
[ScreenOS] Pass-through traffic processing in NS5000 and ISG Series


Article ID: KB14990 | KB Last Updated: 04 Mar 2015 | Version: 5.0
Summary:

This article explains how the NS5000 and ISG Series process transit traffic, whether by CPU or accelerated by ASIC, based on the different IP protocols.

Symptoms:

The most common IP protocols are accelerated by the ASIC chip in the NS5000 and ISG series; however, there are certain conditions in which transit traffic is not accelerated by the ASIC and is processed only by the CPU. As a consequence, high CPU utilization can be observed if the traffic load is high.

Cause:

Solution:

The table below lists the different types of protocols and how they are processed in NS5000 and ISG series for the different ScreenOS versions. The information is true for non-ALG traffic in NS5000 and ISG platforms unless explicitly specified. ALG traffic will be processed by CPU.

| Protocol Number | Protocol Name | ScreenOS 6.2 & later | ScreenOS 6.1 | ScreenOS 6.0 | ScreenOS 5.4 | ScreenOS 5.3 | ScreenOS 5.2 | ScreenOS 5.1 | ScreenOS 5.0 |
|---|---|---|---|---|---|---|---|---|---|
| 1 | ICMP | CPU | CPU | CPU | CPU | CPU | CPU | CPU | CPU |
| 4 | IPIP [**] | ASIC | ASIC | ASIC | ASIC | CPU | CPU | CPU | CPU |
| 6 | TCP | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC |
| 17 | UDP | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC | ASIC |
| 41 | IPv6 | PPU | PPU | PPU | PPU [1] | PPU [1] | CPU | CPU | CPU |
| 47 | GRE [2] | ASIC | ASIC | ASIC | ASIC [3] | ASIC [3] | ASIC | ASIC | ASIC |
| 50 | ESP [4] | ASIC | ASIC | ASIC | ASIC [3] | ASIC [3] | ASIC [3] | ASIC [3] | ASIC [3] |
| 51 | AH | PPU | PPU | PPU | PPU [3] | PPU [1] | PPU [1] | PPU [1] | PPU [3] |
| 115 | L2TPv3 [5] | CPU | CPU | CPU | CPU | CPU | CPU | CPU | CPU |
| 132 | SCTP | CPU | CPU | CPU | CPU | CPU | CPU | CPU | CPU |

Legend:

PPU - Packet Processing Unit, a programmable entity in the ASIC chip; i.e., traffic processed by the PPU is also processed in the ASIC chip.
[1] - Only supported in the ISG series; on NS5000 it is processed by CPU.
[2] - If NAT is applied to GRE pass-through traffic, it is processed by CPU.
[3] - Processed by CPU if using 8G or 2GE24FE SPM modules in the NS5000 series.
[4] - ESP-NULL traffic is processed by the PPU.
[5] - L2TP version 2 uses UDP encapsulation; refer to the UDP row.
[**] - On NS5000 M1 + 8G/24FE and NS5000 M2 + 8G/24FE, IPIP traffic is handled in CPU only; this also applies to ScreenOS 5.4.

Any IP protocol lower than 137 and not listed in the table above is processed by CPU.
Any IP protocol higher than 137 is dropped by the firewall and logged as "unknown protocol".
NATed "IP in IP (protocol number 4)" traffic is processed by CPU.
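As an added example (not part of this KB article and not a Juniper tool), the following Python encodes the ScreenOS 6.2-and-later column of the table together with the conditional rules from the legend, then totals a set of constructed flow records per processing path. This is the kind of estimate a practitioner wants when checking whether a high-CPU condition is explained by non-accelerated pass-through traffic. The flow tuple layout, the keyword names and the sample flows are assumptions made for the example.

```python
from collections import Counter

# ScreenOS 6.2+ column of the KB table (NS5000/ISG, non-ALG pass-through).
# Protocols below 137 that are not listed fall back to CPU.
PATH_62 = {1: "CPU", 4: "ASIC", 6: "ASIC", 17: "ASIC", 41: "PPU",
           47: "ASIC", 50: "ASIC", 51: "PPU", 115: "CPU", 132: "CPU"}

def processing_path(proto, nat=False, alg=False, esp_null=False,
                    ns5000_8g_or_24fe_spm=False):
    """Return 'ASIC', 'PPU', 'CPU' or 'DROP' for one flow on ScreenOS 6.2+."""
    if proto > 137:
        return "DROP"          # dropped and logged as "unknown protocol"
    if alg:
        return "CPU"           # ALG traffic is always CPU-processed
    if proto == 47 and nat:
        return "CPU"           # legend [2]: NATed GRE pass-through
    if proto == 4 and (nat or ns5000_8g_or_24fe_spm):
        return "CPU"           # NATed IPIP; legend [**]: NS5000 M1/M2 + 8G/24FE
    if proto == 50 and esp_null:
        return "PPU"           # legend [4]: ESP-NULL goes to the PPU
    return PATH_62.get(proto, "CPU")

def bytes_per_path(flows, **platform):
    """Sum bytes per path. flows: (proto, bytes, nat, alg) tuples (assumed layout)."""
    totals = Counter()
    for proto, nbytes, nat, alg in flows:
        totals[processing_path(proto, nat=nat, alg=alg, **platform)] += nbytes
    return dict(totals)

# Constructed sample flows (proto, bytes, nat, alg); not real session data.
SAMPLE_FLOWS = [
    (6, 900_000, True, False),     # TCP with NAT: still ASIC
    (17, 400_000, False, True),    # UDP handled by an ALG: CPU
    (47, 300_000, True, False),    # NATed GRE: CPU
    (47, 200_000, False, False),   # plain GRE: ASIC
    (1, 50_000, False, False),     # ICMP: CPU
    (132, 250_000, False, False),  # SCTP: CPU
    (140, 10_000, False, False),   # protocol > 137: dropped
]

if __name__ == "__main__":
    # Prints ASIC 1100000, CPU 1000000, DROP 10000 for the sample flows.
    for path, total in sorted(bytes_per_path(SAMPLE_FLOWS).items()):
        print(f"{path:5} {total:>9} bytes")
```

Roughly half of the constructed sample traffic lands on the CPU, which is the situation the Symptoms section describes.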

For more information about high CPU, please refer to KB9453 - Troubleshooting High CPU on a firewall device.
