SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Known issue Chassis cluster and VPN through NAT device fix or not in JUNOS 10.4R3 on SRX series?

  • 1.  Known issue Chassis cluster and VPN through NAT device fix or not in JUNOS 10.4R3 on SRX series?

    Posted 04-20-2011 21:52

    Dear all.

    There are two issues that make me concerned about whether to buy an SRX or not.

    1. The SRX chassis cluster failover known issue.

         I checked the release notes of stable JUNOS 10.4R3.4:

         "During manual failover, a system crash might occur if the nodes have not completely recovered from a previous failover."

         Is this a big issue to trigger on a cluster, or are there more issues with the SRX cluster?

     

    2. Does the SRX VPN function support NAT devices in front of the SRX device in JUNOS 10.4R3?

        I checked the release notes and haven't found a note about this.

     

    Thanks for your reply!



  • 2.  RE: Known issue Chassis cluster and VPN through NAT device fix or not in JUNOS 10.4R3 on SRX series?
    Best Answer

    Posted 04-21-2011 04:22

    1) is not a big concern. Standard operating procedure is to establish health of the cluster before any manual failover; therefore, as long as procedures are being followed, you are not going to see this crash.

     

    2) Yes, NAT-T is supported for remote peers. Your central HQ "VPN Hub" should be reachable on a direct public IP, of course, the same way that ScreenOS behaves.

     

    One of the biggest challenges for SRX today, particularly when clustered, is UTM stability and behavior during failover. If what you have in mind is basic Layer 4 firewalling + IPSEC, it will work great.

     

    Also keep in mind that "dual ISP without dynamic routing protocol" is supported today, but difficult to set up, and with limitations. If you use BGP towards your ISPs, you are golden; ditto if you only have one ISP.