
I recently acquired a Juniper SRX210BE; until now I've been using a Cisco ASA 5505, but I really want to switch over to the Juniper world (big FreeBSD fan and all that).

I've got an FTTC (fibre to the cabinet) internet feed that goes into a modem which converts the VDSL signal into Ethernet; from the modem I connect the Juniper with an Ethernet cable and perform the PPPoE authentication on the Juniper.

Everything is working fine, but... I'm getting major packet loss according to both ping and traceroute. The really weird thing is that this PL seems to affect only ICMP / traceroute messages, and it's not permanent but rather intermittent. E.g. I'll get 10 packets lost, then it's fine for ~40 seconds, and then there's another burst of PL.

The PL includes the first hop which is the Juniper itself! Please see below.

Host                                                          Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.17.17.62                                                29.3%   454    1.3   1.5   0.9  21.6   1.7
 2. 109.224.191.50                                             13.2%   453   14.8  17.3  14.5 111.8   9.0
 3. 149.6.9.170                                                12.8%   453   15.3  18.5  14.5 149.1  13.2
 4. gi8-10.mag01.lhr01.atlas.cogentco.com                      13.7%   453   15.4  25.8  14.6 218.9  33.1
 5. te0-5-0-5.rcr21.lhr01.atlas.cogentco.com                   12.6%   453   16.3  17.5  15.0  69.7   6.5
 6. be2040.ccr41.lon13.atlas.cogentco.com                      13.5%   453   16.7  17.9  16.0  72.4   4.9
 7. be2194.ccr41.ams03.atlas.cogentco.com                      12.6%   453   23.9  25.8  23.4  74.6   6.1
 8. be2186.ccr41.ham01.atlas.cogentco.com                      12.8%   453   33.7  35.6  32.5  94.6   8.3
 9. be2147.rcr21.ber01.atlas.cogentco.com                      13.7%   453   36.9  39.8  36.2 104.3   9.1
10. te3-1.ccr01.poz01.atlas.cogentco.com                       13.2%   453   41.1  58.7  40.4 251.0  41.1
11. 149.6.28.22                                                13.2%   453   48.8  52.0  46.8 126.8   9.9
12. 81.210.127.195                                             13.5%   453   55.7  57.6  53.0 110.2   8.4
13. 83.238.250.131                                             38.9%   453   52.6  54.4  51.7  98.0   5.8
14. GdynR005RT01-RedaR001RT01.inetia.pl                        17.9%   453   53.5  54.8  52.4  93.4   5.9
15. ???
16. rtr4.rtr-int-1.adm.wp-sa.pl                                13.7%   453   55.5  57.3  54.7 120.9   6.8
17. www.wp.pl                                                  13.5%   453   55.3  56.8  54.5 111.9   6.3

10.17.17.62 is the Juniper's internal IP -- how weird is that? The config is pretty much the stock one, with PPPoE auth configured as well as NAT. See below:

## Last commit: 2014-10-17 23:19:14 BST by root
version 12.1X44-D40.2;
system {
    time-zone Europe/London;
    root-authentication {
        encrypted-password "xxx"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.16;
            }
            https {
                system-generated-certificate;
                interface vlan.16;
            }
        }
        dhcp {
            domain-name lon.domain;
            pool 10.17.17.0/26 {
                address-range low 10.17.17.32 high 10.17.17.55;
                default-lease-time 7200;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    10.17.17.62;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member ge-0/0/0;
        member fe-0/0/2;
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                chap {
                    default-chap-secret "xxx"; ## SECRET-DATA
                    local-name "xxx";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/7.0;
                idle-timeout 0;
                auto-reconnect 30;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 16 {
            family inet {
                address 10.17.17.62/26;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            metric 0;
        }
    }
}
protocols {
    stp {
        disable;
        interface ge-0/0/0.0 {
            disable;
        }
        interface ge-0/0/1.0 {
            disable;
        }
        interface fe-0/0/2.0 {
            disable;
        }
        interface fe-0/0/3.0 {
            disable;
        }
        interface fe-0/0/4.0 {
            disable;
        }
        interface fe-0/0/5.0 {
            disable;
        }
        interface fe-0/0/6.0 {
            disable;
        }
    }
}
security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1380;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 10.17.17.0/26;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.16 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            all;
                        }
                    }
                }
                fe-0/0/5.0;
            }
        }
        security-zone untrust {
            interfaces {
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 16;
        l3-interface vlan.16;
    }
}

When I run ping to anything from the Juniper itself, sometimes the ping is fine, but at some points I'm getting PL as well, even to my GW. If I switch back to the Cisco ASA 5505, I get literally no PL.

Does anyone have any suggestions on what to look at? I tried different ports, wiping out the config and starting again, etc.; nothing helps. Given that the other protocols work fine during the PL on ICMP / traceroute, I suspect some kind of rate limiting kicking in, but how do I find out which one it is??? I'm pretty sure I disabled all screens etc...

Any advice, much appreciated.

EDIT: I'm running latest recommended software version -- 12.1X44-D40.2

root> show version
Model: srx210be
JUNOS Software Release [12.1X44-D40.2]

EDIT 2: I just did a test: I connected a Raspberry Pi directly to the interface and started running mtr from it. Below is the result:

                                            Packets               Pings
 Host                                     Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 10.17.17.62                           47.3%   112    1.2   1.2   1.0   3.3   0.3
 2. 10.50.50.2                             0.0%   111    1.7   1.9   1.3  14.4   1.7

With 10.17.17.62 being the GW again.

After further tests, it seems like ICMP is not actually affected. It's just mtr, which uses UDP for traceroute. However, I can't really track down what the hell is limiting / dropping that.

bart613
  • How did you get such a result table? My traceroute/ping results look much like the usual UNIX ones. – drookie Oct 18 '14 at 12:45
  • It's from mtr -- http://en.wikipedia.org/wiki/MTR_(software). I was really (positively) surprised to see it's now part of the standard Junos software. – bart613 Oct 18 '14 at 13:10
  • Which Junos version do you run on it? – drookie Oct 18 '14 at 13:14
  • Ah sorry, didn't mention it -- 12.1X44-D40.2, so the latest recommended by JTAC. – bart613 Oct 18 '14 at 13:48
  • Does the packet loss manifest itself in some way other than mtr run from the SRX console? – drookie Oct 18 '14 at 14:06
  • No, not really. It's mainly traceroute UDP packets that are intermittently being lost. No other TCP / UDP traffic is being lost :/ – bart613 Oct 18 '14 at 14:14
  • Then probably it's mtr itself that doesn't work properly. Conduct some tests from a device behind the SRX. – drookie Oct 18 '14 at 14:43
  • Nah, I wouldn't suspect mtr itself. traceroute and ICMP manifest similar behaviour; it's just more difficult to catch than using mtr. Thanks for following up, anyway. – bart613 Oct 19 '14 at 08:35

0 Answers