Hi all
msheikoh, I am not sure what your idea is about checking Replay errors, but I did it for you.
After clearing the sec ipsec statistics, I checked the replay errors twice with sh sec ipsec statistics during the first 4 hours and couldn't see any replay errors. Please see the following:
>show security ipsec statistics
ESP Statistics:
Encrypted bytes: 258828544
Decrypted bytes: 323126770
Encrypted packets: 842164
Decrypted packets: 800696
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
My aim here is to find a SIGN/EVIDENCE in the traceoptions or firewall filter logs that says fragmentation is happening.
Recently I've run the following traceoptions on the SRX box. I couldn't see any sign that says fragmentation is happening, but only saw the following things in red. Please see.
Why can't we see fragmentation happening to the IPsec traffic, when the current MSS configuration is ONLY "set security flow tcp-mss all-tcp mss 1450" and the fragment packet count from sh sec flow statistics has been huge and rapidly increasing?
>show security flow statistics
Current sessions: 225
Packets forwarded: 14444351807
Packets dropped: 162144762
Fragment packets: 864461746
1-) Is capturing the packets with traceoptions on the SRX the correct location, or must it be done on the EX switch?
2-) If we can't see fragmentation in the traceoptions files from the flow module on the SRX, is the fragmentation happening before the packets reach the flow module? If so, where is it happening? On the physical interface? Which tool should be used for this: traceoptions, or a firewall filter?
..
....
Jun 12 14:10:11 14:10:11.054473:CID-0:RTre-frag not needed: ipsize: 783, mtu: 9188, nsp2->pmtu: 9188
Jun 12 14:10:11 14:10:11.085986:CID-0:RTre-frag not needed: ipsize: 844, mtu: 1422, nsp2->pmtu: 1422
....
........
set security flow traceoptions file Fregmentation_Check files 3 size 5m world-readable
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter packet-filter1 source-prefix 10.108.103.246
set security flow traceoptions packet-filter packet-filter2 destination-prefix 10.108.103.246
Note: all traffic is routed to the IP address 10.108.103.246 on the SRX before it goes into the IPsec tunnel.
Thx.
Ar
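As an added example (not code from the poster or from Juniper), here is a small Python script that turns the two pieces of evidence quoted in the post into something checkable: it parses the flow traceoptions "re-frag" lines and flags any packet whose ipsize exceeds the tunnel path MTU (nsp2->pmtu), and it parses two snapshots of "show security flow statistics" to compute how fast the "Fragment packets" counter is growing relative to "Packets forwarded". The two real trace lines and the first statistics snapshot are copied from the post; the third trace line (with a hypothetical "re-frag needed" message text) and the second snapshot are constructed so the script has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. Lines 1-2 are the trace lines from the post; line 3 is
# constructed (the "re-frag needed" wording is an assumption, not a captured message)
# to show a packet larger than the tunnel path MTU.
SAMPLE_TRACE = """\
Jun 12 14:10:11 14:10:11.054473:CID-0:RTre-frag not needed: ipsize: 783, mtu: 9188, nsp2->pmtu: 9188
Jun 12 14:10:11 14:10:11.085986:CID-0:RTre-frag not needed: ipsize: 844, mtu: 1422, nsp2->pmtu: 1422
Jun 12 14:10:12 14:10:12.000001:CID-0:RTre-frag needed: ipsize: 1500, mtu: 1422, nsp2->pmtu: 1422
"""

# Snapshot from the post, and a constructed second snapshot taken (hypothetically) 60 s later.
SNAPSHOT_BEFORE = """\
Current sessions: 225
Packets forwarded: 14444351807
Packets dropped: 162144762
Fragment packets: 864461746
"""
SNAPSHOT_AFTER = """\
Current sessions: 230
Packets forwarded: 14444451807
Packets dropped: 162145762
Fragment packets: 864471746
"""

TRACE_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) .*?re-frag.*?"
    r"ipsize: (?P<ipsize>\d+), mtu: (?P<mtu>\d+), nsp2->pmtu: (?P<pmtu>\d+)"
)
STAT_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<value>\d+)\s*$")


@dataclass
class TraceEntry:
    timestamp: str
    ipsize: int
    mtu: int
    pmtu: int

    @property
    def exceeds_pmtu(self) -> bool:
        # A packet larger than the tunnel path MTU has to be fragmented (or dropped
        # if DF is set) before it can be encapsulated, so this is the sign to look for.
        return self.ipsize > self.pmtu


def parse_trace(text: str) -> List[TraceEntry]:
    """Extract ipsize / mtu / pmtu from flow traceoptions re-frag lines."""
    entries: List[TraceEntry] = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            entries.append(TraceEntry(m["ts"], int(m["ipsize"]), int(m["mtu"]), int(m["pmtu"])))
    return entries


def fragmentation_candidates(entries: List[TraceEntry]) -> List[TraceEntry]:
    """Trace lines where the packet would not fit the tunnel path MTU."""
    return [e for e in entries if e.exceeds_pmtu]


def parse_flow_stats(text: str) -> Dict[str, int]:
    """Turn 'show security flow statistics' output into a name -> counter dict."""
    return {m["name"]: int(m["value"]) for m in map(STAT_RE.match, text.splitlines()) if m}


def fragment_rate(before: Dict[str, int], after: Dict[str, int], interval_seconds: float) -> Dict[str, float]:
    """Growth of the Fragment packets counter between two snapshots."""
    d_frag = after["Fragment packets"] - before["Fragment packets"]
    d_fwd = after["Packets forwarded"] - before["Packets forwarded"]
    return {
        "fragments": d_frag,
        "fragments_per_second": d_frag / interval_seconds,
        "fraction_of_forwarded": (d_frag / d_fwd) if d_fwd else 0.0,
    }


if __name__ == "__main__":
    for e in fragmentation_candidates(parse_trace(SAMPLE_TRACE)):
        print(f"{e.timestamp}: ipsize {e.ipsize} > pmtu {e.pmtu} (mtu {e.mtu})")
    rate = fragment_rate(parse_flow_stats(SNAPSHOT_BEFORE), parse_flow_stats(SNAPSHOT_AFTER), 60)
    print(f"fragments/s: {rate['fragments_per_second']:.1f}, "
          f"share of forwarded: {rate['fraction_of_forwarded']:.1%}")
```

Run it against a real traceoptions file and two statistics snapshots taken a known interval apart; if no trace line ever shows ipsize above nsp2->pmtu while the Fragment packets counter keeps climbing, the fragments are most likely arriving already fragmented from upstream rather than being produced by the flow module, which is the question the post raises.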