SRX Services Gateway

SRX - Juniper still joking ?

‎04-01-2010 06:17 PM

Hi,

 

Sorry that every time I have an issue I have to complain about the SRX series....

But in my eyes, if a company like Juniper puts out a security product, or should I say a new router, the SRX series, there are problems, even if they have gotten better with each release...

I bought the SRX series because they are new and are replacing the SSG series, so the marketing said.

OK, I bought it, but I do not want to be a beta tester! I will, but please tell me that first!

So I will not pay for the support of a beta product; it has been out for a year!!!!!

 

If I know that only the CLI will work, it's OK. But the WebUI and NSM are still facing really big problems, as I have been testing for 3 hours at my home. NSM, he he, is missing logging, SNAT and so on!!!!!

NSM is still bad, as it is for the ISG series, and by the way still slow! Fix it! It's a joke paying for that.

I don't want to put a KB (wiki, what if it does not work and in what way); it is my own to fix the SRX problems facing at my home, or should I? If CLI does that, and in WebUI do that, or if it doesn't work, do that and otherwise?

It's only an SRX210, but bought with my own money to do the certification for the new security products of Juniper, as we are thinking of switching to the SRX3600 or higher.....

It's still a joke if I have to pay for fixing these bugs!

If Juniper will lose datacenter customers, yes, I'm testing the SRX210 for my company on my own, that's the best way!!

 

Sorry if I'm honest and say what I think, but lately only ScreenOS is stable, thanks for that!

Hoping that ScreenOS does not get the performance of NSM and the bugs of the SRX series.

If Juniper does so, my ISG2000-Cluster will, at the first problem I face, be put out of production, as I'm working for a datacenter and sick of protecting Juniper!

I know Juniper is good, but nowadays there are too many problems they have to fix, and they are doing nothing!

NSM for example!

Please feel free to contact me, I'm really pissed off at the SRX (STOPPING WITHOUT LOGS, etc.)!

It's not funny if the FW stops passing traffic during the weekend, or should we monitor the SRX with some tool and send SMS? If Juniper will pay for my hours, no problem.

 

Regards,

Armin

 

 

-PIccolo
34 REPLIES

Re: SRX - Juniper still joking ?

‎04-02-2010 09:30 AM

I had a lot of issues early on with NSM and the SRX, it's better today, but still not great.  The WebUI on the SRX is horribly slow and appears to spike the CPU on the SRX.  We have asked our Juniper Rep. numerous times for an NSM roadmap, but he just ignores us.  Fairly certain they are going to EOL it within a year and ask customers to purchase their new management tool (Junos Scape or something like that).

 

For the most part the NSM/SRX combo has been stable recently, but I really would have liked to see A LOT more fixes in the 2010 release...


Re: SRX - Juniper still joking ?

‎04-03-2010 05:27 AM

You've made it more than clear that you're dissatisfied with the SRX series.  Instead of spending your time complaining on the forums would you please spend it working with JTAC on these issues?

 

Thanks.


Re: SRX - Juniper still joking ?

‎04-03-2010 06:20 AM

Unfortunately all of the new products are very buggy..

 

JUNOS is a buggy piece of software anymore.. My company is primarily a Cisco shop and all you hear is how JUNOS was so stable, unbuggy, etc.. back in the day.. Now that we're looking at their products (and using some), honestly Cisco IOS/NX-OS/XR, etc.. doesn't seem nearly as bad to me. It has its bugs, but at least basic features usually if not always work.  I can't say the same for JUNOS anymore..

 

The worst part is that when you do find bugs and work with JTAC on it, it then takes months to get a fix.. JUNOS needs to have quicker feature rollout and bug fixes if they want to compete with Cisco.

 

Sad but true 😞


Re: SRX - Juniper still joking ?

‎04-03-2010 07:44 AM

Hello there,

The workaround for slow WebUI was posted on this forum a few weeks ago:

 

 

request system storage cleanup
request system software delete-backup

 

 

It will result in more free flash memory becoming available and faster WebUI.

HTH

Regards

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: SRX - Juniper still joking ?

‎04-04-2010 09:31 AM

@buckweet

 

Can you qualify this statement a bit more? "Unfortunately all of the new products are very buggy.." - are you thinking specifically of the Branch SRX products or are you seeing issues on our other product families? It is obvious from posts to this board that we (Juniper) did not do our best possible work on development and testing early releases of Junos for the Branch SRX when more complex configurations were used.

 

It should also be obvious that more recent versions -- which are released every quarter -- are significantly better and meeting most customer needs. We still have issues - for example NSM not pulling SRX logging (which is Piccolo's most current complaint) - but for most customers in most configurations the Branch SRX products are working fine with recent versions of Junos. 

 

We have not seen similar systemic issues with any other products.

