SRX packet limit

We are facing with an issue of after 500K pps SRX3600 start to give answers so late or dropping all packets
we need to find a few things
 
1. How should we see the pps capacity of current configuration
2. how should we detect if we reached the pps limits
3. What is the limit of pps of 40 byte packets with 1 spc and 1 npc
 
King regards
FireBallITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

harbor235Commented:
The SRC3600 is very capable, but, in general any firewall will have problems with relatively small packet sizes and connections per second, with these conditions performance goes way down.

Looks like the SRX3600 can only do 6Mbps of 64byte packets.

http://www.networkscreen.com/SRX3600.asp   (check specification tab)

http://www.juniper.net/us/en/local/pdf/datasheets/1000267-en.pdf

Does your network design include a router out front?  sounds like you are being DOS/DDOS'd

harbor235 -}
0
FireBallITAuthor Commented:
yes but we do not have capability of dropping based on packetlength.
does pps about the SPC or NPC ?
0
harbor235Commented:
Have you captured any packets? single source, multi source? IP address? udp, tcp, etc ...

Do you have a router in front of the SRX? You need to filter the packets via firewall filter before the SRX if possible.

You seen this:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/example/routing-stateless-firewall-filter-security-protect-against-tcp-and-icmp-flood-configuring.html

harbor235 ;}
0
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

FireBallITAuthor Commented:
Multi source - UDP - 38 byte - 112 TTL ....etc.
but the main problem is that how should we overcome this issue with firewall what do we need for it ?

Some type of attacks like ACK does not pass into policier or TTP protocols NTP protocol etc.
0
harbor235Commented:
Well for now block the attack that is happening, then use flow data to get a good picture of other attacks then refine your filters, continually monitor and update. Does your ISP have DDOS mitigation capabilities?

How many sources?

Do you have S/RTBH or FLOWSPEC available to drop packets in hardware before they are processed by the SRX?

Do you have a router in front of the SRX?

Are all packets ttl 112? you should be able to filter on that via a fw filter?

harbor235 ;}
0
FireBallITAuthor Commented:
main problem is SRX is nota able to any more packets while if we drop packets with filter rule
ack attacks does not create sessions
so session is not a problem
spc and npc cpu are very normal it is about %50
but any ioc does not accept any more packet after 550K pps
0
harbor235Commented:
You have been having problems for some time, I remember your other posts. Honestly it sounds like you need to get someone in there that can implement site protection/security best practices for you.


There is allot you can do, but it sounds like you have not implemented any of the other suggestions from previous posts.


I hope it all works out for you,

harbor235 ;}
0
FireBallITAuthor Commented:
https://www.youtube.com/watch?v=eEgFkBGh-Bs
https://www.youtube.com/watch?v=o6yZLtPhs20


check out this videos please. There is sth. really wrong. I have asked and applied what people say.
0
giltjrCommented:
Once again, the specs on the box are for a "fully" loaded box, that means 3 NPC's and 7 SPC, and taffic evenly loaded across multiple line cards that are distributed evenly across the NPC's and SPC's.

You have 1 NPC and 1 SPC.  Therefore you are never going to get close to the documented specs.

Have got your Juniper support contract issue cleared up?  Have you got Juniper involved yet?
0
FireBallITAuthor Commented:
yes dear giltjtr but as far as you know one one ioc can bind to only one npc , multiple iocs can bind to one npc but in our situation for every 200 mbit we need to balance traffic to an npc if it is not enough :) so this is so silly. i do not think npc is the problem
at the other side SPC cpu never come up to 70% so where is the problem i only look for this ?

in datasheets it says 15Gbps small packet firewall capacity ?? it is 70 times bigger then our tests :)  is this a full box or full cluster values :)
0
harbor235Commented:
Like I stated earlier, there are several things that can take down any firewall
            high connections per second - and they do not have to be complete sessions, could be just syns
            high small packets per second - as you can see it does not take much

That's why I keep asking if there is a router fronting this SRX, the way you are testing the SRX is not real
world. Static filters, BCP 84, spoofing filters, RFC1918 filters on the router, ...... and a sound network design that does not allow any outside source to direct packets directly to a network device, through yes, not to.

If all you are trying to do is stop DOS/DDOS then a firewall is not your best friend.

harbor235 ;}
0
FireBallITAuthor Commented:
dear harbor you are right but if you know perl it is very easy to build custom script
like
change packet size
change protocol
let the ip spoof or flood from udp
...etc.

so we actually want to block all packets except custom signatures . For example junos: teamspeak , teamspeak ip will only accept ts application headers so any other protocol packet etc will not be accepted.

I should block anormal sizes on router 58 byte udp 80 byte tcp and etc.

but i can not accept that. What is overfilling ?

Throughput ?
NPC  ?
SPC ?
Router engine ?
Session ?
....etc.

so we will design our network if NPC overfilling we need to balance the attack traffics to iocs.
if spc over filling we will design to block processes and try to get heavy blocks on to router.

no body giving me an answer what is the problem . every body talking about

it is fully covered device values
talk to jtac
...etc.


I only want to know what is the problem with this attack every thing seems fine. I could not say anything

SPC cpu is normal
NPC cpu is normal but strangely all IOCs dropping packets.
Flows are under the limits for 1 spc
Routing engine is normal

on freebsd side it seems no dropped packet, no error on interfaces

where do i need to look for solution  ? what is the problem ? i only ask that.

If it is a throughput issue how should i check  ? and what i need to improve ?

question so easy
0
giltjrCommented:
@ harbor235

The problem he has reported in the other dozen or so questions about SRX this the attack is a UDP flood attack.  And as he has posted here, 500K pps.  If I remember right started off with the SRX basically stopping all processing with under 100K pps.  After implementing some (maybe all) of the recommendations he is now having problem once he gets to 500K pps.  Which if I remember right based on the NPC/SPC specs is about the best he can get with one of each.

@Cahit Eyigunlu

You are correct, a single IOC can only talk to one NPC.  Multiple IOC, can be bonded to a single NPC.   The NPC will forward traffic as required to a SPC for processing.

--> "in datasheets it says 15Gbps small packet firewall capacity ?? it is 70 times bigger then our tests :)  is this a full box or full cluster values :) "

That is a single  fully loaded SRX3600, meaning 3 NPC's and 7 SPC's.   IIRC  the physical connection paths are:

      IOCs <--- 10 Gbps ---> NPC <--- 10 Gbps --- > SPC

Since you can only have 3 NPC's you are limited to 30 Gbps of firewall throughput.    The NPC and SPC do different processing.  I believe that SOME filtering is done in the NPC, but the firewall and IDP processing is done in the SPC.   When you have a single SPC, you don't get the "full" performance because there is other processing done by the SPC.  If you have 2 SPC's I believe you get the full use of the 2nd SPC.

Again, although there are quite a few people on EE that can help, Juniper support is the place that can help you the most.  That is why you get support contracts.
0
FireBallITAuthor Commented:
dear giltjr i have send you a private message  please just check
./ack112 192.168.1.95 80

i am not aware of why it is dropping packets while datashets bla bla bla

i just want to know why it is dropping packets that is all what is the exact problem on small pps and why
0
giltjrCommented:
Based on this:

http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/session-based-processing-for-srx3000-line-overview.html

Since you have a single SPC it is running in "combo" mode, which based on the way I am interpreting this means that 1/2 of it processing is used for CP usage and 1/2 for "normal SPC" (IDS and firewall) functions.  This would drastically reduce the throughput you might expect to get.

