01-28-2011 11:28 AM
Today i need to tell the juniper firewall lovers some imp issues i am facing from the past 6 months.
Basically i am a cisco guy but from past 3 years i am using juniper.I am happy with the SSG is concerned.
But people tell us SRX is the better one in juniper security.Pls believe me its the buggest one which i had
never seen till now in any firewall is conrned.My SRX 240 is replaced 2 times due to memory and flash problems
after doing an R&D for 8 to 10 hours.Even the case proirity is high and even if we ask the jtac enginners to transfer
the call to ATAC they will not they will first tell us we will check and we will transfer even though its critical.
SO if u ready with a downtime of 24 hours critical u can buy SRX and comming the bugs are concerned we have a lot
its simply more than 200 on each release depening up on customer requirement it may vary.The most critical
problem which i am facing is the Track IP which is there in SSG but not in SRX.This means if one of the ISP is down
the line will not shift automatically we need to manually change the cable by unplugging from the SRX Device.
The memory utilization is more than 85% if we enable the IDP.and which should be enabled for torrents. if we ,then
the box will hang.The device come with 1GB RAM and 1GB Flash which is not at all sufficient for any requiremement
The Storage shows always full and we will have coredumbs which again occupies the memory.To reduce this we
need to disable the Syslog.And if i keep on going i can tell u some 100 pages documents related to SRX is concerned
The worst and the last i need to tell u is the logging feature.It is worst logging feature r else the options which i never
seen in any firewall so guys if u r ready to buy with all this bugs and want to in trouble u can buy the product.
Pls never c the data sheets r else the doucments which are given in the site as they are all only some positive points
some 70% is not given on the site.so if u need any help r else any idea reg the SRX is concern pls do mail me
my mail ID is firstname.lastname@example.org i didnt bore u with my long sort of issues with the SRX is concerned
01-28-2011 11:55 AM
Hello RAM - I just finished reading your post. I am sorry to hear that you have had so many problems with the Juniper SRX240 firewall. It does sound like you got a bad device and had some issues with getting your problems resolved.
You are of course entitled to your opinion. However, I must say that as a Juniper reseller I find that your problems are not at all typical. My firm has sold a ton of SRX boxes of various sizes. Yes, there have been issues with the code and there are still problems that exist with certain features and there is also still a lack of some functionality that can drive me crazy.
Perhaps the box you purchased was not sized correctly for your environment? I don't know, however, I have one customer with several hundred SRX240 units running nationwide that has never had the problems you describe.
Again, sorry to hear you had these issues - But you are completely wrong when you state that this what a customer should expect if they purchase this (or any other SRX) device.
Anyone looking to buy an SRX should certainly feel free to contact you and hear about your very bad experiences with the single unit. I will also state that anyone looking to hear a different point of view about these boxes is welcome to contact me anytime and I will tell them both the positive and negative in regards to the SRX product line.
I am very glad to both sell, install and support this solution, regardless of the growing pains that have occured as Juniper worked through the various issues.
01-28-2011 12:07 PM
Thanks for the reply
The Box which i purchsed is more then and perfectly sized for my organization
Can u asked that 100 sold guys is the customer are happy i can guarantee that they are all unhappy
i didnt bought 1 no kevin i had one head office and 32 branch offices my head office is in HA and
branch office is single units.All the boxes are like hell its dam hell and i will never ever suggest to any one
Its purely killing the time with soo many problems.Pls never suggest to any one.
for me selling a box is like a cake but the guy who taken that cake is asking me y u had given this worst cake to me
01-28-2011 12:35 PM
RAM - We obviously disagree. I would recommend e-bay to sell off your boxes. Send me a private message so I can bid on them.
01-28-2011 12:59 PM
Pls find below the the today RMA case hope u can understand the issue
The previuos one for the same device and the same issue
and a lot more cases reg the issues IDP , Track IP , Link Aggressation, Syslog etc etc
May be the guys whom u r telling is not using the features like me.
But Definealtely if this one repeats surely i will bid on the ebay 200%
its been very nice that u told u will take all that i am glad for that lets wait
01-28-2011 09:40 PM
SRX supports the track IP feature.
01-28-2011 10:44 PM
I am also victim of Track IP on SRX ...
Though, JunOS Automation can handle this Track IP issue ..
But this is the longest / hardesst way of implementing it, compared to SSG
01-28-2011 11:01 PM
Did u ever used this script ,pls let me know if u used it in the production box.
basically the JTAC r else the ATAC will not recommend to run scripts in the JUNOS
i had 3 ISP lines in which i had 3 different group of people will use specific ISP
All this ISP lines are in failover.lets say if isp one goes down immediately the clients in that
ISP will be shifted to the other ISP.i am using the firewall filter for the interfaces and preference
options at the routing options.My ISP setup is like from ISP MUX it will come to the ISP router from
the ISP router i will connect to the SRX so till ISP router i do not have any control.