 

The Branch SRX products are very complex and we have re-tooled our testing and development practices to ensure that we never see these types of issues again. We all wish we could fix everything overnight, but it is the nature of complex systems that all changes (even fixes) introduce risk - in order to mitigate that risk we need to manage the number of changes that occur in each release to ensure adequate testing and design.  And we continue to have tremendous focus on this internally - we have heard customer concerns loud and clear. I have every confidence that SRX will soon meet or exceed the high bar of reliability set with ScreenOS.

 

Please continue to work closely with JTAC - we have discovered for example that some issues raised on this board had never actually been reported to JTAC - it's difficult to fix what we don't know about!  JTAC has fixes, workarounds or service releases to handle virtually every known issue at this point.

 

I do want to thank everyone for their patient and professional comments on these very frustrating issues. We do read them and we take them to heart to ensure that we learn from our mistakes and improve our products to the highest quality standards. I especially want to thank those who post their working configurations, versions, combinations, etc as this helps everyone understand the product better.

 

Sincerely,

 

-Keith


Re: SRX - Juniper still joking ?

[ Edited ]
‎04-05-2010 10:50 AM

I understand there's a high level of frustration with some of the Branch SRX issues, please be assured that our JTAC and product folks are working very hard at resolving them, and your patience and professionalism in discussing these issues on the forum is much appreciated. As Keith said, in addition to J-Net posts, please make sure you also report your technical issues to JTAC and continue to work with them closely.

 

It is the mission of this community for members to help each other, and please remember all of the superusers, moderators and admins are on your side to help you resolve these frustrating technical issues. I completely understand the frustration one experiences when dealing with any technology issues, but I'd like to gently remind everyone to please continue to remain professional in the forums and promote a collaborative environment in order for the community to better help you. Other users who may already have resolutions for your issues will be more likely to chime in and help if we can promote a friendly and collaborative atmosphere in our community.

 

Again, thank you for your patience and understanding. And a huge thank you to those who have been contributing to resolutions and answers to help the community. As always, please feel free to send me a PM or email j-net@juniper.net if you have any questions or want to continue the conversation with me offline.

 

ac

 


Re: SRX - Juniper still joking ?

‎04-05-2010 01:19 PM

To piccolo78 I can only say that if you are that unhappy with the SRX-box, I will happily free you from it for free, because I'm such a nice guy. I'll even pay for shipping.

 

As I said in the other thread, I feel that the SRX is a very competent platform. It is noticeable that the platform is still very young. For some of the annoying issues mentioned in the other thread, I'm really missing some real life configuration examples for different solutions. The way the documentation is split up today is a real pain, and leaves us without a complete reference guide to all commands.

 

A dream would be that Juniper would work together with some of us in the "real world" to make up real life configuration examples for say the 50 most used features/designs. That would probably help people who use the SRX and/or Junos for the first time.


Re: SRX - Juniper still joking ?

‎04-05-2010 04:53 PM

I can't agree with you more on the real world configs. I can't tell you how many times I have tried searching for a real config to help with configuring the device or trying to figure out a feature or problem. Good idea!


Re: SRX - Juniper still joking ?

‎04-05-2010 05:07 PM

Just making sure everyone knows about http://kb.juniper.net/KB15694 . What would be the priorities of things not covered there?

 

Regards,

 

-Keith


Re: SRX - Juniper still joking ?

‎04-05-2010 11:59 PM

Yes, I'm aware of KB15694. It's a good jumpbox, but since all the information is split up in several different places, it's impossible to download it and take it with you. Not all places have Internet. I'm missing the complete "command reference" that Cisco have.

 

But many of the documents KB15694 links to are not real life examples. For instance, all the VPN documentation says about VPN monitoring is:

 

 

Optionally, you can also configure VPN monitor settings if desired.

But, it's not really optional. If you don't have it you get questions like this. On the other hand, I don't think I've seen examples from Juniper on the best way to do dual ISP redundancy anyway.

 

And staying with VPN, KB10951 describes how to interconnect SSG with Check Point; I don't think I've seen similar for SRX. That kind of thing would be useful.

 


Re: SRX - Juniper still joking ?

‎04-06-2010 01:19 AM

I think Juniper needs to add more technical example configurations before they release the SRX.

Like the SRX 210 MGW series: it supports FXS/FXO, but the KB still does not show an example configuration, etc.

 

 

 

Thanks and Regards,

 

Husni


Re: SRX - Juniper still joking ?

‎04-06-2010 03:08 PM

Thanks - great feedback we can always use. I've passed it on to the program manager.

 

BTW - the Jumpstation KB was a direct result of comments we got about the lack of examples in the SRX documentation. That KB was the fastest way for us to publish, but there is meanwhile a much larger effort underway to beef up the formal documentation as well.  Many customers have commented that they'd like to see the equivalent of the C&E (configuration and examples) guide for ScreenOS, so we're using that as the model.

 

When I have the timeline for that I will post an update.