I guess we have a different definition of "small."  To me 500,000 packets per second is not small.

Again, the specs published are based on a 3 NPC's and 7 SPC's.  The ONLY way you can find out what it should do with 1 NPC and 1 SPC is to get hold of Juniper.  They are THE experts on their hardware.    Your current situation is exactly why when purchasing hardware you need to engage a pre-sales engineer.

The experts here could tweak and tune forever, if 1 NPC and 1 SPC can't handle the load, it can't handle it.  The way to find that out is to get hold of Juniper.

May I as why you see so resistant to contacting Juniper?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FireBallITAuthor Commented:
we are waiting for device assignment more then 15 days

sc
I have found sth. Strange :


GOT: Q# P      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: -- - ----------- ----------- ----------- ----------- --- --------
GOT: 0  0   369384137   227541116           0    20840193 225585   411278
GOT: 1  1      186857    15673120           0           0   0        0
GOT: 2  2           0           0           0           0   0        0
GOT: 3  3           0           0           0           0   0        0
GOT: 4  4           0           0           0           0   0        0
GOT: 5  5           0           0           0           0   0        0
GOT: 6  6           0           0           0           0   0        0
GOT: 7  7           0           0           0           0   0        0


GOT: PFE Local Traffic statistics:
GOT:      453238 local packets input
GOT:        8062 local packets output
GOT:           0 software input control high drops
GOT:           0 software input high drops
GOT:         196 software input medium drops
GOT:           0 software input low drops
GOT:           0 software output drops
GOT:  1887420090 hardware input drops

Open in new window



.... fpc12.pic0 command "show pfe stati traf" | no-more
SENT: Ukern command: show pfe stati traf
GOT:
GOT: PFE Traffic statistics:
GOT:            1519267782 packets input  (411687 packets/sec)
GOT:                   489 packets output (0 packets/sec)
GOT:
GOT: PFE Local Traffic statistics:
GOT:      453238 local packets input
GOT:        8062 local packets output
GOT:           0 software input control high drops
GOT:           0 software input high drops
GOT:         196 software input medium drops
GOT:           0 software input low drops
GOT:           0 software output drops
GOT:  1887420090 hardware input drops
GOT:           0 Notification/control packet drops in ISR
GOT:
GOT: PFE Local Protocol statistics:
GOT:           0 hdlc keepalives
GOT:           0 atm oam
GOT:           0 fr lmi
GOT:           0 ppp lcp/ncp
GOT:           0 ospf hello
GOT:           0 ospf3 hello
GOT:           0 rsvp hello
GOT:           0 ldp hello
GOT:           0 bfd
GOT:           0 isis iih
GOT:           0 lacp
GOT:      442993 arp
GOT:           0 ether oam
GOT:           0 synce
GOT:           0 unknown
GOT:
GOT: PFE Hardware Discard statistics:
GOT:                     0 timeout
GOT:                     0 truncated key
GOT:                     0 bits to test
GOT:                     0 data error
GOT:                     0 stack underflow
GOT:                     0 stack overflow
GOT:                 20999 regular discard
GOT:            1972432109 extended/illegal nexthop discard
GOT:                     0 invalid iif
GOT:                     0 info cell drops
GOT:                     0 input drops
GOT:                     0 fabric drops
GOT:                     0 aged packets
GOT:
GOT:
GOT: PFE Input IPv4 Header Checksum Error and Output MTU Error statistics:
GOT:                     0 IPv4 header checksum error
GOT:                     0 MTU error
LOCAL: End of file


Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                xxxxxxxxxxxx      SRX 3600
Midplane         REV 07   710-020310   xxxxxxxxxxxx          SRX 3600 Midplane
PEM 0            rev 08   740-027644   xxxxxxxxxxxx     AC Power Supply
PEM 1            rev 08   740-027644   xxxxxxxxxxxx     AC Power Supply
CB 0             REV 14   750-021914   xxxxxxxxxxxx          SRX3k RE-12-10
  Routing Engine          BUILTIN      BUILTIN           Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 08   710-021035   xxxxxxxxxxxx          SRX HD Mezzanine Card
FPC 0            REV 16   750-021882   xxxxxxxxxxxx          SRX3k SFB 12GE
  PIC 0                   BUILTIN      BUILTIN           8x 1GE-TX 4x 1GE-SFP
FPC 1            REV 20   750-020321   xxxxxxxxxxxx          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     xxxxxxxxxxxx         XFP-10G-SR
    Xcvr 1                NON-JNPR     xxxxxxxxxxxx         XFP-10G-SR
FPC 4            REV 14   750-020321   xxxxxxxxxxxx          SRX3k 2x10GE XFP
  PIC 0                   BUILTIN      BUILTIN           2x 10GE-XFP
    Xcvr 0                NON-JNPR     xxxxxxxxxxxx         XFP-10G-SR
    Xcvr 1                NON-JNPR     xxxxxxxxxxxx         XFP-10G-SR
FPC 10           REV 19   750-017866   xxxxxxxxxxxx          SRX3k NPC
  PIC 0                   BUILTIN      BUILTIN           NPC PIC
FPC 12           REV 13   750-016077   xxxxxxxxxxxx          SRX3k SPC
  PIC 0                   BUILTIN      BUILTIN           SPU Cp-Flow
Fan Tray 0       REV 06   750-021599   xxxxxxxxxxxx          SRX 3600 Fan Tray

