Author Topic: IPv6 in IPv4 packet drives NS5400 CPU high

IPv6 in IPv4 packet drives NS5400 CPU high
« on: March 01, 2012, 03:33:09 PM »
Has anybody heard of anything similar to this: we have recently experienced very high CPU usage on our NS5400 firewall caused by a single user (or users). We have determined that the traffic that drives the CPU up is IPv6 traffic encapsulated in IPv4 packets. This traffic is seen coming from/to several different users at any given time of day, but we have yet to determine the application associated with it. What seems odd is that, to the firewall, I would think this packet would just appear as a regular IPv4 packet, so why does it cause issues?

Not sure what info might be useful to include here, but here is one instance of a session that is taking 32+% of the CPU.

5400-> get fprofile packet
packet buffer size(in kilo-packets): 64
total ip packet: 63862
total ip packet time(us): 9979235
total none-ip packet: 1674
total none-ip packet time(us): 118412
Id  Type   Protocol   Source             Destination       Sport   Dport   Time        Percentage
1    ip       0x29   1     1           3314384   32.82%

Any thoughts? As soon as I get our support agreement paid up to date I am going to open a ticket with Juniper. I'm just hoping someone else has seen this too and knows the cause / cure!

Thanks in advance.
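The profile above shows the offending traffic as IP protocol 0x29 (41), which is IPv6 encapsulated directly in IPv4 (6in4). The following is an added example, not code from the original post or from Juniper: a small Python parser that takes a raw IPv4 packet (for example one captured with the tcpdump filter "ip proto 41"), confirms the outer protocol is 41, decodes the inner IPv6 header, and classifies the inner addresses as 6to4 (2002::/16, RFC 3056) or ISATAP (interface id ::0:5efe:a.b.c.d, RFC 5214), which is usually enough to tell which tunnelling mechanism, and hence which host software, is generating the traffic. The sample packet is constructed inline (checksums left at zero, which the parser does not verify); the function names and the outer addresses 192.0.2.4 and 192.88.99.1 (the 6to4 relay anycast address from RFC 3068) are assumptions for the example.

```python
import struct
import ipaddress

PROTO_IPV6 = 41  # 0x29, the protocol number shown in the fprofile output


def parse_ipv4(pkt):
    """Decode the outer IPv4 header; return (protocol, src, dst, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return proto, src, dst, pkt[ihl:total_len]


def parse_ipv6(payload):
    """Decode the inner IPv6 fixed header; return (next_header, src, dst, rest)."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        raise ValueError("inner payload is not an IPv6 header")
    next_hdr = payload[6]
    src = ipaddress.IPv6Address(payload[8:24])
    dst = ipaddress.IPv6Address(payload[24:40])
    return next_hdr, src, dst, payload[40:]


def classify_v6(addr):
    """Name the tunnelling scheme an IPv6 address belongs to, if any."""
    if addr in ipaddress.IPv6Network("2002::/16"):
        # 6to4: the host's public IPv4 address is embedded in bits 16..47
        embedded = ipaddress.IPv4Address(addr.packed[2:6])
        return f"6to4 (IPv4 {embedded})"
    iid = addr.packed[8:16]
    # ISATAP interface id: 00:00:5e:fe or 02:00:5e:fe (u/l bit set) + IPv4
    if iid[0:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        embedded = ipaddress.IPv4Address(iid[4:8])
        return f"ISATAP (IPv4 {embedded})"
    return "native/other"


def inspect(pkt):
    """Summarise one packet: outer addresses, whether it is 6in4, inner tuple."""
    proto, osrc, odst, payload = parse_ipv4(pkt)
    info = {"outer_src": str(osrc), "outer_dst": str(odst), "protocol": proto}
    if proto != PROTO_IPV6:
        info["verdict"] = "not 6in4"
        return info
    nh, isrc, idst, rest = parse_ipv6(payload)
    info.update({
        "verdict": "6in4",
        "inner_src": str(isrc), "inner_dst": str(idst),
        "src_kind": classify_v6(isrc), "dst_kind": classify_v6(idst),
        "next_header": nh,
    })
    # TCP (6) and UDP (17) both start with source and destination ports
    if nh in (6, 17) and len(rest) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", rest[:4])
    return info


def build_sample():
    """Constructed sample: 6to4 host 192.0.2.4 sending TCP/80 via a 6to4 relay."""
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1, 0, 0x5002, 8192, 0, 0)
    v6 = (struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64)
          + ipaddress.IPv6Address("2002:c000:204::1").packed
          + ipaddress.IPv6Address("2001:db8::1").packed
          + tcp)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0x1234, 0, 64,
                     PROTO_IPV6, 0,
                     ipaddress.IPv4Address("192.0.2.4").packed,
                     ipaddress.IPv4Address("192.88.99.1").packed)
    return v4 + v6


if __name__ == "__main__":
    for key, value in inspect(build_sample()).items():
        print(f"{key:12} {value}")
```

On a real capture, feed each packet's bytes (starting at the IPv4 header, i.e. after the Ethernet header) to inspect(); a source that classifies as 6to4 or ISATAP with the matching embedded IPv4 address points at an operating system tunnel adapter on that host rather than an application-level VPN.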

Re: IPv6 in IPv4 packet drives NS5400 CPU high
« Reply #1 on: March 14, 2012, 03:34:59 PM »
I'm not the specialist on this but I've also seen high CPU loads on our ISG 2000 in the past. This was caused by a large amount of UDP packets (bittorrent). As it seems, UDP is a hard nut to crack for our firewall because there's not really a session to be offloaded to the flow CPU(s), so the task CPU has to work harder because more packets are sent to it. Maybe this is also the case for your specific type of traffic?

Re: IPv6 in IPv4 packet drives NS5400 CPU high
« Reply #2 on: April 26, 2012, 04:52:58 AM »
The NS5400 and the ISG models are ASIC based; for all supported packets they should handle the traffic in hardware.
Whenever you have traffic that cannot be handled by the ASIC you will see these high CPU spikes.
Basically, for these packets the NS5400 is not much faster than a small SSG FW.

