topic Re: Performance Problem with PA 500 in General Topics

Performance Problem with PA 500

MemphisBrothers — Sat, 15 Feb 2014 19:18:13 GMT

I recently upgraded my bandwidth to fiber with my provider. They added a router in the mix that was not there. It has an external IP and and internal IP address. The old setup only had an external IP (which is the IP that was configured in my firewall natting rules.) My upload speed is around 90mb, but the download speed is not even 5mb. . We set all settings as the isp requested. 100mbps ad Full Duplex, on the firewall and switch. The path is. Fiber comes in to ISP Switch --> ISP Router --> Juniper Switch --> Firewall.

After trying everything we could think of I took the main PA500 offline and brought the HA1 online to take over. Speeds hit 75-80 mb both ways. This lasted a few hours until downloads started dragging again. I cleared the logs and speeds shot back up. We are able to isolate the problem in the firewall. What is causing my performance issues. The HA is configured exactly like the primary, which is still offline. All ideas are appreciated.

Re: Performance Problem with PA 500

HULK — Sat, 15 Feb 2014 20:47:56 GMT

Hello Sir,

Are you using any specific protocol to measure the speed or just using free tools, i.e. speedtest.net...?

The first step is to isolate where the performance issue is occurring due to:

Data Plane (DP) CPU

Packet Buffers

Session

Management Plane (MP)

Most handy command will be :PAN> > show system statistics session

> show running resource-monitor

a. Check the CPU load during the last 60 seconds. If any number is at or close to 100, then high CPU is likely the cause of the performance issue.

b. Check the "packet buffer" and "packet descriptor" sections. If any number is at or close to 100, then the issue is likely caused by running out of packet buffers.

c. Check the session section. If any number is close to or above 80, then the performance issue is most likely session related.

Few more commands:

> debug dataplane pool statistics

> show session info

Hope this helps.

Thanks

Re: Performance Problem with PA 500

MemphisBrothers — Sun, 16 Feb 2014 03:02:55 GMT

I am using a few different web sites to test speed, the same ones the ISP uses. You know how they are, We can see the router and are sending 100 mgs so it must be on your end.Event they care not seeing 100 mgs which is what the fiber is supposed to be hitting.. I will test the commands you submitted. After further measuring throughout today we are averaging 80-85. Is it possible something has stabilize?

Re: Performance Problem with PA 500

HULK — Sun, 16 Feb 2014 05:50:50 GMT

We need to check the firewall while the problem occurs, just to confirm if the PAN is causing the latency. Could you please analyze the ACC report during that time, anything looking abnormal..?

Thanks

Re: Performance Problem with PA 500

pulukas — Sun, 16 Feb 2014 22:36:33 GMT

I agree with Hulk that you will need to gather data when the issue is occurring. The top candidates for me would be cpu issues or resource exhaustion. These are checked with:

show running resource-monitor

debug dataplane pool statistics

On possible cause of these issues could be a threat or a ddos attack.

Another good test would be if you can get a laptop into that on the Juniper switch between the ISP router and the Palo Alto if an address is available. Then run the download test from here during the issue. This will eliminate the PA from the loop and do a test during the incident for possible outside influences or a transient ISP issue that they don't see because it is gone when they investigate but there during your problems.