Open in new window



root@srx3600.spd.net.tr> ...np tnp-name cpp0 command "show datapath all"
SENT: Ukern command: show datapath all
GOT:
GOT:
GOT: Datapath diagram:
GOT: card: +----- IOC -----+      +--------- NPC --------+      +---- SPC ---+
GOT: dev:     bcm   inverell  SF  newcastle eznp newcastle  SF  swanhill   xlr
GOT: link: ge/xe higi   upoh hsl2 upoh   spi4  spi4   upoh hsl2 upoh   spi4
GOT:
GOT: Datapath fpga version:
GOT: card:   fpga_name   fpga_ver  jspec_ver  match
GOT: ----- ----------- ---------- ---------- ------
GOT: ioc0    inverell0 0x50010179 0x50010179    YES
GOT: ioc1    inverell1 0x50010179 0x50010179    YES
GOT: ioc4    inverell4 0x50010179 0x50010179    YES
GOT: npc10 newcastle10 0x0003000b 0x0003000b    YES
GOT: spc12  swanhill12 0x0102007f 0x0102007f    YES
GOT:
GOT: Datapath fpga sysmon:
GOT:                 Temperature C        Vccint v        Vccaux v
GOT: fpga_name     min   now   max   min  now  max   min  now  max
GOT: ----------- ----- ----- -----  ---- ---- ----  ---- ---- ----
GOT: inverell0   53.65 58.08 58.08  0.98 0.98 0.98  2.50 2.50 2.50
GOT: inverell1   33.96 39.87 40.36  1.00 1.00 1.00  2.50 2.50 2.50
GOT: inverell4   34.45 43.80 44.30  0.98 0.98 0.98  2.50 2.50 2.50
GOT: newcastle10 41.83 47.74 48.23  0.99 0.99 1.00  2.50 2.50 2.50
GOT: swanhill12  44.30 50.20 50.20  0.98 0.98 0.98  2.50 2.50 2.50
GOT:
GOT: Datapath fpga error:
GOT:
GOT: Datapath mapping:
GOT: IOC PIC  NP  NPC
GOT: === ===  === ===
GOT:   0   0    0  10
GOT:   1   0    0  10
GOT:   4   0    0  10
GOT:
GOT: Datapath link and counters:
GOT:
GOT: === ioc0 (IOC Fabric IO) ==============================================
GOT:
GOT: ioc0, inverell0, link status:
GOT: ioc0, HSL2 Rx: Up
GOT: ioc0, HSL2 Tx: Up
GOT: IOC0 HIGIG, XAUI aligned & in sync
GOT: IOC slot 0 BCM565XX summary
GOT: Port       RxPkt      RxByte      RxDrop       TxPkt      TxByte       TxErr Link
GOT: ---- ----------- ----------- ----------- ----------- ----------- ----------- ----
GOT:    0           0           0           0           0           0           0 DOWN
GOT:    1   389674054 25719087817        3750        3495      383168           0   UP
GOT:    2           0           0           0           0           0           0 DOWN
GOT:    3           0           0           0           0           0           0 DOWN
GOT:    4           0           0           0           0           0           0 DOWN
GOT:    5           0           0           0           0           0           0 DOWN
GOT:    6           0           0           0           0           0           0 DOWN
GOT:    7           0           0           0           0           0           0 DOWN
GOT:    8           0           0           0           0           0           0 DOWN
GOT:    9           0           0           0           0           0           0 DOWN
GOT:   10           0           0           0           0           0           0 DOWN
GOT:   11           0           0           0           0           0           0 DOWN
GOT:  HiG0        3496      425198           0   389683349 30395894410           0   UP
GOT:                               -- CoS0 --   390112184
GOT:                               -- CoS1 --           0
GOT:                               -- CoS2 --           0
GOT:                               -- CoS3 --           0
GOT:                               -- CoS4 --           0
GOT:                               -- CoS5 --           0
GOT:                               -- CoS6 --           0
GOT:                               -- CoS7 --       86249
GOT:
GOT: IOC slot 0 BCM565XX pkt counter details
GOT: Port      RxGood     RxPause      TxGood     TxPause
GOT: ---- ----------- ----------- ----------- -----------
GOT:    1   389674164           0        3495           0
GOT:  HiG0        3496           0   389683285           0
GOT:
GOT: IOC slot 0 BCM565XX MAC addresses
GOT: Port         MAC          Extended-MAC
GOT: ---- ----------------- -----------------
GOT:    0 b0:c6:9a:02:d8:00
GOT:    1 b0:c6:9a:02:d8:01
GOT:    2 b0:c6:9a:02:d8:02
GOT:    3 b0:c6:9a:02:d8:03
GOT:    4 b0:c6:9a:02:d8:04
GOT:    5 b0:c6:9a:02:d8:05
GOT:    6 b0:c6:9a:02:db:f0
GOT:    7 b0:c6:9a:02:db:f0
GOT:    8 b0:c6:9a:02:d8:08
GOT:    9 b0:c6:9a:02:d8:09
GOT:   10 b0:c6:9a:02:d8:0a
GOT:   11 b0:c6:9a:02:d8:0b
GOT:
GOT: ioc0, inverell0, hi-giga counters:
GOT: HG.STATS.RX         =   390198748
GOT: HG.STATS.RXBYTE     = 30436086556
GOT: HG.STATS.RXCRC      =           0
GOT: HG.STATS.RXSYNCLOSS =           5
GOT: HG.STATS.TX         =        3497
GOT: HG.STATS.TXPAUSE    =           0
GOT: HG.STATS.TXBYTE     =      441768
GOT:
GOT: === IOC0 -> NPC10i: inverell0, upoh fo counters:
GOT: Dest   Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: NPC10i   L   390112796   780232522           0
GOT: NPC10i   H       86249      172498           0
GOT:
GOT: === NPC10i -> IOC0: inverell0, upoh fi counters:
GOT: Src    Port   PacketCnt    DataCell   ErrPktCnt
GOT: ------ ---- ----------- ----------- -----------
GOT: NPC10i    0           0           0           0
GOT: NPC10i    1        3497        8469           0
GOT: NPC10i    2           0           0           0
GOT: NPC10i    3           0           0           0
GOT: NPC10i    4           0           0           0
GOT: NPC10i    5           0           0           0
GOT: NPC10i    6           0           0           0
GOT: NPC10i    7           0           0           0
GOT: NPC10i    8           0           0           0
GOT: NPC10i    9           0           0           0
GOT: NPC10i   10           0           0           0
GOT: NPC10i   11           0           0           0
GOT:
GOT: === ioc1 (IOC 2x10GE_XFP) ==============================================
GOT:
GOT: ioc1, inverell1, link status:
GOT: ioc1, HSL2 Rx: Up
GOT: ioc1, HSL2 Tx: Up
GOT: IOC1 HIGIG, XAUI aligned & in sync
GOT: IOC slot 1 BCM565XX summary
GOT: Port       RxPkt      RxByte      RxDrop       TxPkt      TxByte       TxErr Link
GOT: ---- ----------- ----------- ----------- ----------- ----------- ----------- ----
GOT:    0        2289      201490          36        1956      223172           0   UP
GOT:    1       95078     6730458        4692           0           0           0   UP
GOT:  HiG0        1956      246644           0       92639     7712258           0   UP
GOT:                               -- CoS0 --       12335
GOT:                               -- CoS1 --           0
GOT:                               -- CoS2 --           1
GOT:                               -- CoS3 --           0
GOT:                               -- CoS4 --           0
GOT:                               -- CoS5 --           0
GOT:                               -- CoS6 --           0
GOT:                               -- CoS7 --       80386
GOT:
GOT: IOC slot 1 BCM565XX pkt counter details
GOT: Port      RxGood     RxPause      TxGood     TxPause
GOT: ---- ----------- ----------- ----------- -----------
GOT:    0        2289           0        1956           0
GOT:    1       95078           0           0           0
GOT:  HiG0        1926           0       92639           0
GOT:
GOT: IOC slot 1 BCM565XX MAC addresses
GOT: Port         MAC          Extended-MAC
GOT: ---- ----------------- -----------------
GOT:    0 b0:c6:9a:02:d8:90
GOT:    1 b0:c6:9a:02:d8:91
GOT:
GOT: ioc1, inverell1, hi-giga counters:
GOT: HG.STATS.RX         =       92722
GOT: HG.STATS.RXBYTE     =     7718881
GOT: HG.STATS.RXCRC      =           0
GOT: HG.STATS.RXSYNCLOSS =           4
GOT: HG.STATS.TX         =        1957
GOT: HG.STATS.TXPAUSE    =           0
GOT: HG.STATS.TXBYTE     =      257920
GOT:
