List: juniper-nsp
Subject: [j-nsp] SRX 3400 IPSec Performance question/advice needed
From: The Hawk via juniper-nsp <juniper-nsp () puck ! nether ! net>
Date: 2023-02-24 17:11:42
Message-ID: SN6PR04MB51662BC21485CA40120BB49DB4A89 () SN6PR04MB5166 ! namprd04 ! prod ! outlook ! com
Hello Community,
I was hoping to get some advice on something.
I'm doing some tests on an old SRX3400 cluster in our lab and I'm noticing that IPSec
performance on the SRX3400 is horrible.
As per documentation it talks about 8G - 10G of IPSec performance.
I've done tests with 3des-md5, 3des-sha1, aes128-sha1, aes256-sha256.
It seems that aes128-sha1, aes256-sha256 perform best, but even in those
circumstances the performance is minimal (approximately 150Mbps on the download and
about 350Mbps on the upload).
I'm doing this test between 2 SRX3400's, I've also done it from a Fortigate 60F to
the SRX 3400 and both yield the same results.
At first I thought that the SPU wasn't being engaged and that the RE is trying to
handle the IPSec but I checked and it seems that there is traffic through the SPU
when IPSec traffic is pushed through. I've also enabled ipsec acceleration on the
flow (without rebooting the chassis) and it made no difference (not sure if reboot is
required).
Any suggestions that one can offer me? I speculate that I'm missing some
"optimization" command that should engage the ASIC better.
PS. I'm running the latest version of the SRX 12.3x48 code.
PS2. I am only running 1x SPU in the chassis and I was thinking of maybe installing
additional SPUs to see if it helps... (but based on documentation, a single SPU should
handle about 8Gbps of throughput... while adding a second should increase that
further). TBH, I'm not looking to do more than 1G... but I wanted to see 1G
performance at least.
Any help/suggestions are greatly appreciated.
Thank you!
Adrian