Advanced Services features like UTM, IDP, AppSecure etc. require licenses to operate. As the licenses unlock these features, they also reserve data plane memory for these features.
On branch SRX devices (SRX300, SRX320, SRX340, SRX345, SRX550M) and SRX1400, a reboot is required after the license installation:
> request system reboot
On high-end devices (SRX3400, SRX3600, SRX4600, SRX5600 and SRX5800 ), a manual configuration adjustment is required before rebooting:
> edit
# set security forwarding-process application-services enable-utm-memory
# commit and-quit
> request system reboot
SRX1500, SRX4100 and SRX4200 devices have enough memory for UTM. These devices do not require any command for memory allocation.
For details, refer to Licenses Required for UTM Features.
This article shows how to verify the data-plane memory profile has been reserved to cater the requirement of Advanced Security features especially UTM.
If the data plane memory is not reserved for the Advanced Services, users will experience intermittent drops and latency during peak traffic hours.
In absence of reserved data-plane memory, the device might run out of the jbuf memory buffers. This leads to intermittent drops and latency for the traffic that needs memory for Advanced service processing.
1. Check the data plane memory profile on the branch devices with the command:
root> request pfe execute command "show octeon memory" target fwdd
2. Review the output to determine if the Advanced Services Memory profile is enabled. Refer to the two examples:
Example 1 (Not enabled on SRX320 device):
- When the Advanced Services Memory Profile is NOT enabled, you will notice "NO-ADV-SVCS" in the profile. Also the total jbuf available will be around 7000 (6930 + 70).
root> request pfe execute command "show octeon memory" target fwdd
================ master ================
SENT: Ukern command: show octeon memory
Memory Distribution [Profile SRX3XX-4G-NO-ADV-SVCS, Memory 0x100000000]
SEG V-BASE P-BASE SIZE VISIBLITY
---- -------- -------- ------ --------
IDP-Detector 0x40000000 0x00000000a0000000 16777216 Shared
Packet-Buffer 0x41000000 0x00000000a1000000 65405952 Shared
JDPI_DECODER 0x44e60400 0x00000000a4e60400 16777216 Shared
Host-Mbuf 0x45e60400 0x00000000a5e60400 52562432 Shared
Services 0x49080e00 0x00000000a9080e00 130023424 Shared
Services Control 0x49080e00 0x00000000a9080e00 2097152 Shared
PME-Buffer-SYS 0x50c80e00 0x00000000b0c80e00 0 Shared
3G USB Driver 0x50c80e00 0x00000000b0c80e00 0 Shared
HWA FPGA 0x50c80e00 0x00000000b0c80e00 0 Shared
Private-Heap 0x02000000 0x00000000e2000000 369098752 Pvt
Kernel-Heap 0x50c80e00 0x00000000b0c80e00 758641152 Shared
root> request pfe execute command "show usp jsf jbuf_pool stats" target fwdd |match "total|pool id"
pool id :1
total jbuf 6930
pool id :2
total jbuf 70
Example 2 (Enabled on SRX320 device):
- When the devices have been rebooted after the installation of licenses, the output will display "ADV-SVCS" . Also the total jbuf available will be around 80000 (79200 + 800).
root> request pfe execute command "show octeon memory" target fwdd
================ master ================
SENT: Ukern command: show octeon memory
Memory Distribution [Profile SRX3XX-4G-ADV-SVCS, Memory 0x100000000]
SEG V-BASE P-BASE SIZE VISIBLITY
---- -------- -------- ------ --------
IDP-Detector 0x60000000 0x0000000098000000 16777216 Shared
Packet-Buffer 0x5c000000 0x0000000094000000 65405952 Shared
JDPI_DECODER 0x7e800000 0x00000000b6800000 25165824 Shared
Host-Mbuf 0x61000000 0x0000000099000000 191962112 Shared
Services 0x6c711c00 0x00000000a4711c00 181403648 Shared
Services Control 0x6c711c00 0x00000000a4711c00 4194304 Shared
PME-Buffer-SYS 0x40000000 0x00000000f8000000 0 Pvt
3G USB Driver 0x40000000 0x00000000f8000000 0 Pvt
HWA FPGA 0x77411c00 0x00000000af411c00 0 Shared
Global-Heap 0x77411c00 0x00000000af411c00 121562112 Shared
Kernel-Heap 0x02000000 0x00000000ba000000 1040187392 Pvt
root> request pfe execute command "show usp jsf jbuf_pool stats" target fwdd |match "total|pool id"
pool id :1
total jbuf 79200
pool id :2
total jbuf 800