GOT: === IOC1 -> NPC10i: inverell1, upoh fo counters:
GOT: Dest   Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: NPC10i   L       12336       30266           0
GOT: NPC10i   H       80386      160772           0
GOT:
GOT: === NPC10i -> IOC1: inverell1, upoh fi counters:
GOT: Src    Port   PacketCnt    DataCell   ErrPktCnt
GOT: ------ ---- ----------- ----------- -----------
GOT: NPC10i    0        1957        4960           0
GOT: NPC10i    1           0           0           0
GOT:
GOT: === ioc4 (IOC 2x10GE_XFP) ==============================================
GOT:
GOT: ioc4, inverell4, link status:
GOT: ioc4, HSL2 Rx: Up
GOT: ioc4, HSL2 Tx: Up
GOT: IOC4 HIGIG, XAUI aligned & in sync
GOT: IOC slot 4 BCM565XX summary
GOT: Port       RxPkt      RxByte      RxDrop       TxPkt      TxByte       TxErr Link
GOT: ---- ----------- ----------- ----------- ----------- ----------- ----------- ----
GOT:    0           0           0           0           0           0           0 DOWN
GOT:    1           0           0           0           0           0           0 DOWN
GOT:  HiG0           0           0           0           0           0           0   UP
GOT:                               -- CoS0 --           0
GOT:                               -- CoS1 --           0
GOT:                               -- CoS2 --           0
GOT:                               -- CoS3 --           0
GOT:                               -- CoS4 --           0
GOT:                               -- CoS5 --           0
GOT:                               -- CoS6 --           0
GOT:                               -- CoS7 --           0
GOT:
GOT: IOC slot 4 BCM565XX pkt counter details
GOT: Port      RxGood     RxPause      TxGood     TxPause
GOT: ---- ----------- ----------- ----------- -----------
GOT:
GOT: IOC slot 4 BCM565XX MAC addresses
GOT: Port         MAC          Extended-MAC
GOT: ---- ----------------- -----------------
GOT:    0 b0:c6:9a:02:da:40
GOT:    1 b0:c6:9a:02:da:41
GOT:
GOT: ioc4, inverell4, hi-giga counters:
GOT: HG.STATS.RX         =           0
GOT: HG.STATS.RXBYTE     =           0
GOT: HG.STATS.RXCRC      =           0
GOT: HG.STATS.RXSYNCLOSS =           1
GOT: HG.STATS.TX         =           0
GOT: HG.STATS.TXPAUSE    =           0
GOT: HG.STATS.TXBYTE     =           0
GOT:
GOT: === IOC4 -> NPC10i: inverell4, upoh fo counters:
GOT: Dest   Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: NPC10i   L           0           0           0
GOT: NPC10i   H           0           0           0
GOT:
GOT: === NPC10i -> IOC4: inverell4, upoh fi counters:
GOT: Src    Port   PacketCnt    DataCell   ErrPktCnt
GOT: ------ ---- ----------- ----------- -----------
GOT: NPC10i    0           0           0           0
GOT: NPC10i    1           0           0           0
GOT:
GOT: === npc10 (NPC) ==============================================
GOT:
GOT: npc10, newcastle10, link status:
GOT: npc10, spc domain, HSL2 Rx: Up
GOT: npc10, spc domain, HSL2 Tx: Up
GOT: npc10, ioc domain, HSL2 Rx: Up
GOT: npc10, ioc domain, HSL2 Tx: Up
GOT: NPC10, spc domain, SPI-4 link UP
GOT: NPC10, ioc domain, SPI-4 link UP
GOT:
GOT: === IOCs -> NPC10i: newcastle10, ioc domain, upoh fi counters:
GOT: Src    Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: IOC0     L   390128613   780264161           0
GOT: IOC0     H       86250      172500           0
GOT: IOC1     L       12336       30266           0
GOT: IOC1     H       80387      160774           0
GOT: IOC4     L           0           0           0
GOT: IOC4     H           0           0           0
GOT:
GOT: === NPC10i -> IOCs: newcastle10, ioc domain, upoh fo counters:
GOT: Dest   port   PacketCnt    DataCell   ErrPktCnt
GOT: ------ ---- ----------- ----------- -----------
GOT: IOC0      0           0           0           0
GOT: IOC0      1        3497        8469           0
GOT: IOC0      2           0           0           0
GOT: IOC0      3           0           0           0
GOT: IOC0      4           0           0           0
GOT: IOC0      5           0           0           0
GOT: IOC0      6           0           0           0
GOT: IOC0      7           0           0           0
GOT: IOC0      8           0           0           0
GOT: IOC0      9           0           0           0
GOT: IOC0     10           0           0           0
GOT: IOC0     11           0           0           0
GOT: IOC1      0        1957        4960           0
GOT: IOC1      1           0           0           0
GOT: IOC4      0           0           0           0
GOT: IOC4      1           0           0           0
GOT:
GOT: === NPC10i, newcastle-ioc -> ez: newcastle10 ioc domain SPI-4 SRC counters:
GOT: IOC Pri chan     PktCnt    ByteCnt      BPCnt  ErrPktCnt DIP2ErrCnt
GOT: --- --- ---- ---------- ---------- ---------- ---------- ----------
GOT: 0     L    0  390129178 1539983424          0          0          0
GOT: 0     H    1      86250    5876868          0          0          0
GOT: 1     L    2      12336    1510797          0          0          0
GOT: 1     H    3      80387    5466376          0          0          0
GOT: 4     L    8          0          0          0          0          0
GOT: 4     H    9          0          0          0          0          0
GOT:
GOT: === NPC10i, ez -> newcastle-ioc: newcastle10 ioc domain SPI-4 SNK counters:
GOT: IOC Port chan     PktCnt    ByteCnt BPCnt L.Ch  ErrPktCnt DIP4ErrCnt
GOT: --- ---- ---- ---------- ---------- ---------- ---------- ----------
GOT: 0      0    0          0          0     0.   0          0          0
GOT: 0      1    1       3497          0     0.   0          0          0
GOT: 0      2    2          0          0     0.   0          0          0
GOT: 0      3    3          0          0     0.   0          0          0
GOT: 0      4    4          0          0     0.   0          0          0
GOT: 0      5    5          0          0     0.   0          0          0
GOT: 0      6    6          0          0     0.   0          0          0
GOT: 0      7    7          0          0     0.   0          0          0
GOT: 0      8    8          0          0     0.   0          0          0
GOT: 0      9    9          0          0     0.   0          0          0
GOT: 0     10   10          0          0     0.   0          0          0
GOT: 0     11   11          0          0     0.   0          0          0
GOT: 1      0   16       1957          0     0.   0          0          0
GOT: 1      1   17          0          0     0.   0          0          0
GOT: 4      0   64          0          0     0.   0          0          0
GOT: 4      1   65          0          0     0.   0          0          0
GOT:
GOT: === npc10, npez, link status(spi-a: ioc domain, spi-b: spc domain):
GOT: spi-a:0000000F    spi-b:0000000F
GOT: SPI-A sync status: all up
GOT: SPI-B sync status: all up
GOT:
GOT: === npc10, npez, counters:
GOT:  Channel #:  0
GOT: --------- NP ingress ---------
GOT: Received packets:   390372517
GOT:  Data packets:              390372517
GOT:  HA packets:                0
GOT:  NP bundle packets:         0
GOT: Forwarded packets:          390362389
GOT:  SF to CP/SPU pkts:         390362389
GOT:  SF to NP pkts:     0
GOT:  Line Intf packets:         0
GOT: Dropped packets:    10136
GOT: --------- NP egress ---------
GOT: Received packets:   16930
GOT:  Data+HA packets:   5454
GOT:  Message packets:   11476
GOT: Transmitted packets:        5454
GOT: Dropped packets:    0
GOT:
GOT: ********* NP debug *********
GOT: --- flow counters ---
GOT: RSV_SRCH_HIT_CNT                :               4000
GOT: RSV_FRAG_SRCH_HIT_CNT           :                  0
