Traffic Across Juniper Router So SLOW!

The graphic attached does a good job of explaining my issue.  We have a Juniper SSG5 router segregating our networks, but occasionally we need to copy files from Zone 3 to Zone 1 (our main Trust Zone) -- see the graphic to tell where the zones are.  Notice the Trust Zone is 3 Ethernet ports configured as a "BGroup" or "Bridge Group", which is Juniper-speak for them acting like a Layer 2 switch.  When we attempt this copy, it consistently copies across at around 64Kbps, which is extremely slow.  We have a mixed switch environment, but I narrowed the issue down to the Juniper by using two laptops as shown in the image: when both are on ports in the same BGroup0, file copies fly.  But when the only thing I change is moving one laptop to the last port, my speed drops drastically.

We have no traffic shaping of any kind set.  The only firewall policies are to let any service travel between the two zones (e.g. Permit ANY ANY).  The zones are part of the same virtual router, so the one big difference between file copies is that traffic is fast when it's only switched, but when it's slow it's actually being routed, and they are on different subnets [192.168.16.x vs 10.2.2.x].  But it shouldn't be that slow!

I'm not sure what else to let you know; I've scoured the Juniper web config and almost anything to do with traffic shaping or priority or Class-Of-Service is all disabled.  I tested enabling it and raising priority for Zone 3 traffic but it didn't help at all.  This is driving me crazy.  Any helpful suggestions are appreciated.

EDIT: Also, I've tried with the Juniper port settings at Auto-Negotiate and also manually at 100Mb/Full-Duplex, but neither had an effect.

[Attached image: Description of Juniper networking issue]
netjonAsked:
Sanga CollinsSystems AdminCommented:
It's a long shot, but have you tried removing eth0/4 from bg0, and instead making that zone 3, then making eth0/6 part of bg0? There might be a problem with the port. It's rare, but not unheard of.
dpk_walCommented:
It should not be that slow.

Post sanitized config of your zone, interfaces and security configuration.

Thank you.
netjonAuthor Commented:
I made a new Broadcast Group, BGroup1, and assigned it ports Eth0/4 (taken away from BGroup0) and Eth0/6.  I assigned BGroup1 to Zone 3.  So now it had the same settings, but using a different physical port, and traffic still goes through at 64Kbps.  So that wasn't it.

I am now attaching my config file.  By "sanitized" I assume you mean cleaning it up to not reveal my WAN IPs and open ports, which is smart.  I replaced my WAN's 1st three octets with "1.2.3" and domain with "example.com," among other fixes.

EDIT: Updated the config file.  The one I posted originally was the saved config, not the current running config with recent changes.
Juniper-cfg.txt
dpk_walCommented:
There are no screen options, zone/policy configuration, interface-specific or NAT configuration which would bring the speed down this much.

From configuration point of view things look fine.

I would suggest you contact JTAC, as they would be able to troubleshoot live on the box and possibly come up with a reason for the slow speed.

Thank you.
TimotiStDatacenter TechnicianCommented:
The config file starts to look a bit messy to me. It refers to BGroup2, which does not exist, and you have PMTU discovery enabled on a BGroup port...
Do you run the latest-greatest Screenos version? Any reference to this kind of problem in the release notes?

Tamas
netjonAuthor Commented:
We had upgraded the ScreenOS to the latest firmware, and even tried a replacement Juniper of the same model, and it didn't work.

However, what DID work, for some strange reason, was assigning a static IP route to the computer in Zone 3 along the lines of:  

ROUTE ADD 192.168.0.0 MASK 255.255.0.0 10.2.2.1 METRIC 2 


I had to explicitly tell the PC that the 192.168.x.x subnets were through the Juniper, even though it already had a default route set to go there anyway for all addresses that weren't 10.2.2.x.

And it's also strange because we know it found the destination PC before, and even established a TCP connection; it just copied over at a much slower speed than it should have for some reason.

I'm guessing this is a Windows Networking quirk?  Because it doesn't make sense from a Layer 3 Networking perspective.

Hopefully this answer helps someone in the future.

netjonAuthor Commented:
I stumbled upon the solution myself, although I'd still enjoy hearing an explanation from an expert on WHY it worked.
netjonAuthor Commented:
A year later, after reviving my EE account, I find my old thread.  My future self will now provide the enlightened response my past self desperately needed:

LOOK AT THE GATEWAY IPs, YOU MORON!  Also, you should lose some weight!

The Router gateway was 10.2.2.7, not 10.2.2.1.  10.2.2.1 is the IP of the top-most switch in the 10.2.x.x network.  Before I worked here, people were assigning out 10.2.2.1 as the default gateway for many devices on that network.  I did not pick up on that mistake before.

P.S. I did lose a bunch of weight since last year.  :)
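The two fixes in this thread (the static ROUTE ADD for 192.168.0.0/16, and the later discovery that hosts had been handed the switch's address 10.2.2.1 as their default gateway instead of the Juniper at 10.2.2.7) both come down to which next hop a Windows host picks for a 192.168.x.x destination. The script below is an added example and is not from the thread or from Juniper: it parses a constructed `route print`-style IPv4 table, does the longest-prefix-match lookup a host performs (longest prefix wins, then lowest metric), and flags every route whose gateway is not the router you expect. The host address 10.2.2.50, the metrics and the table lines are constructed; 10.2.2.1 and 10.2.2.7 are the addresses named in the final comment.

```python
"""Route-table lookup and gateway check (added example; sample table is constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


# Constructed sample in the layout of the IPv4 section of Windows `route print`.
# The only off-box route is the default route, and it points at 10.2.2.1 (the
# switch, per the final comment), not at the Juniper at 10.2.2.7.
ROUTES_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.2.2.1       10.2.2.50      25
         10.2.2.0    255.255.255.0          On-link       10.2.2.50     281
"""

# Same table after adding a specific route for the 192.168.x.x subnets that
# names the Juniper as next hop (constructed; the thread's command used a
# different gateway address).
ROUTES_AFTER = ROUTES_BEFORE + (
    "      192.168.0.0      255.255.0.0         10.2.2.7       10.2.2.50       2\n"
)


def parse_route_print(text):
    """Parse lines of the form: destination netmask gateway interface metric.

    Header lines and directly connected ("On-link") routes are skipped, since
    only routes with a next-hop gateway matter for the gateway check.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, _iface, metric = parts
        if gateway == "On-link":
            continue
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, ipaddress.IPv4Address(gateway), int(metric)))
        except ValueError:
            continue  # not a route line (e.g. column headers)
    return routes


def next_hop(routes, destination):
    """Return the gateway a host would use: longest prefix first, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return str(best.gateway)


def gateway_mismatches(routes, expected_router):
    """List (network, gateway) pairs whose next hop is not the expected router."""
    expected = ipaddress.IPv4Address(expected_router)
    return [(str(r.network), str(r.gateway)) for r in routes if r.gateway != expected]


if __name__ == "__main__":
    before = parse_route_print(ROUTES_BEFORE)
    after = parse_route_print(ROUTES_AFTER)
    print("before fix, 192.168.16.5 via", next_hop(before, "192.168.16.5"))
    print("after fix,  192.168.16.5 via", next_hop(after, "192.168.16.5"))
    print("routes not pointing at the Juniper:", gateway_mismatches(after, "10.2.2.7"))
```

Running the gateway check against the real `route print` output of a host on the 10.2.2.x network would have shown the default route pointing at the switch straight away; the specific /16 route only masked that for the 192.168.x.x subnets while everything else kept going via 10.2.2.1.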