01-28-2011 11:28 AM
Today i need to tell the juniper firewall lovers some imp issues i am facing from the past 6 months.
Basically i am a cisco guy but from past 3 years i am using juniper.I am happy with the SSG is concerned.
But people tell us SRX is the better one in juniper security.Pls believe me its the buggest one which i had
never seen till now in any firewall is conrned.My SRX 240 is replaced 2 times due to memory and flash problems
after doing an R&D for 8 to 10 hours.Even the case proirity is high and even if we ask the jtac enginners to transfer
the call to ATAC they will not they will first tell us we will check and we will transfer even though its critical.
SO if u ready with a downtime of 24 hours critical u can buy SRX and comming the bugs are concerned we have a lot
its simply more than 200 on each release depening up on customer requirement it may vary.The most critical
problem which i am facing is the Track IP which is there in SSG but not in SRX.This means if one of the ISP is down
the line will not shift automatically we need to manually change the cable by unplugging from the SRX Device.
The memory utilization is more than 85% if we enable the IDP.and which should be enabled for torrents. if we ,then
the box will hang.The device come with 1GB RAM and 1GB Flash which is not at all sufficient for any requiremement
The Storage shows always full and we will have coredumbs which again occupies the memory.To reduce this we
need to disable the Syslog.And if i keep on going i can tell u some 100 pages documents related to SRX is concerned
The worst and the last i need to tell u is the logging feature.It is worst logging feature r else the options which i never
seen in any firewall so guys if u r ready to buy with all this bugs and want to in trouble u can buy the product.
Pls never c the data sheets r else the doucments which are given in the site as they are all only some positive points
some 70% is not given on the site.so if u need any help r else any idea reg the SRX is concern pls do mail me
my mail ID is email@example.com i didnt bore u with my long sort of issues with the SRX is concerned
01-28-2011 11:55 AM
Hello RAM - I just finished reading your post. I am sorry to hear that you have had so many problems with the Juniper SRX240 firewall. It does sound like you got a bad device and had some issues with getting your problems resolved.
You are of course entitled to your opinion. However, I must say that as a Juniper reseller I find that your problems are not at all typical. My firm has sold a ton of SRX boxes of various sizes. Yes, there have been issues with the code and there are still problems that exist with certain features and there is also still a lack of some functionality that can drive me crazy.
Perhaps the box you purchased was not sized correctly for your environment? I don't know, however, I have one customer with several hundred SRX240 units running nationwide that has never had the problems you describe.
Again, sorry to hear you had these issues - But you are completely wrong when you state that this what a customer should expect if they purchase this (or any other SRX) device.
Anyone looking to buy an SRX should certainly feel free to contact you and hear about your very bad experiences with the single unit. I will also state that anyone looking to hear a different point of view about these boxes is welcome to contact me anytime and I will tell them both the positive and negative in regards to the SRX product line.
I am very glad to both sell, install and support this solution, regardless of the growing pains that have occured as Juniper worked through the various issues.
01-28-2011 12:07 PM
Thanks for the reply
The Box which i purchsed is more then and perfectly sized for my organization
Can u asked that 100 sold guys is the customer are happy i can guarantee that they are all unhappy
i didnt bought 1 no kevin i had one head office and 32 branch offices my head office is in HA and
branch office is single units.All the boxes are like hell its dam hell and i will never ever suggest to any one
Its purely killing the time with soo many problems.Pls never suggest to any one.
for me selling a box is like a cake but the guy who taken that cake is asking me y u had given this worst cake to me
01-28-2011 12:35 PM
RAM - We obviously disagree. I would recommend e-bay to sell off your boxes. Send me a private message so I can bid on them.
01-28-2011 12:59 PM
Pls find below the the today RMA case hope u can understand the issue
The previuos one for the same device and the same issue
and a lot more cases reg the issues IDP , Track IP , Link Aggressation, Syslog etc etc
May be the guys whom u r telling is not using the features like me.
But Definealtely if this one repeats surely i will bid on the ebay 200%
its been very nice that u told u will take all that i am glad for that lets wait
01-28-2011 09:40 PM
SRX supports the track IP feature.
01-28-2011 10:44 PM
I am also victim of Track IP on SRX ...
Though, JunOS Automation can handle this Track IP issue ..
But this is the longest / hardesst way of implementing it, compared to SSG
01-28-2011 11:01 PM
Did u ever used this script ,pls let me know if u used it in the production box.
basically the JTAC r else the ATAC will not recommend to run scripts in the JUNOS
i had 3 ISP lines in which i had 3 different group of people will use specific ISP
All this ISP lines are in failover.lets say if isp one goes down immediately the clients in that
ISP will be shifted to the other ISP.i am using the firewall filter for the interfaces and preference
options at the routing options.My ISP setup is like from ISP MUX it will come to the ISP router from
the ISP router i will connect to the SRX so till ISP router i do not have any control.
IF i am using the script which u given its working fine till the LAN interface for the ISP router
But actual failover will be behind the MUX r else from MUX to the router.the LAN interface will always be UP
as its in my side but the WAN link goes down the script r else what u say the trackip in SRX is not working
Its working very fine with SSG coz we will mention the particlar IP lets say 220.127.116.11 in the Trackip and we are
not having like that in the script and ATAC is not recommending that so if u tried all this and if u have a
perfect solution then let me know i am glad to hear from u
01-28-2011 11:41 PM - edited 01-28-2011 11:52 PM
I'm very aware of the use cases around track IP and how it works. I wouldn't have made the recommendation if it didn't work. We have major carriers and financial firms that use this in production without issue.
The only drawback is that you have to use an automation script versus a "track-ip" knob in the actual Junos configuration. Please note this only applies to the branch SRX devices. The high-end SRXs support this feature natively through the "ip-monitoring" knob.
The purpose of the automation architecture is to offer additional services and scalability that goes beyond the native features.
01-28-2011 11:56 PM
Pls find the attached script which i am telling u and didnt work out for me
pls let me know if any other alternate script i will try and let u know its works