04-22-2010 07:23 AM
@BenR - please re-open or re-engage on your JTAC case - either the fix doesn't work, or this is a similar symptom with different root cause.
@Everyone else - if 10.0R3 resolves the issue for you please post back.
I have asked a member of my team to run an analysis on the release-note contents for SRX to see if we can make some process improvements in what's reported in the known-issues and resolved-issues areas.
05-04-2010 12:12 PM
versello (OP) said something about disabling all IDP features. I'm having what looks like the same problem with my SRX240 HM and was wondering how you go about doing that. I can post my config if it helps.
05-04-2010 02:30 PM - edited 05-04-2010 02:31 PM
One of the J-TAC engineers working on my case also said some indications point to IDP (I just have UTM disabled)... perhaps I'll disable it. This will mean my device isn't any better than my replaced PIX 515e.
05-05-2010 04:57 AM
My SRX has been running for two weeks without issues on 10.0R3.10. It doesn't have any IDP features enabled which may be part of the equation. It's disappointing that Juniper hasn't ironed out those problems yet though.
05-09-2010 12:56 PM
I tried the suggestion from oldtimer to restrict port switching, but it didn't seem to help. I'm installing the 10.0R3 right now, so I'll post back with results in a few days.
05-12-2010 10:52 AM - edited 05-12-2010 10:53 AM
My SRX240 HA Cluster on 10.1R1.8 just crumbled when I downloaded the IDP database and templates. I set the Recommended template to Active but hadn't applied the IDP to any policies yet. I have been running for 2 weeks with Web-Filtering turned on with no issue. When I kicked off the download of the IDP database, I saw that one of my Zones stopped passing data to and from the other Zones. Just like that, no change of policies or anything. Just ran the command "request security idp security-package download". During this outage, the Firewall could ping the affected zone, just no one else could. Then one by one, the other zones stopped responding. I could stay on the telnet session to the firewall, but all traffic between all zones just stopped.
I am leaning towards
1) JUNIPER NEEDS TO GET THEIR CODE FIXED, this is major release 10 of your software and it still doesn't work?!?!?!?!
2) IDP is the culprit in these cases.
05-18-2010 06:13 AM
After upgrading to 10.0R3 and applying the fix for PR#521684, my device would only core flowd about once a week. I have upgraded to 10.1R2.8 now, because I was told by JTAC that my last crash cause was fixed in it. So far so good with ExpressAV, Web filtering and IDP enabled. Only problem with this release so far has been the DNS alg, which has been blocking DNS replies with CNAME pointing to the base domain address (IE www.asp.net CNAME asp.net, etc.) so I disabled the DNS alg.
05-19-2010 07:21 AM
BenR - Can you let me know if your system becomes unresponsive? JTAC told me 10.1R2.8 doesn't have the fix to my core-dump IDP issue, so I probably won't even bother with it.