

Figured you’d discover something like this. This behavior is usually caused by MTU/duplicate IP.
Good job sir :)
Hope to see a final update from you.
Thank you for the ping and the update!
Looks like you’re on the right path to chasing the gremlins out. I’m glad iperf3 was helpful to you. It has helped me out tremendously many times.
For the record, you can always ping me anytime. I’m here to help and Lemmy notifications don’t work half the time. But direct mentions always work.
Please keep me in the loop with further updates. At this time, nothing further to add from me. You’re doing the right things.
MOD APPROVED
Totally understand the security and CAB process. It’s a royal PITA when it comes to troubleshooting.
Mind keeping me in the loop with your findings? I’ll help as much as I can.
Not sure on the logging. I’m a data center guy and would rather see firewalls in the trash lol. They usually just cause problems.
For the WAN, surely there is some way you can reach those sites over the general internet. You have ISP connections.
Are you sharing BGP to the ISP? Maybe make a couple of 1:1 NATs with test boxes not in prod so that you can quickly test pathing outside of the tunnel.
@wop@infosec.pub Apologies for the delay. I’ve been very tired lately. I’m going to most likely repeat some of the things others have mentioned and what you’ve already noted, but this would be my t/s process. (NOTE: all tests should be run on the endpoints, not network infra)
Traceroute from UK -> Germany and Germany -> UK. Look for latency spikes. The reason I say do both directions is that sometimes there are weird pathing issues present that only show in the opposite direction.
iperf 3 from UK -> Germany and Germany -> UK.
TCPdump on both sides during a transaction. Check for re-xmits and window scaling problems. Most likely not the endpoints, but something to rule out.
Monitor fortigate logs during all of this.
Set up test boxes in UK and Germany that are exempt from IPSec tunnels and test throughput again (this should be a clear indicator that the firewalls are fucked if this is good)
If all else fails, open a TAC case with Fortigate.
Performance problems are the hardest problems to solve unfortunately. I’ve got more thoughts to add to this, but have to get to some commitments today. I’ll add more detail either tonight or tomorrow @wop@infosec.pub
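One way to make the bidirectional iperf3 step above easier to read: run `iperf3 -c <host> -J` in each direction and feed the JSON to a small checker that flags throughput asymmetry and TCP retransmit rates. This is an added example, not code from the thread; the sample results are constructed and the two thresholds are assumptions to tune for your link.

```python
"""Compare bidirectional iperf3 -J results (UK->DE and DE->UK) for asymmetry and retransmits."""
import json

# Constructed iperf3 -J output, trimmed to the fields read below (not real measurements).
UK_TO_DE = json.dumps({"end": {"sum_sent": {"seconds": 10.0, "bytes": 1_175_000_000,
                                            "bits_per_second": 940.0e6, "retransmits": 12},
                               "sum_received": {"bits_per_second": 938.0e6}}})
DE_TO_UK = json.dumps({"end": {"sum_sent": {"seconds": 10.0, "bytes": 150_000_000,
                                            "bits_per_second": 120.0e6, "retransmits": 2310},
                               "sum_received": {"bits_per_second": 118.0e6}}})

ASYMMETRY_RATIO = 0.5    # assumed: slower direction under half the faster one is suspicious
RETRANS_PER_SEC = 50.0   # assumed: retransmits/s above this points at drops or MTU trouble


def summarize(raw_json):
    """Extract sender-side throughput and retransmit rate from one iperf3 -J run."""
    sent = json.loads(raw_json)["end"]["sum_sent"]
    seconds = sent["seconds"] or 1.0
    return {
        "mbps": sent["bits_per_second"] / 1e6,
        "retransmits": sent["retransmits"],
        "retrans_per_sec": sent["retransmits"] / seconds,
    }


def analyze(runs):
    """runs: {direction_label: raw_json}. Returns a list of findings (empty = nothing obvious)."""
    findings = []
    stats = {label: summarize(raw) for label, raw in runs.items()}
    # Per-direction retransmit check: the lossy direction tells you which path to tcpdump.
    for label, s in stats.items():
        if s["retrans_per_sec"] > RETRANS_PER_SEC:
            findings.append(f"{label}: {s['retransmits']} TCP retransmits "
                            f"({s['retrans_per_sec']:.0f}/s); check MTU and drops on that path")
    # Asymmetry check: one slow direction usually means pathing or policy, not raw capacity.
    fastest = max(stats.values(), key=lambda s: s["mbps"])["mbps"]
    slowest = min(stats.values(), key=lambda s: s["mbps"])["mbps"]
    if fastest and slowest / fastest < ASYMMETRY_RATIO:
        slow_label = min(stats, key=lambda k: stats[k]["mbps"])
        findings.append(f"asymmetric throughput: {slow_label} only {slowest:.0f} Mbit/s "
                        f"vs {fastest:.0f} Mbit/s; traceroute that direction for pathing issues")
    return findings


if __name__ == "__main__":
    for line in analyze({"UK->DE": UK_TO_DE, "DE->UK": DE_TO_UK}):
        print(line)
```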
Wow. I totally don’t see that comment on my end at all. I am so sorry about that.
As for your issue, that is a strange one. Can’t say I’ve ever seen it before. Is this a legacy switch and software version?
Edit: Oh wait, you meant PortFast. So this was a Spanning-Tree issue. Makes sense. Spanning Tree is the devil btw.
Cisco does a decent job at teaching general networking concepts, but most of them are “the Cisco way”, which I despise. Juniper is a much more standards-focused vendor vs magical bullshit like Cisco. The downside is that Juniper assumes you know networking already and doesn’t do that great of a job at teaching.
Another thing to keep in mind is that Cisco, unfortunately, is still the most prevalent networking vendor. This means the jobs are more plentiful and the skillset is more saturated in the market. Most people are mega fanboys of Cisco and either are too stupid or too ignorant to learn other vendors, which limits their thinking and skillset growth. Cisco is very much a cult.
Get some experience and see what makes you happy, then pursue that knowledge. Ultimately, if you aren’t happy with the work then your career will be miserable.
Ahh man, this is a tough question to answer without knowing your current skillset and what you would like to do in your career. I can try to give you some general, albeit a little biased, advice from my POV that could help you decide.
So, firstly, I would hold off on CCNP until you get a network tech/admin job and get some experience under your belt. Generally, when people see CCNP they expect people to have at least 2-3 years experience. Having the cert without the experience, while good for learning, can rub some hiring managers the wrong way. They might see you as a “brain dumper” that just gets certs to fluff their resume but has no practical experience. Not all of them would, but there are a lot of fucking idiots in IT that make it into HR/management and they have very backwards views on these things because people that cheat do exist.
What I would do is finish your CCNA and then maybe look at JNCIA-Junos (the fast track course for those with CCNA already). You’ll find JNCIA-Junos isn’t as in-depth as CCNA. I would say this cert is more equivalent to the old CCENT. It’s mainly an introduction to JunOS.
The reason I suggest going this route is that you will have your CCNA, which will give you a good foundation on protocols and general networking, then you’ll also be able to speak to some JunOS as well, making you more well rounded. After this, focus on getting a job and some experience under your belt.
Now, as far as the industry trends are concerned, we are seeing more and more places kick Cisco to the curb in favor of Juniper and Arista the most, followed shortly by Aruba. If you work at any serious routing shop, they will almost definitely have Juniper MX routers on board.
Being able to have SOME JunOS knowledge will give you a leg up over the average CCNA. As you start to reach toward mid-career, I think you’ll find that knowing MANY vendors products/platforms will put you leaps and bounds ahead of your peers.
Does this make sense?
Reason I’m asking for configs is that it might be an access port vs trunk port config, we just don’t know without more detail. Happy to look over everything and help you out though.
@Hexorg@beehaw.org you good? People trying to help and you never replied.
Good fucking job. Celebrate this weekend.