Some useful commands for determining traffic flow issues on a Juniper SRX (most commands probably apply to other JunOS devices but YMMV):
Firstly a look at some general system information. I've highlighted some useful fields:
SRX> show chassis routing-engine
Routing Engine status:
Temperature 36 degrees C / 96 degrees F
CPU temperature 36 degrees C / 96 degrees F
Total memory 2048 MB Max 1167 MB used ( 57 percent)
Control plane memory 1104 MB Max 475 MB used ( 43 percent)
Data plane memory 944 MB Max 689 MB used ( 73 percent)
CPU utilization:
User 5 percent
Background 0 percent
Kernel 2 percent
Interrupt 0 percent
Idle 93 percent
Model RE-SRXSME-SRE6
Serial ID NOTFORYOU
Start time 2013-02-21 14:27:54 UTC
Uptime 18 days, 4 minutes, 21 seconds
Last reboot reason 0x200:normal shutdown
Load averages: 1 minute 5 minute 15 minute
0.22 0.10 0.08
One thing I usually look at is the interface statistics screen. Your PPS (Packets Per Second) can give you an indication of how busy an interface is:
SRX> monitor interface traffic
Here are some useful global traffic stats. This firewall is often under maximum throughput load hence a large number of dropped packets!
SRX> show security flow statistics
Current sessions: 937
Packets forwarded: 1988275
Packets dropped: 19483010
Fragment packets: 29
This command allows you to see a breakdown of your session usage (and the maximum number of supported sessions)
SRX> show security flow session summary
Unicast-sessions: 950
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 1017
Valid sessions: 948
Pending sessions: 0
Invalidated sessions: 69
Sessions in other states: 0
Maximum-sessions: 524288
The next command allows you to see your active session numbers over the last 60 seconds, e.g. 0 seconds ago there were 580 active sessions. You can use this to look for any spikes in usage.
SRX> show security monitoring performance session
fpc 0 pic 0
Last 60 seconds:
0: 580 1: 617 2: 580 3: 555 4: 529 5: 606
6: 602 7: 661 8: 626 9: 610 10: 570 11: 625
12: 594 13: 613 14: 576 15: 601 16: 581 17: 626
18: 588 19: 626 20: 582 21: 625 22: 596 23: 603
24: 568 25: 633 26: 608 27: 703 28: 642 29: 633
30: 592 31: 617 32: 597 33: 623 34: 593 35: 645
36: 608 37: 677 38: 640 39: 630 40: 587 41: 608
42: 597 43: 612 44: 598 45: 621 46: 586 47: 634
48: 616 49: 633 50: 602 51: 653 52: 622 53: 638
54: 607 55: 619 56: 601 57: 653 58: 615 59: 623
You can also do the same for firewall SPU utilisation (Service Processing Units - These processors perform the majority of the packet processing on the firewall). e.g. 43 seconds ago the SPU was at 86% utilisation
SRX> show security monitoring performance spu
fpc 0 pic 0
Last 60 seconds:
0: 68 1: 69 2: 70 3: 67 4: 66 5: 67
6: 69 7: 68 8: 64 9: 70 10: 66 11: 68
12: 70 13: 69 14: 71 15: 65 16: 76 17: 79
18: 70 19: 73 20: 70 21: 75 22: 74 23: 75
24: 72 25: 68 26: 77 27: 70 28: 80 29: 80
30: 87 31: 85 32: 86 33: 85 34: 83 35: 85
36: 87 37: 85 38: 81 39: 76 40: 79 41: 82
42: 82 43: 86 44: 85 45: 84 46: 82 47: 79
48: 70 49: 70 50: 69 51: 71 52: 68 53: 68
54: 69 55: 68 56: 71 57: 68 58: 68 59: 70
This command shows some utilisation stats for the Forwarding process on the firewall (FWDD)
SRX> show chassis forwarding
FWDD status:
State Online
Microkernel CPU utilization 7 percent
Real-time threads CPU utilization 34 percent
Heap utilization 73 percent
Buffer utilization 88 percent
Uptime: 14 days, 20 hours, 28 minutes, 50 seconds
ALGs (Application Layer Gateways) can have a significant performance impact as well as possibly introducing unexpected behaviour with the particular protocol they are examining. Check whether they are enabled using the command below. More information on ALGs here:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/alg-security-overview.html
SRX> show security alg status
ALG Status :
DNS : Enabled
FTP : Disabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Disabled
IKE-ESP : Enabled
Sometimes you need a packet capture to really be able to see what's going on.
Most of the time you'll want to capture the traffic in a file:
SRX# set security flow traceoptions file file-name
Set a maximum file size according to your needs with this command:
SRX# set security flow traceoptions file size ?
Possible completions:
<size> Maximum trace file size (10240..1073741824)
You can chose what types of packet you want to capture with this command, "basic-datapath" is recommended for most flow captures.
SRX# set security flow traceoptions flag [all/basic-datapath/packet-drops]
Use a filter to reduce the amount of traffic captured:
SRX# set security flow traceoptions packet-filter f1 source-prefix 172.16.0.0/12
Once you have issued a 'commit' the traffic capture will begin and your output file can be found in /var/log ( you can use the command "show log filename" to view it) with output similar to that below:
Feb 26 11:47:02 11:46:58.483266:CID-0:RT:<10.140.150.160/24387->10.2.2.221/49535;6> matched filter matchfilter:
Feb 26 11:47:02 11:46:58.483290:CID-0:RT:packet [40] ipid = 42687, @41038f9c
Feb 26 11:47:02 11:46:58.483307:CID-0:RT:---- flow_process_pkt: (thd 9): flow_ctxt type 15, common flag 0x0, mbuf 0x41038d80, rtbl_idx = 0
If you would like to view traffic in real-time on the console you can use the monitor command as below, however this will only show you traffic destined for or originating from the firewall itself, i.e. you cannot use that command to see traffic passing though the firewall.
SRX> monitor traffic interface ge-/2/0/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-2/0/0, capture size 96 bytes
10:36:05.383718 Out LACPv1, length 60
10:36:05.583595 In LACPv1, length 60
10:36:06.386069 Out LACPv1, length 60