SRX 5800

High End Juniper SRX 5800

When you buy a high end Juniper SRX (say a 5600 or a 5800), you may miss the fact that the SRX-IOC-4XGE-XFP line card, with four 10Gb ports, can only do 10 Gigabit of total throughput across the whole card. You probably bought these monster firewalls for a very specific use case. Either:

  • A. Tons of sessions

OR

  • B. High throughput

OR

  • C. Both high session count and high throughput

If you did not plan appropriately for whichever of these cases applies to you, you may find yourself in a very sticky situation.

It’s 3am.

Your phone chimes with your favorite themed text message alert.

You try to ignore it.

5 minutes later your phone rings in the same themed ring tone.

It’s the help desk.

Customers inside one of your data centers are experiencing an extra 250 – 500 milliseconds of unplanned latency.  On top of that, some connections are timing out altogether.   All of your monitoring tools show green.  Everything is up.  What thuh?

You log in to the firewall pair that is inline with all of the latent connections and see something like this:

user@firewall> show security flow session summary | match "node|FPC|use"
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC2 PIC1:
Sessions-in-use: 320968
Flow Sessions on FPC3 PIC0:
Sessions-in-use: 321308
Flow Sessions on FPC3 PIC1:
Sessions-in-use: 320134
Flow Sessions on FPC4 PIC0:
Sessions-in-use: 317292
Flow Sessions on FPC4 PIC1:
Sessions-in-use: 311775
Flow Sessions on FPC5 PIC0:
Sessions-in-use: 314601
Flow Sessions on FPC5 PIC1:
Sessions-in-use: 310625
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC2 PIC1:
Sessions-in-use: 334975
Flow Sessions on FPC3 PIC0:
Sessions-in-use: 331942
Flow Sessions on FPC3 PIC1:
Sessions-in-use: 330681
Flow Sessions on FPC4 PIC0:
Sessions-in-use: 335326
Flow Sessions on FPC4 PIC1:
Sessions-in-use: 322139
Flow Sessions on FPC5 PIC0:
Sessions-in-use: 324847
Flow Sessions on FPC5 PIC1:
Sessions-in-use: 324141

Session count looks good.  These bad boys seem to be load balancing sessions across all SPCs appropriately and are well below the max session count.

So you take a look at your redundant ethernet interfaces.

user@firewall> show interfaces reth0 | match rate
Input rate : 5866756328 bps (710119 pps)
Output rate : 4866756328 bps (549580 pps)

user@firewall> show interfaces reth1 | match rate
Input rate : 4988112456 bps (587564 pps)
Output rate : 5988112456 bps (735202 pps)

Now look closely. At first glance you may dismiss these numbers: they are, after all, 10Gb interfaces that operate in full duplex, and each reth is under 6 Gbps in either direction. But your design used a single SRX-IOC-4XGE-XFP on each firewall. This means that reth0 and reth1 are sharing that card's 10Gb TOTAL capacity. Add the input rates together (about 5.87 Gbps on reth0 plus 4.99 Gbps on reth1) and the card is being asked to forward roughly 10.85 Gbps; the output rates add up to the same figure. That is more than the card is rated for, and no per-interface graph will ever show it.
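Your monitoring showed green because it checked each reth against its own 10Gb line rate. The following script is an added example (not from the original post) that makes the missing check: it parses the `show interfaces rethN | match rate` lines, adds up every reth that shares one IOC, and compares the card's aggregate load against the 10 Gbps card rating. The sample rate lines are the figures printed above, pasted in as constructed input so the script runs offline; the 80% warning threshold and the choice to report the busier of ingress and egress are assumptions for illustration.

```python
import re

# SRX-IOC-4XGE-XFP: 10 Gbps for the whole card, regardless of how many of
# its four 10GbE ports are in use.
IOC_CAPACITY_BPS = 10_000_000_000
PORT_LINE_RATE_BPS = 10_000_000_000

# Constructed samples: the rate lines from the post, before and after policing.
BEFORE_POLICING = {
    "reth0": "Input rate : 5866756328 bps (710119 pps)\n"
             "Output rate : 4866756328 bps (549580 pps)",
    "reth1": "Input rate : 4988112456 bps (587564 pps)\n"
             "Output rate : 5988112456 bps (735202 pps)",
}
AFTER_POLICING = {
    "reth0": "Input rate : 5866756328 bps (710119 pps)\n"
             "Output rate : 1804087216 bps (549580 pps)",
    "reth1": "Input rate : 2048110960 bps (587564 pps)\n"
             "Output rate : 5988112456 bps (735202 pps)",
}

RATE_RE = re.compile(r"^(Input|Output) rate\s*:\s*(\d+)\s+bps\s+\((\d+)\s+pps\)", re.M)


def parse_rates(text):
    """Return {'input': bps, 'output': bps} from one interface's rate lines."""
    rates = {}
    for direction, bps, _pps in RATE_RE.findall(text):
        rates[direction.lower()] = int(bps)
    if set(rates) != {"input", "output"}:
        raise ValueError("could not find both Input and Output rate lines")
    return rates


def per_interface_ok(text, line_rate_bps=PORT_LINE_RATE_BPS):
    """The check a typical NMS makes: is this one interface under its line rate?
    Passes for every reth above, which is exactly the blind spot."""
    rates = parse_rates(text)
    return rates["input"] <= line_rate_bps and rates["output"] <= line_rate_bps


def ioc_load(reth_outputs):
    """Aggregate every reth that lives on the same IOC.
    Ingress and egress are summed separately; the busier direction is
    what the card has to forward (an assumption for this example)."""
    total_in = sum(parse_rates(t)["input"] for t in reth_outputs.values())
    total_out = sum(parse_rates(t)["output"] for t in reth_outputs.values())
    return {"ingress_bps": total_in, "egress_bps": total_out,
            "load_bps": max(total_in, total_out)}


def check_ioc(reth_outputs, capacity_bps=IOC_CAPACITY_BPS, warn_pct=80):
    """Return (status, load_bps): 'over' past the card rating,
    'warn' above warn_pct of it, otherwise 'ok'."""
    load = ioc_load(reth_outputs)["load_bps"]
    if load > capacity_bps:
        return "over", load
    if load > capacity_bps * warn_pct // 100:
        return "warn", load
    return "ok", load


if __name__ == "__main__":
    for label, sample in (("before policing", BEFORE_POLICING),
                          ("after policing", AFTER_POLICING)):
        status, load = check_ioc(sample)
        ifaces_ok = all(per_interface_ok(t) for t in sample.values())
        print(f"{label}: every reth under line rate={ifaces_ok}, "
              f"IOC load {load / 1e9:.2f} Gbps -> {status}")
```

Feed it the real output of both reths (and any other interfaces on the same FPC slot) from a cron job or your poller, and alert on `warn` rather than waiting for `over`: at 3am the difference between 8 and 10.85 Gbps is the difference between a ticket and a page.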

Uh Oh. You may not typically have spare 10Gb cards lying around, and even if you do, are you going to come up with the right solution at 3am? You may want to look elsewhere for a fix. How about policing the traffic as it enters the firewall, the same way you would on any of your MXs or other routers? Check out this SRX policing link.

Don’t want to police on the firewalls?  Try policing lower in the stack.  You have MX routers.  You have EX switches.  You can make this work.
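Here is what that policing looks like in Junos. This is an added example, not configuration from the original post: a policer attached to an ingress filter, which is the same construct whether you commit it on the SRX reth, on an MX, or on an EX. The tenant prefix, the 2g limit and the burst size are placeholders you would replace with your own offender and your own budget.

```junos
firewall {
    /* Hard-cap one noisy tenant; pick a burst of roughly 10-25ms of the limit. */
    policer limit-noisy-tenant {
        if-exceeding {
            bandwidth-limit 2g;
            burst-size-limit 25m;
        }
        then discard;
    }
    family inet {
        filter police-ingress {
            term noisy-tenant {
                from {
                    /* Assumed example prefix for the offending customer. */
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    policer limit-noisy-tenant;
                    accept;
                }
            }
            term everyone-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* On the SRX: police on the reth unit facing the offenders.
       On an MX or EX: put the same filter on the customer-facing unit instead. */
    reth0 {
        unit 0 {
            family inet {
                filter {
                    input police-ingress;
                }
            }
        }
    }
}
```

Commit it with `commit confirmed` so a typo in the prefix does not turn a latency incident into an outage, and check `show firewall filter police-ingress` afterwards to confirm the discard counter on the policer is the one moving.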

You finally rate limit your main offenders and the firewalls are back to a somewhat healthy state.

user@firewall> show interfaces reth0 | match rate
Input rate : 5866756328 bps (710119 pps)
Output rate : 1804087216 bps (549580 pps)

user@firewall> show interfaces reth1 | match rate
Input rate : 2048110960 bps (587564 pps)
Output rate : 5988112456 bps (735202 pps)

It’s now 4am and you head back to bed, except you’re so wound up you can’t get back to sleep, so you start working on your plan to add bandwidth to your high end SRXs. Let’s talk link aggregation. How should you do it? There are some options.

I’ll follow up this post next week with a link aggregation howto.
