-50 devices?
EcomproAuthor Commented:
Closing due to lack of response.
Very tiny font at the bottom of the Netscreen 50 datasheet:

(1) Performance, capacity and features listed are based upon the Advanced feature set running ScreenOS 5.1.0 and may vary with other ScreenOS releases. The Baseline model licensing option provides a subset of features as described in the table below. Actual throughput for Advanced and Baseline products may vary based upon packet size and enabled features.

| Maximum Performance and Capacity(2) | Juniper Networks NetScreen-25(1) | Juniper Networks NetScreen-50(1) |
|---|---|---|
| Firewall performance | 100 Mbps | 170 Mbps |
| 3DES performance | 20 Mbps | 45 Mbps |
| Deep Inspection performance | 75 Mbps | 75 Mbps |
| Concurrent sessions | 32,000 | 64,000 |
| New sessions/second | 4,000 | 5,000 |
| Policies | 500 | 1,000 |
| Interfaces | 4 10/100 Base-T | 4 10/100 Base-T |

So what features are turned on?
And is your packet size greater than 1500? That might cause some problems.
EcomproAuthor Commented:
We're using no features, other than NAT.  

Standard packet size (MTU 1500) over standard Fast Ethernet.
No D.I.
No traffic shaping.
And (in the lab) just 1 rule to allow FTP.

I tested using a very minimally configured device, because I was interested in peak speeds with all the bells and whistles turned OFF.

EcomproAuthor Commented:
With all the Netscreen-25/50 units in production for so many years, I was really hoping there are other users who can comment on their experiences on throughput.

I re-ran the tests again and watched the CPU, which never went over 18%.  So I know the unit is not resource-bound in that regard.

Surely there must be SOME reason why a Netscreen-50 can't get above the 40-Mbps range on a device with a single rule (permit FTP) and a single stream of data coming in one port and exiting the other.
