Dear All
I have a pair of SRX240H's in an Active/Active cluster. We are working on a project where there will be about 350 vitual servers accessing resources across the global but using these SRX's as there internet gateway, at present we only have 110 servers switched on. We started with about 40 servers accessing the Internet and no problems were reported, over the last week we have increased the number of servers from 40 to 110, as soon as we had 110 servers running the throughput of the firewall's completely fell away. For example with all but 1 server switched off transfering a 900MB file from one zone to another using windows file copy we get around 25MBytes a second, turn all the servers back on and this drops down to 3-5MBytes a second if we are lucky.
I have looked at the all the interfaces and they are all showing Full-Duplex 1000MB. Look at the stats for the interfaces and I see a large number of input error's but a detail look at the interfaces shows this is due to "Policed discard". When the servers are switched off there is about 24000 sessions, turn the servers on and this jumps upto 27000. If I check the stats on the PFE it shows about 75000 pps.
The tcp-mss is set to 1450 and all interfaces execpt FAB0 and FAB1 are set to 1514 MTU.
I have seen some post from others forum's suggest setting "set security flow tcp-session no-sequence-check" but I have not been in a position to test this change.
Also would be the recommended tcp-mss size as juniper report this can also be an issue if set to large.
If anyone has seen this before or has any idea's your help would be grate.
Richard