INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

The perfect storm NSM and SRX240 Cluster

The perfect storm NSM and SRX240 Cluster

(OP)
We've had NetScreen OS type firewalls for about 5 years now, SSG520, NS25, NS140, and ISG cluster. The NS OS is stable and NSM is an easy way to fully manage our enterprise.  We even run NSM on a VMware server and it runs just fine.  NSM is the way to go if you have more than a couple of Juniper firewalls; it looks very much like a Checkpoint interface, how coincidental.
This spring we were ready to add a new data center and we decided to go with the SRX 240 in a clustered environment. It appeared that Juniper was moving toward a Junos OS ( FreeBSD) and we wanted to try it out.  We received our SRX's in March, 2010.  First  thing we noticed was there is virtually NO NSM documentation covering a SRX240 Cluster (or any SRX cluster).  That's why when we went to tech support finally we noticed they seamed to be all over the board trying to find information, but could not.
After many hours on the phone with NSM and SRX support we were able to get the NSM server to communicate with the SRX cluster. Clustering requires a separate subnet for the Management interfaces.  Also required documentation was only available internally to support staff.  NSM support did not have any idea how to do this. Be aware if you start out with 16 Ethernet ports after cluster you only have 13 for data, three are sacrificed for the cluster, an ISG cluster only needs one "HA" port sacrificed.
On each SRX one of the three ports is a management port, except that only the NSM server can use the interfaces, you cannot setup ssh, telnet, http or https on the interface to manage each device individually.
 You can setup the reth (redundant ethernet) to respond to ssh, telnet, http and https but only the primary node will respond to the remote client.  This is really great when it is time to upgrade the cluster, it guarantees down time.  You can find other comments about this on the forums.
 We spent a long time with NSM staff asking how to setup a new interface and build a policy using NSM. There is no NSM documentation concerning managing a SRX cluster that we or they could find.   Know one at the NSM group has any idea how to do this from scratch.  Only by getting the SRX group involved, using CLI, could any progress be made on the clustered environment.  By watching what is happening on the CLI I and then going through the various NSM web screens I was able to figure out a way to create Interfaces, Zones, Reths, Services and Routes.  Weeks later I have made a walkthrough with screen shots for my staff so that we can do all this from NSM, 30 pages of notes  We have yet to tackle NATs, DIP's, MIP's and VPN's, which we will need soon.
   When the cluster was finally up we found that it would not send logs from the cluster to the NSM server.  This is a known problem between NSM and SRX supposed to be fixed in a later release.  So then we needed to upgrade the NSM schema and the SRX to 10.1R2.8.  NSM support helped us with the upgrade, they upgraded the primary SRX unit which broke the cluster and then they turned us over to the SRX group to upgrade the secondary unit. Hours later when both units were upgraded we got most of the logs but not all, the log file is missing "rule #" and "policy #".  We have had a ticket in with NSM and SRX support for a week now without a solution provided.
By July 2010 we still do not have a working cluster that I would trust in production.  Knowing what I know now we would have never purchased the SRX cluster, another lesson learned.  I would have never have believed support would be so bad on a product.  Key words: Lemon, crap, junk, trouble, failure, fail and lousy NSM and SRX service. Get a cluster and try it for yourself.
 

RE: The perfect storm NSM and SRX240 Cluster

thank you for your comments.  We've had major issues with our SRX cluster too.  We're at the point of ripping the lot our and going back to SSG or ISG

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close