 

-Keith

 

 


Re: SRX - Juniper still joking ?

‎04-07-2010 06:18 AM

Hi Keith,

 

I can definitely confirm that the ScreenOS manual is extremely well written and any efforts to bring JUNOS docs close to that would be very welcome.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?

Re: SRX - Juniper still joking ?

‎04-07-2010 06:56 AM

Hi @ all,

 

I’ve also seen many improvements in JUNOS ES in the last months, so Kudos to the Juniper Software Engineers! If you don’t have high requirements regarding availability, JUNOS ES could fulfill the requirements.

 

But if you’d have to use the chassis clustering mode, JUNOS ES is currently absolutely not ready for production use! For sure, the cluster is running more stable in comparison to 9.6.r1 (etc), but there are still many (in my opinion) fundamental issues. Some really annoying examples (tested on SRX 240, 10.1R1.8):

 

- If RG0 and RG1 don’t run on the same node, the Webfilter stops forwarding traffic and the AV Engine doesn’t scan any files. Because of this, I have to trigger a manual failover for RG0.

- Netflow/Sampling stops exporting flows to external servers.

- Syslog stops exporting data.

- No “official” IP tracking

 

If I took a closer look, I'm sure I would find some more show stoppers.

 

One more thing about the Integrated Convergence Service: Afaik the SRX ICS is a security device so… how could you afford to use the Asterisk Business Edition (ABE) in version ABE-C2.0.6? If the Juniper engineers haven’t applied some patches, the SRX ICS device could be affected by some serious security flaws. Really… my brain hurts if I think about Asterisk on a security device!

 

One last word: I really like the SRX Series and I hope it will be a valuable security platform in the (near) future. I also see many improvements in documentation… but Juniper should mention some/many problems before selling these devices.

 

Greetings

 

Tweety


Re: SRX - Juniper still joking ?

‎04-07-2010 09:05 AM

@Tweety - do you have cases open on these issues? Has JTAC provided PR's?

 

The Asterisk question is a good one - rather than bury it in this thread would you mind asking again in another post?

 

Thx

 

-Keith


Re: SRX - Juniper still joking ?

‎04-07-2010 12:55 PM

Hi Keith,

 

I don't have any specific JTAC cases, but the mentioned issues have been reported to an engineer of my local Juniper distributor. This person seems to have a comprehensive list of known issues. I really can't imagine that the first mentioned flaw is not known by the JTAC.

 

I'll send you more information concerning Asterisk in a PM.

 

Thanks for your remarkable support

 

Tweety


Re: SRX - Juniper still joking ?

‎04-08-2010 12:52 PM

I took your advice and opened a JTAC case. I've been sitting on two SRX-650's here for almost 8 months. I'd like to use them in our environment, and replace our SSG-320's, but the feature set that I need isn't there yet. Even if it was, with all the stories I'm reading of devices hanging and crashing, I'm not sure that I would trust it.

 

The number of things that "don't work" in cluster mode is astounding. For a unit that is supposed to eventually support in service upgrades, to require downtime when in cluster mode during a software upgrade is kind of silly. No GRE termination, etc etc. 

 

As an aside if you look in /etc/config on 10.1R1.8 you can see:

srx630-defaults.conf

srx680-defaults.conf

 

Hopefully Juniper will hold off on releasing those units until the SRX650 platform actually works properly. Paying for a support contract doesn't help you configure a device missing features.

 


Re: SRX - Juniper still joking ?

‎04-09-2010 01:56 AM

Hi there,

 

You are so right. I am often sitting in the office getting grey hairs about problems with Juniper SRXs. Most problems are incompatibility with other products in IPsec. I am very sad about it. I use the JTAC very often, but I have to say that I seldom got a successfully closed ticket. Most of the problems are still there, or you have to discuss whether it is a feature or a bug ?!?!

 

I would say at the moment we need 1 guy just to get our 4 SRXs flying. I am very sad about that because our small Funkwerk VPN router has done everything so well - but it is not compatible with 100 Mbit IPsec.

 

I agree with you - I do not know why I have to pay support for a BETA test. For example, we bought an AV subscription that we were able to use for the first time after 6 months because of bugs in JUNOS which cause memory leaks or hang-ups of the SRX.

 

It would be nice to get an acceptable offer from Juniper for the lost subscription time and for generating X issues in JTAC.

 

br Daniel


Re: SRX - Juniper still joking ?

‎04-10-2010 08:16 PM

One large challenge that I have not been able to get a clear answer on from JTAC or from sales channels.

 

How can it be that I can only have 8 NAT rules from zone to zone?

 

I understand there are various workarounds, but that's not the point.

 

Don't suppose anyone knows of a road map in which this will be resolved.

 

I am just hard pressed to understand how an enterprise-class firewall could have such limitations with NAT.

 

Your feedback is welcome.
