03-26-2010 04:21 AM
looks a known issue after reading whole thread, ask your sales person to provide you patch for this.
03-26-2010 11:44 AM
Hi, i think that juniper has to publish a technical bulletin for this issue. Unfortunatly Juniper doesn`t , as far i can see in my mails :robotmad
i`m verry sadisfied with the SSG/ISG Series from Juniper running ScreenOS, but SRX with JunOS beginns to suck,
just my 20cent opinion
04-10-2010 03:35 PM
The issue that Oldtimer mentioned should be fixed in upcoming 10.0R3. This is scheduled to release probably within the next week or so. Currently 10.0S3 does not yet have this fix. Once 10.0R3 is available there will be a release note for this and 10.0R3 will become the recommended JUNOS version for SRX. Note also that the fix will also be included in 10.1R2 but that is still maybe 2 months away.
Juniper policy is we do not release any sort of PSN unless we already know the root cause and have a fix available. It should also be noted that we do have plenty of other customers who have deployed SRX and have never experienced this issue. Once 10.0R3 is released, we would still need to validate in the field that 10.0R3 resolves this issue for all customers that have seen the problem.
04-21-2010 04:30 PM
In your comment, "It should also be noted that we do have plenty of other customers who have deployed SRX and have never experienced this issue." are you implying that all of us are making this issue up!
You cannot discount the issue we are raising just because as you said, there are plenty of other deployed srx that are not having it. But the common theme here, I believe, is that on an SRX210/240 platform running 10.0R1.8 with AV, UTM, and IDP features enabled experiences this issue and by disabling these featues makes it work!!!
If JTAC cases have been raised regarding this issue, are you saying that they cannot reproduce the issue in a lab situation?
04-22-2010 05:55 AM
Where can I find release notes on fixes in 10.0R3.10? The documentation associated with the download (http://www.juniper.net/techpubs/en_US/junos10.0/in
04-22-2010 06:02 AM
The public resolved issues are at:
However I had a few other issues that were fixed, but not listed in the fix list.
04-22-2010 07:23 AM
@BenR - please re-open or re-engage on your JTAC case - either the fix doesn't work, or this is a similar symptom with different root cause.
@Everone else - if 10.0R3 resolves the issue for you please post back.
I have asked a member of my team to run an analysis on the release-note contents for SRX to see if we can make some process improvements in what's reported in the known-issues and resolved-isses areas.
05-04-2010 12:12 PM
versello (OP) said something about disabling all IDP features. I'm having what looks like the same problem with my SRX240 HM and was wondering how you go about doing that. I can post my config if it helps.
05-04-2010 02:30 PM - edited 05-04-2010 02:31 PM
One of the J-TAC engineers working on my case also said some indications point to IDP (I just have UTM disabled)... perhaps I'll disable it. This will mean my device isn't any better than my replaced PIX 515e.
05-05-2010 04:57 AM
My SRX has been running for two weeks without issues on 10.0R3.10. It doesn't have any IDP features enabled which may be part of the equation. It's dissapointing that Juniper hasn't ironed out those problems yet though.
05-09-2010 12:56 PM
I tried the suggestion from oldtimer to restrict port switching, but it didn't seem to help. I'm installing the 10.0R3 right now, so I'll post back with results in a few days.
05-12-2010 10:52 AM - edited 05-12-2010 10:53 AM
My SRX240 HA Cluster on 10.1R1.8 just crumbled when I downloaded the IDP database and templates. I set the Recommended template to Active but hadn't apllied the IDP to any policies yet. I have been running for 2 weeks with Web-Filtering turned on with no issue. When I kicked off the download of the IDP database, I saw that one of my Zones stoped passing data to and from the other Zones. Just like that, no change of policies or anything. Just ran the command "request security idp security-package download" During this outage, the Firewall could ping the affected zone, just no one else could. Then one by one, the other zones stopped responding. I could stay on the telnet session to the firewall, but all traffic between all zones just stopped.
I am leaning towards
1) JUNIPER NEEDS TO GET THEIR CODE FIXED, this is major release 10 of your software and it still doesn't work?!?!?!?!
2) IDP is the culprit in these cases.
05-18-2010 06:13 AM
After upgrading to 10.0R3 and applying the fix for PR#521684, my device would only core flowd about once a week. I have upgraded to 10.1R2.8 now, because I was told by JTAC that my last crash cause was fixed in it. So far so good with ExpressAV, Web filtering and IDP enabled. Only problem with this release so far has been the DNS alg, which has been blocking DNS replys with CNAME pointing to the base domain address (IE www.asp.net CNAME asp.net, etc.) so I disabled the DNS alg.
05-19-2010 07:21 AM
BenR - Can you let me know if your system becomes unresponsive? JTAC told me 10.1R2.8 doesn't have the fix to my core-dump IDP issue, so I probably won't even bother with it.