GOT: RSV_SRCH_MISS_CNT               :              13458
GOT: RSV_FRAG_SRCH_MISS_CNT          :                  0
GOT: RSV_FLOW_ADD_CNT                :               5795
GOT: RSV_FLOW_DEL_CNT                :               5681
GOT: PRS_FLOW_CNT                    :          390203431
GOT: PRS_V6_FLOW_CNT                 :                  0
GOT: PRS_NON_FLOW_CNT                :                  0
GOT: RSV_FRAG_SPU_PKT_CNT            :                  0
GOT: MDF_SESS_MISS_TO_SPU            :                  0
GOT: --- fast flow counters ---
GOT: RSV_LOW_LAT_FLOW_ADD_CNT        :                  0
GOT: RSV_LOW_LAT_FLOW_DEL_CNT        :                  0
GOT: RSV_LOW_LAT_FLOW_DUP_ADD_CNT    :                  0
GOT: RSV_LOW_LAT_FLOW_UPDATE_CNT     :                  0
GOT: RSV_LOW_LAT_NO_IFL_DROP_CNT     :                  0
GOT: RSV_LOW_LAT_FAST_FW_CNT         :                  0
GOT: RSV_LOW_LAT_SPU_FW_CNT          :                  0
GOT: MDF_FAST_FW_RCV_CNT             :                  0
GOT: MDF_FAST_FWD_RCV_FRAG_CNT       :                  0
GOT: MDF_FAST_FW_PACKET_CNT          :                  0
GOT: MDF_FAST_COPY_PACKET_CNT        :                  0
GOT: MDF_FAST_FW_X_NP_CNT            :                  0
GOT: PRS_LOW_LAT_ERR_RX_SLOT         :                  0
GOT: MDF_FAST_PREF_BUF_ERROR         :                  0
GOT: MDF_FAST_TCP_WIN_DROP_CNT       :                  0
GOT: MDF_FAST_FW_VSD_DROP_CNT        :                  0
GOT: MDF_FAST_FW_TTL_DROP_CNT        :                  0
GOT: --- screen counters ---
GOT: PRS_SCREEN_CNT                  :                  0
GOT: RSV_SCREEN_CNT                  :                  0
GOT: MDF_SCREEN_CNT                  :                  0
GOT: --- error counters ---
GOT: PRS_WRONG_DMAC_CNT              :                  0
GOT: PRS_EXCEED_MTU_CNT              :                  0
GOT: PRS_UN_SUPPORTED_PAK_CNT        :              10124
GOT: PRS_NO_IFL_CNT                  :                  0
GOT: PRS_NO_IFL_PASS_CNT             :                  0
GOT: PRS_NO_TOKEN_CNT                :                  0
GOT: PRS_SANITY_ERR_CNT              :                  0
GOT: PRS_HA_SANITY_ERR_CNT           :                  0
GOT: --- packet drop counters ---
GOT: RSV_DIRECT_DROP_CNT             :              10124
GOT: MDF_RX_DISCARD_CNT              :              10136
GOT: RSV_APPQOS_DROP_CNT             :                  0
GOT: PRS_INVALID_PKT_TYPE_CNT        :                  0
GOT: MDF_TX_DATA_DISCARD_CNT         :                  0
GOT: MDF_DROP_PACKET_CNT             :                  0
GOT: MDF_DROP_CTL_PAK_CNT            :                  0
GOT: --- packet type and fragmentation counters ---
GOT: PRS_NON_IP_CNT                  :             159217
GOT: PRS_NON_ETH_II_CNT              :               2362
GOT: PRS_L2_CNT                      :                  0
GOT: PRS_V4_CNT                      :          390203417
GOT: PRS_V6_CNT                      :               7762
GOT: PRS_V6_ICMP_CNT                 :                  0
GOT: PRS_V6_EXT_HOH_CNT              :                  0
GOT: PRS_V6_EXT_ROUTING_CNT          :                  0
GOT: PRS_V6_EXT_DSTOPT_CNT           :                  0
GOT: PRS_V6_EXT_FRAG_CNT             :                  0
GOT: PRS_FRAG_1ST_CNT                :                  0
GOT: PRS_FRAG_NON_1ST_CNT            :          390185814
GOT: RSV_FRAG_1ST_CNT                :                  0
GOT: RSV_FRAG_NON_1ST_CNT            :          390185822
GOT: RSV_FRAG_SESS_MATCH             :                  0
GOT: RSV_FRAG_SESS_MISS              :                  0
GOT: MDF_FRAG_CNT                    :          390185836
GOT: MDF_FRAG_MATCH                  :                  0
GOT: --- NP bundle counters ---
GOT: PRS_RCV_NP_MASTER_PACKET_CNT    :                  0
GOT: RSV_RCV_NP_MASTER_PACKET_CNT    :                  0
GOT: MDF_RCV_NP_MASTER_PACKET_CNT    :                  0
GOT: PRS_RCV_NP_HELPER_PACKET_CNT    :                  0
GOT: RSV_RCV_NP_HELPER_PACKET_CNT    :                  0
GOT: MDF_RCV_NP_HELPER_PACKET_CNT    :                  0
GOT: --- E2E counters ---
GOT: E2E_PRS_RX_CNT                  :          390370549
GOT: E2E_PRS_RX_IPV4_CNT             :          390203711
GOT: E2E_PRS_RX_IPV6_CNT             :               7762
GOT: E2E_PRS_RX_NONIP_CNT            :             159217
GOT: E2E_RSV_RX_CNT                  :          390362790
GOT: E2E_MDF_RX_CNT                  :          390362794
GOT: E2E_PRS_TX_CNT                  :               5301
GOT: E2E_RSV_TX_CNT                  :               5301
GOT: E2E_MDF_TX_CNT                  :               5301
GOT: E2E_RSV_RX_MATCH_0              :          390362809
GOT: E2E_RSV_RX_MATCH_1              :                  0
GOT: E2E_RSV_RX_MATCH_2              :                  0
GOT: E2E_RSV_RX_MATCH_3              :                  0
GOT: E2E_MDF_RX_MATCH_0              :                  0
GOT: E2E_MDF_RX_MATCH_1              :                  0
GOT: E2E_MDF_RX_MATCH_2              :                  0
GOT: E2E_MDF_RX_MATCH_3              :                  0
GOT: E2E_MDF_RX_ADD_HDR_0            :                  0
GOT: E2E_MDF_RX_ADD_HDR_1            :                  0
GOT: E2E_MDF_RX_ADD_HDR_2            :                  0
GOT: E2E_MDF_RX_ADD_HDR_3            :                  0
GOT: E2E_MDF_TX_DEL_HDR              :                  0
GOT: E2E_RSV_SEQ_NUM                 :                  0
GOT: E2E_PKT_SEQ_NUM                 :          390362870
GOT: E2E_MDF_TX_MATCH_0              :               5301
GOT: E2E_MDF_TX_MATCH_1              :                  0
GOT: E2E_MDF_TX_MATCH_2              :                  0
GOT: E2E_MDF_TX_MATCH_3              :                  0
GOT: E2E_MDF_RX_HA_E2E_HDR           :                  0
GOT: E2E_MDF_TX_HA_E2E_HDR           :                  0
GOT: E2E_RSV_RX_HA_MATCH             :                  0
GOT: --- Misc counters ---
GOT: PRS_RCV_PACKET_CNT              :          390372517
GOT: RSV_RCV_PACKET_CNT              :          390362397
GOT: MDF_RCV_PACKET_CNT              :          390362389
GOT: PRS_TX_PACKET_CNT               :              16930
GOT: RSV_TX_PACKET_CNT               :              11249
GOT: MDF_TX_PACKET_CNT               :               5454
GOT: MDF_TX_LOOPBK_CNT               :                  0
GOT: PRS_TX_DATA_PACKET_CNT          :               5454
GOT: PRS_INVALID_PKT_SRC_ID          :                  0
GOT: MDF_TX_MSG_DISCARD_CNT          :              11476
GOT: RSV_HI_PRI_DATA_PAK_CNT         :                  0
GOT: PRS_HA_CNT                      :                  0
GOT: RSV_HA_CNT                      :                  0
GOT: MDF_HA_CNT                      :                  0
GOT: PRS_HA_HASH_TLV_CNT             :                  0
GOT: PRS_HA_QOS_TLV_CNT              :                  0
GOT: PRS_HA_OTHERS_TLV_CNT           :                  0
GOT: PRS_2_HOST_CNT                  :                  0
GOT: RSV_2_HOST_CNT                  :                  0
GOT: MDF_2_HOST_CNT                  :                  0
GOT: PRS_DEBUG_ADDR                  :                  0
GOT: RSV_DEBUG_ADDR                  :                  0
GOT: MDF_DEBUG_ADDR                  :                  0
GOT:
GOT: === NPC10s, ez -> newcastle-spc: newcastle10 spc domain SPI-4 SNK counters:
GOT: SPC Pri chan     PktCnt    ByteCnt BPCnt L.Ch  ErrPktCnt DIP4ErrCnt
GOT: --- --- ---- ---------- ---------- ---------- ---------- ----------
GOT: 12    L   24  390205791 1933044383     0.   0          0          0
