
Throughput Issues when URL Filtering is Enabled


Article ID: KB7811 KB Last Updated: 30 Jun 2010 Version: 3.0
Summary:

TCP Reassembly for ALG is enabled, and integrated URL filtering via SurfControl is enabled.

Symptoms:
Effective bandwidth with URL filtering enabled is 1/3 slower than when URL filtering is disabled.
Solution:

When measuring throughput differences with and without URL filtering, determine whether there are any TCP retransmissions or TCP out-of-order packets. The best way to determine this is to take a sniffer capture on the untrust zone, analyze the output, and search for any occurrences of TCP retransmissions or TCP out-of-order packets.

If there are TCP retransmissions or TCP out-of-order packets, they have an impact on the URL filtering feature. The URL filtering feature has to process the packets in order. It needs to wait for any lost packet to be retransmitted before it can process the queued out-of-order packets.
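One way to run the check described above over segment data exported from a capture, as an added example that is not part of the original article. The function names, the tuple layout and the sample segments are constructed for illustration, and the classification is a simplified heuristic that assumes relative sequence numbers with no wraparound.

```python
from collections import Counter

# Constructed sample: (time_s, relative_seq, payload_len) for the data
# direction of one TCP flow, as seen on the untrust zone.
SAMPLE_SEGMENTS = [
    (0.000, 1, 1460),
    (0.001, 1461, 1460),
    (0.002, 4381, 1460),   # bytes 2921..4380 have not arrived yet
    (0.003, 5841, 1460),
    (0.004, 2921, 1460),   # late arrival that fills the hole
    (0.250, 5841, 1460),   # bytes already seen once
    (0.251, 7301, 1460),
]

def classify_segments(segments):
    """Label each data segment: in_order, gap, out_of_order or retransmission."""
    next_expected = None   # highest sequence number seen so far, plus one
    seen = []              # byte ranges already observed, as (start, end)
    labels = []
    for _time, seq, length in segments:
        if length == 0:
            continue       # pure ACKs carry no data to reorder
        end = seq + length
        if next_expected is None or seq == next_expected:
            label = "in_order"
        elif seq > next_expected:
            label = "gap"              # an earlier segment is missing
        elif any(s < end and seq < e for s, e in seen):
            label = "retransmission"   # overlaps bytes already observed
        else:
            label = "out_of_order"     # new bytes below the highest seen
        seen.append((seq, end))
        next_expected = end if next_expected is None else max(next_expected, end)
        labels.append(label)
    return labels

def summarize(segments):
    """Count how many segments fall into each class."""
    return Counter(classify_segments(segments))

if __name__ == "__main__":
    for name, count in sorted(summarize(SAMPLE_SEGMENTS).items()):
        print(f"{name}: {count}")
```

Any non-zero count of `gap`, `out_of_order` or `retransmission` segments marks a flow where the in-order processing described above has to queue packets and wait.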

Additionally, the URL filtering mechanism acts like a TCP proxy. The TCP proxy handles the TCP packets and takes care of reordering out-of-order packets and of retransmission. The TCP proxy behaves like a server to the client, and like a client to the server. The PC client will ACK every packet, instead of sending a delayed ACK for every other packet as in a normal TCP stack implementation.

The TCP proxy will ACK every data packet with a window size = full window size - data packet length. When the round-trip latency is longer than (full window size / data packet length) * packet process time, the server has to wait for the sliding window to reopen before sending more packets.

If you compare the window size in the ACK packets with and without URL filtering, you will see that the server waits for the sliding window to reopen more frequently with URL filtering enabled than with URL filtering disabled. Therefore, the measured Internet connection speed is faster with URL filtering disabled than with URL filtering enabled.

The drop in bandwidth in throughput tests is due to the difference of one packet length between the window size with URL filtering disabled and the window size with URL filtering enabled. This is a limitation of the TCP proxy implementation.
