NetScreen

Re: [nn] Netscreen 25 Internal Network Connection Slow

To: Gaile Loomis <gloomis@tiltonschool.org>
Subject: Re: [nn] Netscreen 25 Internal Network Connection Slow
From: dh <rugby@secureyournet.ca>
Date: Mon, 04 Dec 2006 08:07:15 -0500
Cc: nn@qorbit.net
Depending on the version of ScreenOS you are running on the box, you may
be limited to 8000 concurrent sessions.  Maxing out the sessions would
create the symptoms you describe.  I'd suggest loading a current version
of ScreenOS, 5.3 or 5.4, which allow up to 32,000 concurrent sessions.
Juniper support still recommends 5.3r5 as the most stable, but I have
had no issues with 5.4r2.

It is also possible that you're hitting throughput limitations on the
device; the NetScreen 25 is limited to 100 Mbps of firewall throughput.
That is for all flows, across all interfaces.

That said, you may also have a port speed/duplex mismatch between the
switch and the firewall. Try hard coding the port settings to 100/full
on your switch and do the same on the NS.  You do this on the
command-line with the following command, where "X" is the interface number:

    set int ethernetX phy full 100mb

If you're still having problems, contact Juniper TAC, they're a whole 
lot better than NetScreen TAC was before the acquisition...


/dh

Gaile Loomis wrote:
> Greetings-
> students in their dorms are on a separate student vlan.  They connect
> to their email via a link off from our external website.  This is the
> same link we use to connect to GroupWise web access from an external
> IP-which is working fine and very fast (ie when we are traveling or at
> home.)  So in a nutshell, their request goes out the Netscreen,  to the
> internet, comes back in from a link to webaccess.
>
> 172.21.x.x student IP on student vlan (L3 routing on HP5308)
> 192.x.x.x netscreen
> 207.x.x.x external IP (T1)
> 206.x.x.x link for webaccess (IP from same T1 provider)
> 192.x.x.x netscreen
> 206.x.x.x GWIA (GroupWise Internet Agent)
>
> This is so slow most of the students time out before they are given a
> chance to authenticate.  Depending on the time of day, it has
> traditionally been a bit slow to log in (20 seconds or so) but since the
> netscreen install it is unacceptable.  The internet connection in
> general is much slower for them as well.  Any advice would be greatly
> appreciated-I have updated all of my dns entries on my servers.  
> Thanks!
> Gaile

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
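
The session-limit theory in the reply above can be checked from a saved capture of the firewall's `get session info` output. The following is an added example, not part of the original post: the output layout, the `ns25->` prompt, the sample numbers and the 80% warning threshold are all assumptions.

```python
import re

# Constructed sample of `get session info` output saved from the firewall CLI.
# The line layout is an assumption about ScreenOS output; adjust the regex if
# your release prints it differently. Numbers are constructed for illustration.
SAMPLE = """\
ns25-> get session info
alloc 7981/max 8000, alloc failed 1532, mcast alloc 0, di alloc failed 0
"""

SESSION_RE = re.compile(
    r"alloc\s+(?P<alloc>\d+)/max\s+(?P<max>\d+),\s*alloc failed\s+(?P<failed>\d+)"
)


def parse_session_info(text):
    """Return (allocated, maximum, alloc_failed) or raise ValueError."""
    m = SESSION_RE.search(text)
    if m is None:
        raise ValueError("no 'alloc N/max M' line found in CLI output")
    return int(m["alloc"]), int(m["max"]), int(m["failed"])


def assess(text, warn_ratio=0.8):
    """Classify session-table pressure from one CLI capture."""
    alloc, maximum, failed = parse_session_info(text)
    if maximum == 0:
        raise ValueError("reported session maximum is zero")
    ratio = alloc / maximum
    if failed > 0:
        status = "exhausted"    # new flows have already been refused
    elif ratio >= warn_ratio:
        status = "near-limit"   # close enough to the cap to explain timeouts
    else:
        status = "ok"           # look at throughput or duplex instead
    return {"alloc": alloc, "max": maximum, "failed": failed,
            "utilization": round(ratio, 3), "status": status}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

A result of "ok" points away from the session table and toward the throughput or duplex explanations given in the same reply.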