GOT: 12    H   25     158991   12719424     0.   0          0          0
GOT:
GOT: === NPC10s, newcastle-spc -> ez: newcastle10 spc domain SPI-4 SRC counters:
GOT: SPC Pri chan     PktCnt    ByteCnt      BPCnt  ErrPktCnt DIP2ErrCnt
GOT: --- --- ---- ---------- ---------- ---------- ---------- ----------
GOT: 12    L    0      16930    1611992          0          0          0
GOT: 12    H    1          0          0          0          0          0
GOT:
GOT: === NPC10s -> SPCs: newcastle10, spc domain, upoh fo counters:
GOT: Dest   Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: SPC12    L   390206470   780422603           0
GOT: SPC12    H      158991      317982           0
GOT:
GOT: === SPCs -> NPC10s: newcastle10, spc domain, upoh fi counters:
GOT: Src    Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: SPC12    L       16930       36545           0
GOT: SPC12    H           0           0           0
GOT:
GOT: === spc12 (SPC RMIx1) ==============================================
GOT:
GOT: spc12, swanhill12, link status:
GOT: spc12, HSL2 Rx: Up
GOT: spc12, HSL2 Tx: Up
GOT: SPC12 SPI-4 link UP
GOT:
GOT: SPC12, XLR status:
GOT: SPU12, state: SPU_STATE_WORKING, interrupt cnt 2045, startup 1.
GOT: CPU states: 84.3% user,  0.0% nice,  0.0% system,  0.0% interrupt, 15.6% idle
GOT: Mem: 36128K Active, 23096K Inact, 2961100K Wired, 456K Cache, 834636K Free
GOT: Flow usage: 10%, peak 58%, above 90% 0 times, longest 0 sec.
GOT: Flow pkt_mbuf usage: 3, peak 500, above 500 1 times, longest 1 sec.
GOT: SPU mbuf leak: pkt 0% peak 0%, host 0%, jmpi 0%.
GOT: SPU ECC: ch0 0 0 ch2 0 0, correctable 0, uncorrectable 0
GOT: SPU SPI4 DIP4 err: 0
GOT:     SPI4 tap (XLR): min 2, max 2; FPGA phase: 0, calib count 0
GOT: Nitrox ok_cnt 1, err_cnt 0
GOT:
GOT: === NPCs/SPCs -> SPC12: swanhill12, upoh fi counters:
GOT: Src    Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: NPC10s   L   390208169   780426001           0
GOT: NPC10s   H      158991      317982           0
GOT: SPC12    L       15455       56885           0
GOT: SPC12    H       27866       55710           0
GOT:
GOT: === SPC12 -> NPCs/SPCs: swanhill12, upoh fo counters:
GOT: Dest   Pri   PacketCnt    DataCell   ErrPktCnt
GOT: ------ --- ----------- ----------- -----------
GOT: NPC10s   L       16930       36545           0
GOT: NPC10s   H           0           0           0
GOT: SPC12    L       15455       56885           0
GOT: SPC12    H       27866       55710           0
GOT:
GOT: === SPC12, swanhill12, Ingress Bus Monitors:
GOT: ------ IPP ----
GOT: PKT_FILTER_CRT_CNT     = 0
GOT: PKT_FILTER_DROP_CNT    = 0
GOT: PKT_FILTER_ERR_CNT     = 0
GOT: CROSSBAR_TIMEOUT_CNT   = 0
GOT: BusMonitorCntr       IPP_in    IPP_out    SPI4_tx
GOT: ---------------- ---------- ---------- ----------
GOT: SOP_CNT           390410767  390410769  369495423
GOT: EOP_CNT           390410790  390410793  369495435
GOT: ERR_CNT                   0          0          0
GOT: BYTE_CNT         1952111738 1952111902  237020480
GOT: SOP_EOP_ERR(E.S)     0.   0     0.   0     0.   0
GOT: MIN_PKT_SIZE             80         80         80
GOT: MAX_PKT_SIZE           1616       1616       1616
GOT: SZ_ERR_CNT(O.U)      0.   0     0.   0     0.   0
GOT:
GOT: === SPC12, swanhill12, Egress Bus Monitors:
GOT: ------ EPP ------
GOT: PKT_FILTER_CRT_CNT     = 0
GOT: PKT_FILTER_DROP_CNT    = 0
GOT: PKT_FILTER_ERR_CNT     = 0
GOT: BusMonitorCntr       EPP_in    EPP_out    UPOH_tx
GOT: ---------------- ---------- ---------- ----------
GOT: SOP_CNT               60251      60251      60251
GOT: EOP_CNT               60251      60251      60251
GOT: ERR_CNT                   0          0          0
GOT: BYTE_CNT            7531321    7724841    7724841
GOT: SOP_EOP_ERR(E.S)     0.   0     0.   0     0.   0
GOT: MIN_PKT_SIZE             60         80         80
GOT: MAX_PKT_SIZE           1616       1616       1616
GOT: SZ_ERR_CNT(O.U)      0.   0     0.   0     0.   0
GOT:
GOT: === SPC12, swanhill -> XLR: swanhill12 SPI-4 SRC counters:
GOT:     PktCnt    ByteCnt      BPCnt  ErrPktCnt DIP2ErrCnt
GOT: ---------- ---------- ---------- ---------- ----------
GOT:  369495608  237032452 2531138157          0          0
GOT:
GOT: === SPC12, XLR -> swanhill: swanhill12 SPI-4 SNK counters:
GOT:     PktCnt    ByteCnt      BPCnt  ErrPktCnt DIP4ErrCnt
GOT: ---------- ---------- ---------- ---------- ----------
GOT:      60251    7531321          0          0          0
GOT:
GOT: === spc12, swanhill12, Ingress, QOS, per queue counters:
GOT: Q# P      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: -- - ----------- ----------- ----------- ----------- --- --------
GOT: 0  0   369384137   227541116           0    20840193 225585   411278
GOT: 1  1      186857    15673120           0           0   0        0
GOT: 2  2           0           0           0           0   0        0
GOT: 3  3           0           0           0           0   0        0
GOT: 4  4           0           0           0           0   0        0
GOT: 5  5           0           0           0           0   0        0
GOT: 6  6           0           0           0           0   0        0
GOT: 7  7           0           0           0           0   0        0
GOT:
GOT: === spc12, swanhill12, Egress, QOS, per queue counters:
GOT: Dest   P Q#      PktCnt     ByteCnt   ErrPktCnt     DropCnt Buf RateKbps
GOT: ------ - -- ----------- ----------- ----------- ----------- --- --------
GOT: NPC10s L 13       16930     1611992           0           0   0        0
GOT: NPC10s H 29           0           0           0           0   0        0
GOT: SPC12  L 12       15455     3159153           0           0   0        0
GOT: SPC12  H 28       27866     2953696           0           0   0        0
GOT:
GOT: === spc12, swanhill12, DDR2, ECC counters:
GOT: ---------------------------------------------------
GOT:                      Cntr[31:16]     Cntr[15:0]
GOT: DDR2_SB_ERR[0]            0               0
GOT: DDR2_SB_ERR[1]            0               0
GOT: DDR2_DB_ERR[0]            0               0
GOT: DDR2_DB_ERR[1]            0               0
GOT:
GOT: Flow control status:
GOT: IOC slot 0:
GOT: tx_strm inst slot peer_slot enable stuck_cnt rst_cnt
GOT: ------- ---- ---- --------- ------ --------- -------
GOT:     0     0    0      10       Y         0       0
GOT:     1     0    0      10       Y         0       0
GOT: rx_strm inst slot pr_strm pr_inst pr_slot enable stuck_cnt rst_cnt    nrsn
GOT: ------- ---- ---- ------- ------- ------- ------ ---------------- ----------
GOT:     0     0    0      0      0      10       Y         3       0   0x00000000
GOT:     1     0    0      1      0      10       Y         0       0   0x00000115
GOT:     2     0    0      2      0      10       Y         3       0   0x00000000
GOT:     3     0    0      3      0      10       Y         3       0   0x00000000
GOT:     4     0    0      4      0      10       Y         3       0   0x00000000
GOT:     5     0    0      5      0      10       Y         3       0   0x00000000
GOT:     6     0    0      6      0      10       Y         3       0   0x00000000
GOT:     7     0    0      7      0      10       Y         3       0   0x00000000
GOT:     8     0    0      8      0      10       Y         3       0   0x00000000
GOT:     9     0    0      9      0      10       Y         3       0   0x00000000
GOT:    10     0    0     10      0      10       Y         3       0   0x00000000
GOT:    11     0    0     11      0      10       Y         3       0   0x00000000
GOT:    12     0    0     12      0      10       Y         3       0   0x00000000
GOT:    13     0    0     13      0      10       Y         3       0   0x00000000
