Solved

Traffic Across Juniper Router So SLOW!

Posted on 2012-04-02
8
1,554 Views
Last Modified: 2013-05-13
The graphic attached does a good job of explaining my issue.  We have a Juniper SSG5 router segregating our networks, but occasionally we need to copy files from Zone 3 to Zone 1 (our main Trust Zone) -- see the graphic to tell where the zones are.  Notice the Trust Zone is 3 Ethernet ports configured as a "BGroup" or "Bridge Group", which is Juniper-speak for them acting like a Layer 2 switch.  When we attempt this copy, it consistently copies across at around 64Kbps, which is extremely slow.  We have a mixed switch environment, but I narrowed the issue down to the Juniper by using two laptops as shown in the image; when both are on ports in the same BGroup0, file copies fly.  But when the only thing I change is moving one laptop to the last port, my speed drops drastically.

We have no traffic shaping of any kind set.  The only firewall policies are to let any service travel between the two zones (e.g. Permit ANY ANY).  The zones are part of the same virtual router, so the one big difference between file copies is that traffic is fast when it's only switched, but when it's slow it's actually being routed, and they are on different subnets [192.168.16.x vs 10.2.2.x].  But it shouldn't be that slow!

I'm not sure what else to let you know; I've scoured the Juniper web config and almost anything to do with traffic shaping or priority or Class-Of-Service is all disabled.  I tested enabling it and raising priority for Zone 3 traffic but it didn't help at all.  This is driving me crazy.  Any helpful suggestions are appreciated.

EDIT: Also, I've tried with the Juniper port settings at Auto-Negotiate and also manually at 100Mb/Full-Duplex, but neither had an effect.

Description of Juniper networking issue
0
Question by:netjon
8 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
It's a long shot, but have you tried removing eth0/4 from bg0, and instead making that zone 3, then making eth0/6 part of bg0? There might be a problem with the port. It's rare, but not unheard of.
0
 
LVL 32

Expert Comment

by:dpk_wal
It should not be that slow.

Post sanitized config of your zone, interfaces and security configuration.

Thank you.
0
 

Author Comment

by:netjon
I made a new Broadcast Group, BGroup1, and assigned it ports Eth0/4 (taken away from BGroup0) and Eth0/6.  I assigned BGroup1 to Zone 3.  So now it had the same settings, but using a different physical port, and traffic still goes through at 64Kbps.  So that wasn't it.

I am now attaching my config file.  By "sanitized" I assume you mean cleaning it up to not reveal my WAN IPs and open ports, which is smart.  I replaced my WAN's 1st three octets with "1.2.3" and domain with "example.com," among other fixes.

EDIT: Updated the config file.  The one I posted originally was the saved config, not the current running config with recent changes.
Juniper-cfg.txt
0
 
LVL 32

Expert Comment

by:dpk_wal
There are no screen options, zone/policy configuration, interface-specific or NAT configuration which would bring the speed down this much.

From configuration point of view things look fine.

I would suggest you contact JTAC, as they would be able to troubleshoot live on the box and possibly come up with a reason for the slow speed.

Thank you.
0
 
LVL 17

Expert Comment

by:TimotiSt
The config file starts to look a bit messy to me. It refers to BGroup2, which does not exist, and you have PMTU discovery enabled on a BGroup port...
Do you run the latest-greatest ScreenOS version? Any reference to this kind of problem in the release notes?

Tamas
0
 

Accepted Solution

by:
netjon earned 0 total points
We had upgraded the ScreenOS to the latest firmware, and even tried a replacement Juniper of the same model, and it didn't work.

However, what DID work, for some strange reason, was assigning a static IP route to the computer in Zone 3 along the lines of:  

ROUTE ADD 192.168.0.0 MASK 255.255.0.0 10.2.2.1 METRIC 2 


I had to explicitly tell the PC that the 192.168.x.x subnets were through the Juniper, even though it already had a default route set to go there anyway for all addresses that weren't 10.2.2.x.

And it's also strange because we know it found the destination PC before, and even established a TCP connection, it just copied over at a much slower speed than it should have for some reason.

I'm guessing this is a Windows Networking quirk?  Because it doesn't make sense from a Layer 3 Networking perspective.

Hopefully this answer helps someone in the future.
0
 

Author Closing Comment

by:netjon
I stumbled upon the solution myself, although I'd still enjoy hearing an explanation from an expert on WHY it worked.
0
 

Author Comment

by:netjon
A year later, after reviving my EE account, I find my old thread.  My future self will now provide the enlightened response my past self desperately needed:

LOOK AT THE GATEWAY IP'S YOU MORON!  Also, you should lose some weight!

The Router gateway was 10.2.2.7, not 10.2.2.1.  10.2.2.1 is the IP of the top-most switch in the 10.2.x.x network.  Before I worked here, people were assigning out 10.2.2.1 as the default gateway for many devices on that network.  I did not pick up on that mistake before.

P.S. I did lose a bunch of weight since last year.  :)
0
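
Added example (not part of the original thread): a small Python check that parses the IPv4 table from Windows `route print` and lists every route whose next hop is not the expected router, which is the mismatch the last comment describes (10.2.2.1 handed out as gateway while the router was 10.2.2.7). The sample output and the host address 10.2.2.50 are constructed for illustration.

```python
import ipaddress
import re

EXPECTED_ROUTER = "10.2.2.7"  # router address named in the thread's final comment

# Constructed sample of the IPv4 section of `route print` on a Zone 3 PC.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.2.2.1        10.2.2.50     10
         10.2.2.0    255.255.255.0         On-link         10.2.2.50    266
      192.168.0.0      255.255.0.0         10.2.2.1        10.2.2.50      2
===========================================================================
"""

# destination, netmask, gateway (IP or "On-link"), interface, metric
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, IPv6 and persistent-route rows
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def audit_next_hops(text, expected_router):
    """List routes whose next hop is a gateway other than the expected router."""
    findings = []
    for net, gw, _iface, _metric in parse_routes(text):
        if gw == "On-link":
            continue  # directly connected, no next hop to check
        if gw != expected_router:
            kind = "default route" if net.prefixlen == 0 else "specific route"
            findings.append((kind, str(net), gw))
    return findings

if __name__ == "__main__":
    for kind, net, gw in audit_next_hops(SAMPLE_ROUTE_PRINT, EXPECTED_ROUTER):
        print(f"{kind} {net}: next hop {gw}, expected {EXPECTED_ROUTER}")
```

On a real host, feed it the captured output of `route print -4` instead of the sample.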
