Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] High CPU flow with SMB traffic

0

0

Article ID: KB25968 KB Last Updated: 03 Oct 2012Version: 1.0
Summary:
This article describes the issue of CPU flow being high with SMB traffic.
Symptoms:
It was reported (and also seen in the lab) that during single SMB file transfer, the CPU flow being as high as 90%. The Client PC is using the Odyssey Access Client (Infranet enforcer) to access the SMB file share server.  In the output of fprofile, the majority of the traffic is for the file transfer.

Lab setup:
Client (1.1.1.2)------------1.1.1.1-FW(SSG)-172.16.1.1------------192.168.1.2 server
To initiate traffic to the SMB server, the client uses the 172.16.1.1 virtual adapter IP address as the source IP address:

  • 192.168.1.2 is the server.

  • 172.16.1.1 is the client.

The OAC creates a IPsec tunnel to the SSG firewall and then it is clear-text traffic between the SSG firewall and SMB server. The concern here is that just one file causes the CPU usage to be more than 90%.

The following output is for a file download from the server to the client:
Id   Type   Protocol   Source        Destination      Sport   Dport   Time    Percentage
1    ip     0x06       192.168.1.2   172.16.1.1       445     53787   5993586 74.21%
2    ip     0x11       1.1.1.2       1.1.1.1          64566   4500    2653431 21.26%
JLAB-> get per cpu all detail
Average System Utilization: 2% (flow 8 task 1)
Last 60 seconds:
59: 87(96 1)*** 58: 87(97 0)*** 57: 86(95 1)*** 56: 87(97 0)***
55: 87(96 1)*** 54: 86(94 2)*** 53: 87(97 0)*** 52: 86(95 1)***
The same setup, when used with the IPsec client instead of OAC, causes CPU usage in the range of 40-50%.
Cause:
The OAC has a higher transmission rate, when compared to an IPsec client; so it will send higher number of packets to the firewall. In the vector output of fprofile from the lab, with OAC, the firewall handles about 9600 packets per second; whereas for the IPsec client, it is about 3481 packets per second.
Solution:
This performance difference is expected.

Note: This behavior is not observed in ASIC based devices, as the session is handled by hardware.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search