GOT:    14     0    0     14      0      10       Y         3       0   0x00000000
GOT:    15     0    0     15      0      10       Y         3       0   0x00000000
GOT:
GOT: IOC slot 1:
GOT: tx_strm inst slot peer_slot enable stuck_cnt rst_cnt
GOT: ------- ---- ---- --------- ------ --------- -------
GOT:     0     0    1      10       Y         0       0
GOT:     1     0    1      10       Y         0       0
GOT: rx_strm inst slot pr_strm pr_inst pr_slot enable stuck_cnt rst_cnt    nrsn
GOT: ------- ---- ---- ------- ------- ------- ------ ---------------- ----------
GOT:     0     0    1     16      1      10       Y         1       0   0x0000035e
GOT:     1     0    1     17      1      10       Y         3       0   0x00000000
GOT:     2     0    1     18      1      10       Y         3       0   0x00000000
GOT:     3     0    1     19      1      10       Y         3       0   0x00000000
GOT:     4     0    1     20      1      10       Y         3       0   0x00000000
GOT:     5     0    1     21      1      10       Y         3       0   0x00000000
GOT:     6     0    1     22      1      10       Y         3       0   0x00000000
GOT:     7     0    1     23      1      10       Y         3       0   0x00000000
GOT:     8     0    1     24      1      10       Y         3       0   0x00000000
GOT:     9     0    1     25      1      10       Y         3       0   0x00000000
GOT:    10     0    1     26      1      10       Y         3       0   0x00000000
GOT:    11     0    1     27      1      10       Y         3       0   0x00000000
GOT:    12     0    1     28      1      10       Y         3       0   0x00000000
GOT:    13     0    1     29      1      10       Y         3       0   0x00000000
GOT:    14     0    1     30      1      10       Y         3       0   0x00000000
GOT:    15     0    1     31      1      10       Y         3       0   0x00000000
GOT:
GOT: IOC slot 4:
GOT: tx_strm inst slot peer_slot enable stuck_cnt rst_cnt
GOT: ------- ---- ---- --------- ------ --------- -------
GOT:     0     0    4      10       Y         0       0
GOT:     1     0    4      10       Y         0       0
GOT: rx_strm inst slot pr_strm pr_inst pr_slot enable stuck_cnt rst_cnt    nrsn
GOT: ------- ---- ---- ------- ------- ------- ------ ---------------- ----------
GOT:     0     0    4     64      4      10       Y         3       0   0x00000000
GOT:     1     0    4     65      4      10       Y         3       0   0x00000000
GOT:     2     0    4     66      4      10       Y         3       0   0x00000000
GOT:     3     0    4     67      4      10       Y         3       0   0x00000000
GOT:     4     0    4     68      4      10       Y         3       0   0x00000000
GOT:     5     0    4     69      4      10       Y         3       0   0x00000000
GOT:     6     0    4     70      4      10       Y         3       0   0x00000000
GOT:     7     0    4     71      4      10       Y         3       0   0x00000000
GOT:     8     0    4     72      4      10       Y         3       0   0x00000000
GOT:     9     0    4     73      4      10       Y         3       0   0x00000000
GOT:    10     0    4     74      4      10       Y         3       0   0x00000000
GOT:    11     0    4     75      4      10       Y         3       0   0x00000000
GOT:    12     0    4     76      4      10       Y         3       0   0x00000000
GOT:    13     0    4     77      4      10       Y         3       0   0x00000000
GOT:    14     0    4     78      4      10       Y         3       0   0x00000000
GOT:    15     0    4     79      4      10       Y         3       0   0x00000000
GOT:
GOT: NPC slot 10 (IOC Domain):
GOT: tx_strm inst slot peer_slot enable stuck_cnt rst_cnt
GOT: ------- ---- ---- --------- ------ --------- -------
GOT:     0     0   10       0       Y         0       0
GOT:     1     0   10       0       Y         0       0
GOT:     2     0   10       0       Y         0       0
GOT:     3     0   10       0       Y         0       0
GOT:     4     0   10       0       Y         0       0
GOT:     5     0   10       0       Y         0       0
GOT:     6     0   10       0       Y         0       0
GOT:     7     0   10       0       Y         0       0
GOT:     8     0   10       0       Y         0       0
GOT:     9     0   10       0       Y         0       0
GOT:    10     0   10       0       Y         0       0
GOT:    11     0   10       0       Y         0       0
GOT:    12     0   10       0       Y         0       0
GOT:    13     0   10       0       Y         0       0
GOT:    14     0   10       0       Y         0       0
GOT:    15     0   10       0       Y         0       0
GOT:    16     1   10       1       Y         0       0
GOT:    17     1   10       1       Y         0       0
GOT:    18     1   10       1       Y         0       0
GOT:    19     1   10       1       Y         0       0
GOT:    20     1   10       1       Y         0       0
GOT:    21     1   10       1       Y         0       0
GOT:    22     1   10       1       Y         0       0
GOT:    23     1   10       1       Y         0       0
GOT:    24     1   10       1       Y         0       0
GOT:    25     1   10       1       Y         0       0
GOT:    26     1   10       1       Y         0       0
GOT:    27     1   10       1       Y         0       0
GOT:    28     1   10       1       Y         0       0
GOT:    29     1   10       1       Y         0       0
GOT:    30     1   10       1       Y         0       0
GOT:    31     1   10       1       Y         0       0
GOT:    64     4   10       4       Y         0       0
GOT:    65     4   10       4       Y         0       0
GOT:    66     4   10       4       Y         0       0
GOT:    67     4   10       4       Y         0       0
GOT:    68     4   10       4       Y         0       0
GOT:    69     4   10       4       Y         0       0
GOT:    70     4   10       4       Y         0       0
GOT:    71     4   10       4       Y         0       0
GOT:    72     4   10       4       Y         0       0
GOT:    73     4   10       4       Y         0       0
GOT:    74     4   10       4       Y         0       0
GOT:    75     4   10       4       Y         0       0
GOT:    76     4   10       4       Y         0       0
GOT:    77     4   10       4       Y         0       0
GOT:    78     4   10       4       Y         0       0
GOT:    79     4   10       4       Y         0       0
GOT: rx_strm inst slot pr_strm pr_inst pr_slot enable stuck_cnt rst_cnt    nrsn
GOT: ------- ---- ---- ------- ------- ------- ------ ---------------- ----------
GOT:     0     0   10      0      0       0       Y         0       0   0x00000665
GOT:     1     0   10      1      0       0       Y         0       0   0x000001ba
GOT:     2     1   10      0      0       1       Y         0       0   0x00000632
GOT:     3     1   10      1      0       1       Y         0       0   0x000003ee
GOT:     8     4   10      0      0       4       Y         3       0   0x00000000
GOT:     9     4   10      1      0       4       Y         3       0   0x00000000
GOT:
GOT: NPC slot 10 (SPC Domain):
GOT: rx_strm inst slot pr_strm pr_inst pr_slot enable stuck_cnt rst_cnt    nrsn
GOT: ------- ---- ---- ------- ------- ------- ------ ---------------- ----------
GOT:
GOT: SPC slot 12:
GOT: tx_strm inst slot peer_slot enable stuck_cnt rst_cnt
GOT: ------- ---- ---- --------- ------ --------- -------
GOT:    13    13   12      10       Y         0       0
GOT:    29    13   12      10       Y         0       0
GOT:
GOT:
GOT: Flow control reset on stuck : enabled
LOCAL: End of file

