Old and new SRX VPN throughput

Juniper has recently released a hardware refresh of the SRX branch firewall series and I had the chance to run IPsec throughput tests on the new devices. Fortunately I also have test results for the same setup on the older devices (SRX110, SRX210), so I can make a comparison between the two platforms.

For various reasons the declared numbers in the marketing materials of all vendors are way off and have nothing to do with reality, but I will still use them as the baseline against which to compare the real results.

For the testing method I used a slightly modified RFC 2544 test, specifically the throughput test, with the maximum frame size set to 1400B so that no fragmentation would take place.

The devices were configured only with the tunnel and a management connection. No other configuration was present, so these numbers must be taken with a pinch of salt: normally your SRX would do more than just one VPN tunnel, and the more active configuration there is, the lower the throughput will be.

The VPN config:

security {
    ike {
        proposal ike_prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ike_pol {
            mode main;
            proposals ike_prop;
            pre-shared-key ascii-text "*"; ## SECRET-DATA
        }
        gateway ike_gw_srx02 {
            ike-policy ike_pol;
            address 10.1.12.2;
            external-interface ge-0/0/2;
        }
    }
    ipsec {
        proposal ipes_prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_pol {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipes_prop;
        }
        vpn ipsec_vpn {
            bind-interface st0.192;
            ike {
                gateway ike_gw_srx02;
                ipsec-policy ipsec_pol;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone z_internal to-zone z_internal {
            policy permit_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone z_internet to-zone z_internal {
            policy deny_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone z_internal to-zone z_internet {
            policy permit_out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone z_internet to-zone z_internet {
            policy permit_all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone z_internet {
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone z_internal {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                ge-0/0/3.0;
                lo0.0;
                st0.192;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/2 {
        description p2p-public-iface-srx02;
        unit 0 {
            family inet {
                address 10.1.12.1/30;
            }
        }
    }
    ge-0/0/3 {
        description Test_IPsec-VPN-throughput;
        unit 0 {
            family inet {
                address 192.168.11.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.64.3.135/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
        }
    }
    st0 {
        unit 192 {
            family inet {
                mtu 1428;
                address 192.168.1.0/31;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.64.3.1;
        route 192.168.16.0/20 next-hop st0.192;
    }
}

The table below shows my attempt to get as close as possible to the declared numbers:

Device      Declared @ L2/1400B   Measured @ L2/1400B
SRX110h2    65 Mbps               45 Mbps
SRX210      85 Mbps               33 Mbps
SRX550*     1 Gbps                485 Mbps
SRX 320     250 Mbps              187.9 Mbps
SRX 340     500 Mbps              374.8 Mbps

You can see that for both the old and the new devices the throughput is about 50% of the declared values. The reason is that for marketing purposes upstream and downstream are counted as separate entities and can therefore be added together to form a nice big number.

The throughput table above is for the most favourable conditions, which almost never occur in a real network, so the interesting question is how the same tunnel behaves with different packet sizes, specifically with small ones, where the overhead will be much bigger and the number of packets will also be much larger. Let's have a look at the results for 64B frames:

Device      Measured @ L2/64B
SRX110h2    2.6 Mbps
SRX210      1.9 Mbps
SRX550*     32 Mbps
SRX 320     12.5 Mbps
SRX 340     23.8 Mbps
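
As an added example (not from the original post), the size arithmetic behind the 1400B frame choice and the 64B results, for the ESP proposal in the config above: aes-256-cbc (16-byte IV, 16-byte block padding) and hmac-sha-256-128 (16-byte ICV) in tunnel mode over IPv4, assuming no NAT-T and that RFC 2544 frame sizes include the Ethernet header and FCS. It also converts the measured L2 rates into frames per second and shows that the configured st0 mtu of 1428 produces a full 1500-byte outer packet.

```python
# Added example, not from the original post: ESP tunnel-mode size arithmetic for
# the proposal in the config above (aes-256-cbc, hmac-sha-256-128) and the
# conversion of measured L2 rates into frames per second.
import math

ETH_HDR, ETH_FCS = 14, 4   # RFC 2544 frame sizes include header and FCS
OUTER_IPV4 = 20            # outer IPv4 header, no options, no NAT-T/UDP encap
ESP_HDR = 8                # SPI + sequence number
AES_CBC_IV = 16            # explicit IV for aes-256-cbc
AES_BLOCK = 16             # CBC ciphertext is padded to the block size
ESP_TRAILER = 2            # pad-length + next-header bytes (inside ciphertext)
ICV_SHA256_128 = 16        # hmac-sha-256-128 -> 128-bit truncated ICV

def esp_packet_size(inner_ip_len: int) -> int:
    """Outer IPv4 length of one ESP tunnel-mode packet carrying an inner IP packet."""
    encrypted = math.ceil((inner_ip_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return OUTER_IPV4 + ESP_HDR + AES_CBC_IV + encrypted + ICV_SHA256_128

def fits_without_fragmentation(frame_size: int, outer_mtu: int = 1500) -> bool:
    """True if a test frame of frame_size bytes yields a single unfragmented ESP packet."""
    return esp_packet_size(frame_size - ETH_HDR - ETH_FCS) <= outer_mtu

def max_inner_mtu(outer_mtu: int = 1500) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits the outer MTU."""
    inner = outer_mtu
    while esp_packet_size(inner) > outer_mtu:
        inner -= 1
    return inner

def overhead_ratio(frame_size: int) -> float:
    """Bytes on the wire (outer IP) per inner IP byte for a given test frame size."""
    inner = frame_size - ETH_HDR - ETH_FCS
    return esp_packet_size(inner) / inner

def frames_per_second(mbps: float, frame_size: int) -> int:
    """Frames/s implied by an L2 throughput figure (preamble and IFG ignored)."""
    return round(mbps * 1_000_000 / (frame_size * 8))

if __name__ == "__main__":
    # Measured figures copied from the two tables above into a constructed dict.
    measured = {"SRX110h2": (45, 2.6), "SRX210": (33, 1.9), "SRX550": (485, 32),
                "SRX 320": (187.9, 12.5), "SRX 340": (374.8, 23.8)}
    print(f"st0 mtu 1428 -> outer {esp_packet_size(1428)} B; "
          f"max inner for 1500 B outer: {max_inner_mtu()} B")
    print(f"overhead x{overhead_ratio(1400):.2f} at 1400B, x{overhead_ratio(64):.2f} at 64B")
    for dev, (big, small) in measured.items():
        print(f"{dev:9} {frames_per_second(big, 1400):>6} fps @1400B "
              f"{frames_per_second(small, 64):>6} fps @64B")
```

Comparing the two frames-per-second columns shows how little the per-second frame count rises between 1400B and 64B frames, which is the per-packet cost the paragraph above describes.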


In conclusion, the new SRX models have improved encrypted-traffic throughput by about 30% over the equivalent older models, but the overall performance is still quite low compared to the public specification.

*The SRX550 is an old model, but there shouldn't be any performance difference compared to the new SRX 550.

All tests were performed on the current recommended version for the platform at the time of writing.

The tester used in this testing was an EXFO FTB-1 with an FTB-860G module (more details are in the test reports).

The full results in pdf format are available here:

SRX110-RFC_2544

SRX210-RFC_2544

SRX550-RFC_2544

SRX320-RFC_2544

SRX340-RFC_2544
