Good Junos version for SRX650

01.23.12  
‎01-23-2012 05:49 AM



Since I don't have much experience with JunOS, I would like a recommendation for a JunOS version for the SRX650. We have 2 devices in cluster, and as much as I've read about it there are many limitations of running a cluster (some features not supported in cluster etc.). I've been reading documents about different versions, train explanations etc. and I don't know whether it is best to stick with EEOL versions (the 10.4(R8.5) version is last stable EEOL version since 11.4 is only at R1) or 11.2 that seems to have some nice features like in-band cluster upgrade, new IDP database structure etc.

Then again 11.4 has even more features, but is in early R1 stage and none of the features provided seems THAT important to us (well there are some app secure features and IDP signature description that we find interesting), but it is the next EEOL version and in due time it would be cool to upgrade to it.


Atm though, what would you recommend? How stable is 11.2R4 compared to 10.4R8? Is it worth upgrading to it or to 10.4.R8 (we're on 10.4.R7 atm, but when we ship the devices we would like them to operate on a version that is as good as possible so we don't have to do any more work on it soon after installing them at the customer)?

From your experience what is the best practice? Upgrading often? Every EEOL? More often than that?

What seems to be the best practice?


I see ppl say don't use any version below R3, try and use EEOL version etc. Even Juniper states out in their KB that we should use 10.4.R8 - it's a 2010. edition, we're in 2012.!!! Just thought I should point that out. Maybe I'm still young, naive, or at least new to Juniper, but it all seems a bit confusing atm.

01.23.12  
‎01-23-2012 11:46 AM

It is all a bit confusing. I think your comments make a couple of good points that should help in your decision:


1) You don't want to have to touch the remote devices very often

2) We assume that 10.4R8 has all the features you need (in spite of there being some attractive ones in a later release)


It's also a basic risk tolerance question. If these deployments are in support of a gaming platform, your risk tolerance might be different than if they are transiting medical telemetry. 


10.4R8 has by far the largest set of field experience of the releases you mention.  But this doesn't mean that 11.4R1 wouldn't work right out of the box with your configuration (it was, in fact, a pretty solid release). Testing your desired configuration in a lab is a best practice that should always be adopted.


Given #1 and #2 are correct - 10.4R8 is a good decision and has a lower risk profile. The other releases have a higher risk profile (due to less field experience), but offer features that may be attractive in the context of your network feature roadmap.


As a reminder, 10.4 release is fully supported until June 2014.


01.24.12  
‎01-24-2012 05:04 AM

If I were you I would stay away as far as possible from any release that has 11 in it. From my experience (I had to learn the hard way) most of them are unstable and full of bugs. I experienced several situations in which my SRX boxes would crash and had many tickets open with JTAC. 


If you put this into a production environment and not just testing, use 10.4R6.5 or R8.5. Both seem to be what others here call "rock solid" and I haven't had any problems with it (except some minor stuff).


01.25.12  
‎01-25-2012 11:58 PM

Yes, it seems we had to learn the hard way also. We put 11.2 on and there were troubles. First thing the cluster didn't work, there was no way to get the control link working. There were issues never before seen with this configuration on 10.4Rx versions and to make things worse we couldn't do anything but to delete configuration, downgrade it to 10.4R8 and then redo the whole configuration.



Seems there are some issues unresolved with 11.2R4 (mby R5, not sure any more) and I wouldn't recommend it. Maybe the rest of you won't have this kind of problems, we did.


10.4R8 seems like the one we will be using and I would recommend it to those who have a similar question to the one I had.

01.29.12  
‎01-29-2012 11:41 PM

Ha, well... I would lie if I said this was simple. On version 10.4R8.5 IDP in cluster didn't work at all. It was there, it was on, it just didn't stop anything.

So back to version 11.2R5 we went, again the problems with cluster, this time we fixed it... don't ask how, God knows, but it works now, and IDP works in cluster on version 11.2R5.


I rly wish this was simpler tbh, but as of this moment we have a setup which we will be proud to put in production at our customer. Cluster works, IDP works, screening works, throughput is rly nice, under heavy attack (nessus from one machine, hping from another) CPU doesn't go over 45-50%.


So I guess with Juniper it rly is touch and go version wise, and try until you get it working the way you wish it does.

We're on version 11.2R5 and it works for us. I hope 11.4R4 comes soon so we can upgrade to EEOL, but I don't think we will be doing anything more until late summer if we put this into production.


Thank you for the help you provided.

02.01.12  
‎02-01-2012 03:16 PM
After some rough times with the 10.2 series, we have had pretty good luck with the 10.4 series. I have some boxes with months of uptime on 10.4r5 that I am in the process of updating to 10.4r7 (we did all our testing while that was the recommended version.) We are updating because I saw some odd entries in my cluster logs showing failures (but no users seemed to notice, so the clusters must have done their job and seamlessly transferred the sessions) and JTAC said this version will resolve that.