Solved

Traffic Across Juniper Router So SLOW!

Posted on 2012-04-02
Last Modified: 2013-05-13
The graphic attached does a good job of explaining my issue. We have a Juniper SSG5 router segregating our networks, but occasionally we need to copy files from Zone 3 to Zone 1 (our main Trust Zone) -- see the graphic to tell where the zones are. Notice the Trust Zone is 3 Ethernet ports configured as a "BGroup" or "Bridge Group", which is Juniper-speak for them acting like a Layer 2 switch. When we attempt this copy, it consistently copies across at around 64Kbps, which is extremely slow. We have a mixed switch environment, but I narrowed the issue down to the Juniper by using two laptops as shown in the image: when both are on ports in the same BGroup0, file copies fly. But when the only thing I change is moving one laptop to the last port, my speed drops drastically.

We have no traffic shaping of any kind set.  The only firewall policies are to let any service travel between the two zones (e.g. Permit ANY ANY).  The zones are part of the same virtual router, so the one big difference between file copies is that traffic is fast when it's only switched, but when it's slow it's actually being routed, and they are on different subnets [192.168.16.x vs 10.2.2.x].  But it shouldn't be that slow!

I'm not sure what else to let you know; I've scoured the Juniper web config and almost anything to do with traffic shaping or priority or Class-Of-Service is all disabled.  I tested enabling it and raising priority for Zone 3 traffic but it didn't help at all.  This is driving me crazy.  Any helpful suggestions are appreciated.

EDIT: Also, I've tried with the Juniper port settings at Auto-Negotiate and also manually at 100Mb/Full-Duplex, but neither had an effect.

Description of Juniper networking issue
Question by:netjon
8 Comments
 

Expert Comment

by:Sanga Collins
ID: 37799276
It's a long shot, but have you tried removing eth0/4 from bg0, and instead making that zone 3, then making eth0/6 part of bg0? There might be a problem with the port. It's rare, but not unheard of.

Expert Comment

by:dpk_wal
ID: 37799281
It should not be that slow.

Post sanitized config of your zone, interfaces and security configuration.

Thank you.

Author Comment

by:netjon
ID: 37803299
I made a new Broadcast Group, BGroup1, and assigned it ports Eth0/4 (taken away from BGroup0) and Eth0/6.  I assigned BGroup1 to Zone 3.  So now it had the same settings, but using a different physical port, and traffic still goes through at 64Kbps.  So that wasn't it.

I am now attaching my config file.  By "sanitized" I assume you mean cleaning it up to not reveal my WAN IPs and open ports, which is smart.  I replaced my WAN's 1st three octets with "1.2.3" and domain with "example.com," among other fixes.

EDIT: Updated the config file.  The one I posted originally was the saved config, not the current running config with recent changes.
Juniper-cfg.txt

Expert Comment

by:dpk_wal
ID: 37804473
There are no screen options, zone/policy configuration, interface-specific or NAT configuration which would bring the speed down this much.

From a configuration point of view things look fine.

I would suggest you contact JTAC as they would be able to troubleshoot live on the box and possibly come up with a reason for the slow speed.

Thank you.

Expert Comment

by:TimotiSt
ID: 37835359
The config file starts to look a bit messy to me. It refers to BGroup2, which does not exist, and you have PMTU discovery enabled on a BGroup port...
Do you run the latest-greatest ScreenOS version? Any reference to this kind of problem in the release notes?

Tamas

Accepted Solution

by:netjon
ID: 37842806
We had upgraded the ScreenOS to the latest firmware, and even tried a replacement Juniper of the same model, and it didn't work.

However, what DID work, for some strange reason, was assigning a static IP route to the computer in Zone 3 along the lines of:  

ROUTE ADD 192.168.0.0 MASK 255.255.0.0 10.2.2.1 METRIC 2 


I had to explicitly tell the PC that the 192.168.x.x subnets were through the Juniper, even though it already had a default route set to go there anyway for all addresses that weren't 10.2.2.x.

And it's also strange because we know it found the destination PC before, and even established a TCP connection, it just copied over at a much slower speed than it should have for some reason.

I'm guessing this is a Windows Networking quirk?  Because it doesn't make sense from a Layer 3 Networking perspective.

Hopefully this answer helps someone in the future.

Author Closing Comment

by:netjon
ID: 37859687
I stumbled upon the solution myself, although I'd still enjoy hearing an explanation from an expert on WHY it worked.

Author Comment

by:netjon
ID: 39161798
A year later, after reviving my EE account, I find my old thread.  My future self will now provide the enlightened response my past self desperately needed:

LOOK AT THE GATEWAY IP'S YOU MORON!  Also, you should lose some weight!

The Router gateway was 10.2.2.7, not 10.2.2.1.  10.2.2.1 is the IP of the top-most switch in the 10.2.x.x network.  Before I worked here, people were assigning out 10.2.2.1 as the default gateway for many devices on that network.  I did not pick up on that mistake before.

P.S. I did lose a bunch of weight since last year.  :)
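
An added example, not part of the thread: a small gateway audit that resolves each host's next hop by longest-prefix match, which shows how a more specific static route takes precedence over a wrong default gateway. The host names, route tables and the static route's next hop (10.2.2.7) are constructed assumptions based on the final comment.

```python
import ipaddress

# Constructed sample data (not taken from the thread's config file).
# Each route is (destination prefix, next hop, metric).
EXPECTED_ROUTER = "10.2.2.7"  # Juniper gateway address, per the final comment
HOSTS = {
    "pc-default-only": [
        ("0.0.0.0/0", "10.2.2.1", 1),       # default gateway handed out by mistake
        ("10.2.2.0/24", "on-link", 1),
    ],
    "pc-with-static": [
        ("0.0.0.0/0", "10.2.2.1", 1),
        ("10.2.2.0/24", "on-link", 1),
        ("192.168.0.0/16", "10.2.2.7", 2),  # assumed next hop of the static route
    ],
}


def next_hop(routes, destination):
    """Pick the next hop by longest-prefix match, lowest metric on ties."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for prefix, hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            # Negative prefix length so min() prefers the most specific route.
            candidates.append((-net.prefixlen, metric, hop))
    if not candidates:
        return None  # no route at all to this destination
    return min(candidates)[2]


def audit(hosts, destination, expected_router):
    """Return {host: (next hop, ok)}; ok means on-link or via the expected router."""
    results = {}
    for name, routes in hosts.items():
        hop = next_hop(routes, destination)
        results[name] = (hop, hop in (expected_router, "on-link"))
    return results


if __name__ == "__main__":
    for host, (hop, ok) in audit(HOSTS, "192.168.16.10", EXPECTED_ROUTER).items():
        status = "ok" if ok else "WRONG GATEWAY"
        print(f"{host}: 192.168.16.10 via {hop} [{status}]")
```
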