Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Intermittent drop seen in traffic using Advanced Services features after installing a new license

0

0

Article ID: KB34587 KB Last Updated: 31 Dec 2019Version: 1.0
Summary:

​Advanced Services features like UTM, IDP, AppSecure etc. require licenses to operate. As the licenses unlock these features, they also reserve data plane memory for these features.

On branch SRX devices (SRX300, SRX320, SRX340, SRX345, SRX550M) and SRX1400,  a reboot is required after the license installation:

> request system reboot

On high-end devices (SRX3400, SRX3600, SRX4600, SRX5600 and SRX5800 ), a manual configuration adjustment is required before rebooting:

> edit
# set security forwarding-process application-services enable-utm-memory
# commit and-quit

> request system reboot

SRX1500, SRX4100 and SRX4200 devices have enough memory for UTM. These devices do not require any command for memory allocation.

For details, refer to ​Licenses Required for UTM Features.


This article shows how to verify the data-plane memory profile has been reserved to cater the requirement of Advanced Security features especially UTM.

 

Symptoms:

If the data plane memory is not reserved for the Advanced Services, users will experience intermittent drops and latency during peak traffic hours.

 

Cause:

In absence of reserved data-plane memory, the device might run out of the jbuf memory buffers. This leads to intermittent drops and latency for the traffic that needs memory for Advanced service processing.

 

Solution:

1. Check the data plane memory profile on the branch devices with the command:

root> request pfe execute command "show octeon memory" target fwdd
 

2. Review the output to determine if the Advanced Services Memory profile is enabled. Refer to the two examples:
 

Example 1 (Not enabled on SRX320 device):

  • When the Advanced Services Memory Profile is NOT enabled, you will notice "NO-ADV-SVCS" in the profile. Also the total jbuf available will be around 7000 (6930 + 70).
root> request pfe execute command "show octeon memory" target fwdd
================ master ================
SENT: Ukern command: show octeon memory

Memory Distribution [Profile SRX3XX-4G-NO-ADV-SVCS, Memory 0x100000000]
SEG                      V-BASE              P-BASE             SIZE  VISIBLITY
----                   --------            --------           ------   --------
IDP-Detector         0x40000000  0x00000000a0000000         16777216 Shared
Packet-Buffer        0x41000000  0x00000000a1000000         65405952 Shared
JDPI_DECODER         0x44e60400  0x00000000a4e60400         16777216 Shared
Host-Mbuf            0x45e60400  0x00000000a5e60400         52562432 Shared
Services             0x49080e00  0x00000000a9080e00        130023424 Shared
Services Control     0x49080e00  0x00000000a9080e00          2097152 Shared
PME-Buffer-SYS       0x50c80e00  0x00000000b0c80e00                0 Shared
3G USB Driver        0x50c80e00  0x00000000b0c80e00                0 Shared
HWA FPGA             0x50c80e00  0x00000000b0c80e00                0 Shared
Private-Heap         0x02000000  0x00000000e2000000        369098752 Pvt
Kernel-Heap          0x50c80e00  0x00000000b0c80e00        758641152 Shared

root> request pfe execute command "show usp jsf jbuf_pool stats" target fwdd |match "total|pool id"
pool id :1
        total jbuf                           6930
pool id :2
        total jbuf                             70

 

Example 2 (Enabled on SRX320 device):

  • When the devices have been rebooted after the installation of licenses, the output will display "​ADV-SVCS" . Also the total jbuf available will be around 80000 (79200 + 800)​.
root> request pfe execute command "show octeon memory" target fwdd    
================ master ================
SENT: Ukern command: show octeon memory
Memory Distribution [Profile SRX3XX-4G-ADV-SVCS, Memory 0x100000000]
SEG                      V-BASE              P-BASE             SIZE  VISIBLITY
----                   --------            --------           ------   --------
IDP-Detector         0x60000000  0x0000000098000000         16777216 Shared    
Packet-Buffer        0x5c000000  0x0000000094000000         65405952 Shared    
JDPI_DECODER         0x7e800000  0x00000000b6800000         25165824 Shared    
Host-Mbuf            0x61000000  0x0000000099000000        191962112 Shared    
Services             0x6c711c00  0x00000000a4711c00        181403648 Shared    
Services Control     0x6c711c00  0x00000000a4711c00          4194304 Shared    
PME-Buffer-SYS       0x40000000  0x00000000f8000000                0 Pvt       
3G USB Driver        0x40000000  0x00000000f8000000                0 Pvt       
HWA FPGA             0x77411c00  0x00000000af411c00                0 Shared    
Global-Heap          0x77411c00  0x00000000af411c00        121562112 Shared    
Kernel-Heap          0x02000000  0x00000000ba000000       1040187392 Pvt 

root> request pfe execute command "show usp jsf jbuf_pool stats" target fwdd |match "total|pool id"
pool id :1
        total jbuf                           79200
pool id :2
        total jbuf                             800
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search