root@srx3600.spd.net.tr>

Open in new window

0
FireBallITAuthor Commented:
Since you have a single SPC it is running in "combo" mode, which based on the way I am interpreting this means that 1/2 of it processing is used for CP usage and 1/2 for "normal SPC" (IDS and firewall) functions.  This would drastically reduce the throughput you might expect to get.

but spc cpu never reached to the 100%



I guess we have a different definition of "small."  To me 500,000 packets per second is not small.

I do not want to describe quantity of the packets with smal , i want to tell its data length like 40bytes





and again i am not asking why this device is not capable to handle xxxxx pps , i just want to know what is blocking the packets at the moment. I know that is not a full device but we can not figure the problem

Is it routing engine issue ? NPC issue ? SPC issue  ?

if it is an npc issue we will plan a cluster and load balancer
if it is an spc issue we will buy spc ....

we try to decide the problem depending on our needs.
0
David PiniellaCommented:
we are waiting for device assignment more then 15 days


like, you called juniper and you're still waiting? seriously, call them up again and escalate the case. If this is a problem you need solved and you need specific answers about their hardware, you need a juniper tech talking to you on the phone.
0
FireBallITAuthor Commented:
yesterday they send an email "now one last step then you should request a support contract " bla bla bla :)
I think this problem will be resolved next week. We are just looking for logical answer why that happens that is all
0
giltjrCommented:
Just updated one of your other posts on this.  Reviewing your config and looking at some of the display you have done it appears you are running your simulated attacks so that the traffic is hitting the SRX on the ge-0/0/1 interface.

You have not put this interface in any zones and you are allowing all traffic  inbound with no limitations and no filtering.

Is this correct?  If so you need to setup the network so that your simulated attack comes in on the xe-1/0/0.0 interface, which is in the DisNetwork.  I am assuming that DisNetwork is what most people would call their outside/untrust network.
0
FireBallITAuthor Commented:
you were right, we checked deeply from bsd and see that it has been occured hardware drops too much. It does not capable to apply filters while there is only one spc on this much traffic . Thank you
0
giltjrCommented:
I think you need to look at the path the data takes when you are doing your testing.    If you look at the output from the command "show datapath all"

You will see that almost all of your traffic is hitting IOC 0 Interface 1, which is your 1 Gbps card.

Very little if any traffic is hitting the interfaces on IOC 1, where you 10 Gbe interface are.  The interface you have applied all your security settings to is on IOC 1, not IOC 0.

Basically from what the displays and the last config you posted you are attacking an unprotected interface.  You need change your test setup so that the traffic from the test/attacking box hits the 10 Gbe interface, not the 1 Gbe interface.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.