Juniper SSG 140 is not letting bandwidth through

Greetings experts,

I have a Juniper SSG 140, firmware 6.1.0r2.0, there is an update.. I will upgrade tonight.  

The problem is that my Internet speed tests are coming back at about 50 megs download, while I have a 200 meg connection.  The upload is 20 meg and working fine.

I have rebooted everything. The only other thing I did was try and switch the link to auto from full-duplex.  I ran the command: set interface e0\2 phy auto

When we hook a laptop directly into the cable modem and configure the static IP, we get the proper speed.
Any ideas on why the firewall isn’t letting the bandwidth through?  

Below is a get interface of the Internet connection.


NYCCD-Manhatan-> get interface e0/2
Interface ethernet0/2:
  description ethernet0/2
  number 6, if_info 4848, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip xxxxxxxx
  gateway xxxxxx
  *manage ip xxxxxxxxx
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled
sw session infinity loop 0
Number of SW session: 47068, hw sess err cnt 0
Asked by: Kacey Fern, System Engineer

Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
This line
 bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
tells you that you have a 100MBit/s interface, which is quite normal for an SSG 140 - it doesn't have in-built GBit ports. But you should still get more than 50MBit/s then.
The Trust interface is a different one, I suppose? That will again be restricted to 100MBit.
Kacey Fern, System Engineer, Author, Commented:
right.. any idea why I would only get the 50?
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
I've just looked up the specs, and the SSG 140 should have 2 Gbit ports. The throughput is specified as 300Mbit/s, and sufficient.


Kacey Fern, System Engineer, Author, Commented:
ok, it doesn't make sense that I would only get 50 down, but what I'll do is go in tomorrow and try and put the WAN on one of the gigabit ports.  I'll comment back tomorrow afternoon after this is done.
thanks for your help..
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
Of course you also need to use the other GBit port for LAN, or expect to be capped at 80 MBit or so.
Kacey Fern, System Engineer, Author, Commented:
This is the first time I'm attempting to use the gigabit ports.  As luck would have it, I don't know how...

I tried to give port 0/9 or 0/8 a static IP and set the zone to untrust.. this did not work.  I unset the IP for 0/2 (the original untrust) which did nothing.  I changed the zone to null for 0/2, nothing.  I deleted the mapped ips and policies as well (need to do that to unset)

So I went in and reset the device, when you use the wizard, it will only let you use port 0/0 0/1 or 0/2 for the initial trust / untrust scenario.

Does anyone have a quick reference on how to switch the trust 0/0 to 0/9 and the untrust 0/2 to 0/8?

Thanks for any help.
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
You should have no issues adding interfaces to zones (i.e. changing the zone in the Interface setup). That the wizard does not allow selecting the GB ports is, well, interesting, but no obstacle.
When you say "did not work", what do you mean exactly?
Kacey Fern, System Engineer, Author, Commented:
I did a factory reset.  I got the Internet working on port e0/2.  Then I set up a second public IP on e0/8 and set the zone to untrust.
Unplugged the cable from 02 and plugged it into 08, Internet did not work.
No policies were configured.
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
Default policy is "deny-all", so this cannot be correct. You need at least one policy Trust to Untrust to allow traffic.
Kacey Fern, System Engineer, Author, Commented:
right.. That was the only one.  Sorry figured it was useless info since I said I was on Internet.. my bad.
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
First things to check are:
a) is eth0/8 working? Speed etc. detected correctly?
b) enable traffic logging (at session beginning) in the policy, create some traffic, and then look into the log of that policy to check if it has been applied, and NAT works (you should see the public IPs in the "translated" columns).

Also check if eth0/8 is in the correct interface mode (Route, not NAT). The Trust interface needs to be in NAT mode. (To be precise, it should not matter for Trust <-> Untrust, as implicit NAT rules apply, but better to be sure).
Kacey Fern, System Engineer, Author, Commented:
Going in tomorrow at 11am to try and get this working again.  Thanks for the info.  Will update as I have info.
Kacey Fern, System Engineer, Author, Commented:
Thank you Qlemo for pointing me in the correct direction.

1. The end result was to download the config I already had.
2. Edit the config and change anything that said e0\0 and make it e0\8 and anything that said e0\2 and make it e0\9.
3. Change the upload ports on the vpn in the config file to e0\9
4. Replace the config, hit apply.

All came back up within two minutes and worked perfectly.  I left the old cables and new cables in the ports, 4 total.. while I did this.  I noticed on the new Juniper firewalls that if the cable is not connected to the router, then the config does not take sometimes.

Credit Sanga Collins, another expert for this idea.  I have another question regarding this.

My best-
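
The search-and-replace fix from the post above, written as a script (an added example, not code from the thread or from Juniper). It assumes the saved config uses full `ethernet0/N` names rather than the `e0\N` shorthand in the post; the sample config lines, addresses and the `branch-gw` gateway name are constructed.

```python
import re

# Port moves from the thread's final fix: e0/0 -> e0/8 and e0/2 -> e0/9.
PORT_MAP = {"ethernet0/0": "ethernet0/8", "ethernet0/2": "ethernet0/9"}

# Greedy \d+ takes the whole port number, so ethernet0/20 is never read as
# ethernet0/2; a subinterface such as ethernet0/2.1 matches on its parent part.
IFACE_RE = re.compile(r"\bethernet\d+/\d+")

# Constructed sample of a saved ScreenOS config (documentation address ranges).
SAMPLE = '''set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 ip 203.0.113.10/29
set interface ethernet0/2 route
set ike gateway "branch-gw" address 198.51.100.7 Main outgoing-interface "ethernet0/2" preshare "PLACEHOLDER" sec-level standard
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
'''

def remap_config(text, port_map=PORT_MAP):
    """Rename interfaces in a single pass and return (new_text, changes)."""
    present = set(IFACE_RE.findall(text))
    clash = (set(port_map.values()) & present) - set(port_map)
    if clash:  # target already carries config; a blind rename would merge two ports
        raise ValueError(f"target ports already configured: {sorted(clash)}")
    changes = []
    def swap(match):
        old = match.group(0)
        new = port_map.get(old, old)
        if new != old:
            changes.append((old, new))
        return new
    return IFACE_RE.sub(swap, text), changes

def zone_bindings(text):
    """Return {interface: zone} so the Trust/Untrust placement can be checked."""
    pattern = re.compile(r'^set interface "?(\S+?)"? zone "?([^"\s]+)"?', re.M)
    return dict(pattern.findall(text))

if __name__ == "__main__":
    new_cfg, changes = remap_config(SAMPLE)
    print(new_cfg)
    print(f"{len(changes)} references renamed; zones: {zone_bindings(new_cfg)}")
```

Comparing `zone_bindings` before and after the rename confirms that the Untrust zone, and with it the VPN outgoing interface, moved to the intended port before the file is loaded back onto the firewall.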
Qlemo, "Batchelor", Developer and EE Topic Advisor, Commented:
I'm dejected that I didn't come up with that simple search-and-replace approach :/. That's the reason I was only monitoring the other question ;-).