IF i am using the script which u given its working fine till the LAN interface for the ISP router
But actual failover will be behind the MUX r else from MUX to the router.the LAN interface will always be UP
as its in my side but the WAN link goes down the script r else what u say the trackip in SRX is not working
Its working very fine with SSG coz we will mention the particlar IP lets say 126.96.36.199 in the Trackip and we are
not having like that in the script and ATAC is not recommending that so if u tried all this and if u have a
perfect solution then let me know i am glad to hear from u
01-28-2011 11:41 PM - edited 01-28-2011 11:52 PM
I'm very aware of the use cases around track IP and how it works. I wouldn't have made the recommendation if it didn't work. We have major carriers and financial firms that use this in production without issue.
The only drawback is that you have to use an automation script versus a "track-ip" knob in the actual Junos configuration. Please note this only applies to the branch SRX devices. The high-end SRXs support this feature natively through the "ip-monitoring" knob.
The purpose of the automation architecture is to offer additional services and scalability that goes beyond the native features.
01-28-2011 11:56 PM
Pls find the attached script which i am telling u and didnt work out for me
pls let me know if any other alternate script i will try and let u know its works
01-31-2011 08:36 AM
Unfortunately, you are another victim of Juniper SRX.
I deployed more than 100 SSG devices in the past with less than 10 cases open with JTAC.
One year ago, we deployed two cluster of SRX 240 and the nightware begun...
Slow GUI, NSM integration is a joke, IDP crash, etc, etc.
This is an endless story.
Basically, this is most buggiest platform I ever play with...
We will ask Juniper to replace them with 4 SSG320M.
We are waiting input from them.
Maybe you can also do the same...
01-31-2011 10:42 AM
Thanks a lot for the replay.Just thinking that i am only the victim from the replies i am getting
may be i got some one who accepts that there are bugs in the SRX boxs.
Even i installed soo many SSG boxes and EX4200 and 3200 Swicthes with very less cases
But for my new site as i blindly thought juniper will not make me down i didnt went deep reg the new
product and deployed SRX in HA and EX2200 with 100 nos and core EX4200.
This SRX is working like Hell. No Track IP like SSG, More CPU and Memory utlization
due to 2 partions and IDP signature and dector data base issues for which the box will Hang r else
the flash r even the partion gets crouppted.I do not know with out a 100% checkup and no proper work out
they released the product in to the market and they are loosing the complete hope on the juniper brand
which will effect on the other good working products like SSG and Ex4200 and 3200 swicthes.
Even i bought EX2200 with out the minimum L2 features in it and they are telling now still they are in
implementation part and in the other releases they will fix .god knows when they will fix without bugs
i had a question to ask u .i will also ask the guys to give me SSG-520
but the IDP is not there in that and only the DI which will not block torrents.pls let me know is there any alternate
way to block the torrents with SSG-520 as its very imp for my site with no other addon device like IDP
once again thanks for the reply
01-31-2011 01:47 PM
I'm also running IDP on the SRX.
Deep inspection is not an alternative to the IDP...
If you really need an IPS, you need to by another box...
In my case, I prefer to have a stable cluster (SSG) rather than a full features (according to Juniper !) box crashing every few days.
Maybe you can install another firewall in layer two mode to handle application control, bandwidth management, IPS and other usefull features.
Sonicwall is quite good in this area. In few weeks, I could probably give you some comments about Palo Alto...
03-06-2011 11:14 AM
Thanks for the feedback
Just want to know how can u say by the RMA details i kept the box in a frequent power failures area.
They have not mentioned any where in the case ITS WRONG stateEMENT DELIVER BY U .
Can u pls tell me from which country u belong to just to know
To ur notice i kept the box in a very secure area in which i had nealy 127 devices along with this SRX
I never mention in the case r else in the RMA that the box is having problem with power u r mistaken
The box is having problem with flash and memory due to this there are several problems
can i know which SRX box u r using just curious not having with any problem with that
i can c in the lastest junoes release that there are nealy some 150 bugs still pendning yet to sorted out
The 1GB flash which is giving with the box is not at all sufficient for the desired requirment
Each core dump file is 100 MB and if there are 2 core dump files the box gets hangs and flash corrupts
hope u got now what i am trying to tell u .There is no problem with the power r relse the power supply
Problem which i am facing
1.SRX240 New box
2. The box comes with dual partion primary and backup with 10.0R1
3. For my requirement i need to update to 10.4R1
4. After doing this the remaining space in Primary partion is 215 MB only
5. If i enable syslog for every 6 hours its creating one core dump file which is 100 mb
6. IF i leave for 1 day the flash gets full and device hangs
7.If i disable syslog i will get a core dump file 100 mb for every 12 hours
8.If i delete the file in time the box runs fine no problem but if i do not delete same problem
so if u have a box and u try all the above which i mentioned they tell me what u r facing
so do not tell and misguide that that problem is with power .ITS NOT WITH POWER PROBLEM K.
ITS WITH 1GB insufficiuent flash k