Troubleshooting Latency Issues
By
ANAND SINGH
• Transmission Delay
• Misconfiguration
>how the speed test is performed, proper tests like FTP/HTTP transfer and
tools like iperf should be used to test the bandwidth.
*Note: Connection speeds are generally quoted in bits/second, while
transfer rates are measured in Bytes/second. For example, 100 Mbps
should IDEALLY give a 12.5 MBps transfer rate.
ICMP: It's a low-level protocol, and different devices may process it at low
priority. For example, the following KB describes low ICMP response times for
Juniper devices:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28157&actp=search
• Which protocol shows high latency: ICMP, UDP or TCP? Latency with TCP is
common; if UDP and ICMP are also affected, the network is completely
degraded
• Interface errors
>show interface extensive | match error
• Traffic statistics
>show system statistics ip | match drop
*Take these outputs multiple times to check whether the counters are incrementing abnormally fast.
• The layered performance analysis documents can be consulted to understand throughput limitations when these features are used:
For Branch:
https://junipernetworks.sharepoint.com/sites/nok/technology/security/DiscussionsListDocLibrary/bb6d99d7-ac46-27b2-2cad-baed8e18e700/co1pr05mb39610531d247cd319e6d81ebe4a0@co1pr05mb396.namprd05.prod.outlook.com/Branch_SRX_Series_Layered_Performance_Analysis.pdf#search=layered%20performance%20analysis%20srx
For HE:
https://scale.juniper.net/rbusnp/landing.php
NexGen:
https://junipernetworks.sharepoint.com/sites/nok/technology/security/DiscussionsListDocLibrary/0101d25c-77cc-f16f-0883-5e504f42ab6d/21C966E1-ABF8-4336-BF76-02B7B03A2E51@juniper.net/X49-D60-D65-Branch-Mid-Range-SRX_Performance.pdf
>It's a standard requirement for optimum Layer 2 encapsulation and data transfer
>If a device sends a packet with a higher MTU than the receiving interface of a device has, the packet will be dropped
>If a device needs to send a packet out an interface with a lower MTU than the packet size, it will be dropped
>Fragments are created on the sender (with lower MTU), but can only be reassembled on the receiver; no intermediate device can reassemble these packets
Flags:
DF bit: Don't Fragment. If set, no intermediate device will fragment the packet.
MF bit: More Fragments. If set, it signifies that the packet is part of a fragmented packet and more fragments follow it. If unset, it signifies the last fragment.
Identifier: 2B identification value for a packet; it remains the same for all fragments.
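The fields above can be read straight out of captured IP headers to see why packet drops hurt more when fragmentation is heavy: a datagram can be reassembled only if every fragment carrying its Identifier arrives. The following Python sketch is an added example, not part of the original slides; the function names, addresses and sample headers are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_frag_fields(hdr: bytes) -> dict:
    """Pull the fragmentation fields out of a raw IPv4 header."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_len, ident, flags_off = struct.unpack("!HHH", hdr[2:8])
    return {
        "id": ident,                         # same in every fragment
        "df": bool(flags_off & 0x4000),      # Don't Fragment
        "mf": bool(flags_off & 0x2000),      # More Fragments
        "offset": (flags_off & 0x1FFF) * 8,  # field is in 8-byte units
        "payload_len": total_len - (hdr[0] & 0x0F) * 4,
    }

def incomplete_datagrams(headers) -> list:
    """Return Identifiers of fragmented datagrams that cannot be reassembled."""
    groups = defaultdict(dict)
    for hdr in headers:
        f = parse_frag_fields(hdr)
        if f["mf"] or f["offset"]:           # skip unfragmented packets
            # Receivers key on src, dst, protocol and Identifier together.
            key = (hdr[12:20], hdr[9], f["id"])
            groups[key][f["offset"]] = f     # duplicates collapse by offset
    broken = []
    for (_, _, ident), frags in groups.items():
        offs = sorted(frags)
        ends = [o + frags[o]["payload_len"] for o in offs]
        contiguous = offs == [0] + ends[:-1]  # no hole from offset 0 onward
        if not (contiguous and not frags[offs[-1]]["mf"]):
            broken.append(ident)             # one lost fragment voids it all
    return sorted(broken)

def make_header(ident, offset, mf, payload_len, df=False) -> bytes:
    """Build a constructed sample header (checksum left as 0, not checked)."""
    flags_off = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

SAMPLE = [  # constructed capture: 4000-byte payloads cut into 1376/1376/1248
    make_header(0x1A2B, 0, True, 1376), make_header(0x1A2B, 1376, True, 1376),
    make_header(0x1A2B, 2752, False, 1248),        # all three arrived
    make_header(0x1A2C, 0, True, 1376),
    make_header(0x1A2C, 2752, False, 1248),        # middle fragment lost
    make_header(0x1A2D, 0, True, 1376),
    make_header(0x1A2D, 1376, True, 1376),         # last fragment lost
    make_header(0x1A2E, 0, False, 1360, df=True),  # unfragmented, DF set
]
```

Running `incomplete_datagrams(SAMPLE)` flags the two datagrams that each lost a single fragment; the receiver discards their remaining fragments, so the sender has to retransmit the whole datagram.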
• If there are a lot of retransmissions in the captures, it means that there is a packet-drop issue in the network
• On the SRX, flow traceoptions can tell us whether the packet is dropped on the SRX; otherwise we can only modify certain settings to minimize its effects
• What would happen if there are packet drops in the network and a lot of fragmentation is occurring?
• Fine-tuning the tcp-options on the SRX can help us reduce these effects:
Run multiple pings from a PC on the internal network to a remote PC (over VPN) or a website on the internet. On the command prompt,
set the Df-bit of the ICMP packets and try different sizes to find the maximum packet size that can be sent without being
fragmented (once the echo request returns a reply saying that fragmentation is required).
E.g.:
ping -f -l 1400 <destination>
-f > to set the Df-bit
-l > to specify the packet length
The size specified above is the MTU, as it specifies the packet length. Based on this, we can derive the MSS. For example, in the above case:
MSS = 1400 - (TCP(20) + IP(20)) = 1360
• This is the optimum MSS value that would avoid fragmentation of the packet
Also, as IPsec packets are encapsulated, we can set, copy or clear the df-bit in the outer header. Clearing the df-bit is
the right option to allow fragmentation to take place, because if a device has a lower MTU and we don't allow
fragmentation, the packet will be dropped.
1. Interface configuration:
• The configuration on the SRX should match the connected interfaces on the next-hop device: full-duplex, auto-negotiation, correct speed and MTU settings
2. Class of Service
• Check the configuration to see whether this traffic is marked and placed in a queue that limits bandwidth
• Interface queue statistics can then be checked for drops
>show interfaces queue