Juniper SRX JUNOS Software Upgrade 10.1R1.8
Apr 20th
We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network, and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8, so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.
You can find the release notes for JUNOS 10.1 on the Juniper website.
We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).
The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes; you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.
root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145   1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
 32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!
*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
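A small triage script for transcripts like the one above, added here as an example and not part of the original post or of Junos itself: it pulls out the package signature verifications ("Verified ... signed by ..."), tallies the rtslib kernel/daemon version-mismatch notices per daemon, and records whether configuration validation succeeded and which release is staged for the next reboot, so a batch of upgrade logs can be checked without reading each one. The embedded log is a constructed excerpt modelled on the output above.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the SRX upgrade transcript (not the full log).
SAMPLE_LOG = """\
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.1R1.8-domestic signed by PackageProduction_10_1_0
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
mgd: commit complete
Validation succeeded
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
JUNOS 10.1R1.8 will become active at next reboot
Rebooting ...
"""

SIGNED_RE = re.compile(r"^Verified (\S+) signed by (\S+)$")
RTSLIB_RE = re.compile(r"^(?P<daemon>.+?): rtslib: (?P<level>ERROR|WARNING) "
                       r"(?P<msg>.*?)(?:,a reboot or software upgrade may be required)?$")
ACTIVE_RE = re.compile(r"^JUNOS (\S+) will become active at next reboot$")


def summarize_upgrade(log: str) -> dict:
    """Triage a `request system software add` transcript.

    Returns the packages whose signatures were verified (with the signing key
    name), rtslib mismatch notices counted per (daemon, level), whether
    configuration validation succeeded, and the release staged for reboot.
    """
    verified = {}
    mismatches = Counter()
    validated = False
    staged = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := SIGNED_RE.match(line):
            verified[m.group(1)] = m.group(2)          # package -> signer
        elif m := RTSLIB_RE.match(line):
            mismatches[(m.group("daemon"), m.group("level"))] += 1
        elif line == "Validation succeeded":
            validated = True
        elif m := ACTIVE_RE.match(line):
            staged = m.group(1)
    return {"verified": verified, "mismatches": dict(mismatches),
            "validated": validated, "staged": staged}
```

A sensible gate before the reboot is that the summary shows validation succeeded, a staged release, and a signer for both the boot package and the main image.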
I hope to post some additional information as we move forward with the Juniper SRX platform.
Cheers!
Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7
Dec 10th
Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1; if you haven’t heard about them, you can go read the earlier posts on the subject:
- Juniper SSL VPN Secure Access 6.5 Available
- Norton 360 and Juniper SSL VPN WSAM
- Juniper SSL VPN Upgrade – Client Software
- Juniper SSL VPN Appliance and Windows Vista 64-Bit
I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.
You can find the release notes for 6.5R2 here.
Windows 7
When will Juniper Networks’ SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article KB13195.
Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the known caveats/issues.
Known Issues/Caveats:
* All client components:
- Unable to install or launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)
* EndPoint Integrity:
- When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)
* Secure Virtual Workspace (SVW):
- When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
- On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
- On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)
* WSAM:
- If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 or Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus. (434715)
Cheers!
Update: January 6, 2009
I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software; please see the forums for additional details.
Which branch office VPN solution?
Nov 20th
I’m looking to replace the two aging Nortel 1700 VPN Routers (formerly Contivity). These VPN routers provide branch office tunnels to our remote offices, vendors and business affiliates. We utilize two VPN routers which are geographically dispersed and connected to different tier 1 Internet Service Providers. This allows us to provide high availability and redundancy when used in conjunction with OSPF routing.
I’ve essentially boiled my options down to two possible solutions (vendors);
So which do I choose, and how do I best evaluate the different products? The primary purpose of the device is to provide branch office IPSec tunnels. The product needs to support OSPF and it needs some limited support for Multicast over VPN.
This morning I was lucky enough to have one of our preferred vendors, who just happens to be a Juniper reseller, come on site and help set up 2 Juniper SRX 210 gateways for us to demo. I’ve never worked with a Junos based product, and while the web based GUI was fairly straightforward, the CLI interface is going to take some time to get used to. It’s not like Cisco, or Nortel, or Brocade, or Blade Technologies. Thankfully I did find a quick start guide that helped get my feet wet with Junos.
Once I’m done with the Juniper SRX I’ll need to turn my attention to the Cisco ASA (Tom you know what I’ll be calling for soon – demo time).
I’ll post a summary once I have some thoughts about the Juniper SRX. Anyone care to comment regarding either the Juniper SRX or the Cisco ASA as it pertains to branch office VPN tunnels? As a note I’m already migrating our Nortel VPN end-users to our Juniper SSL VPN Secure Access 4000 appliances.
Cheers!
Norton 360 and Juniper SSL VPN WSAM
Oct 2nd
Update: Thursday, October 8, 2009 I decided to rewrite this post to include all the information I’ve accumulated while troubleshooting the issues I’ve encountered deploying software release 6.5R1 for my organization. I can’t tell you how valuable it is to have access to a virtual machine with snapshot capability while testing all the different possible anti-virus, anti-spyware, and security software that’s out there in the wild with Juniper’s Windows Secure Application Manager. Since Juniper has yet to really release any useful information I thought I would add some additional notes to this post around the different software products that I’ve discovered can interfere with Juniper’s Windows Secure Application Manager (WSAM) client software.
If you’re a regular follower you know that we recently upgraded our Juniper Secure Access 4000 SSL VPN appliances from 6.2R1 to 6.5R1. You also know that we discovered that the old Juniper Installer Service from 6.2R1 is unable to upgrade the Juniper software components for non-Administrator users. You’ll need to manually install the Juniper Installer Service if your users are non-Administrators of the local computer they work on.
Norton 360, Norton Internet Security, Norton AntiVirus 2010
We’ve been successful in duplicating customer reported issues between Norton 360 or Norton Internet Security or Norton AntiVirus 2010 and Juniper’s Windows Secure Application Manager (WSAM). Windows XP users running any of the above Norton products will generally experience a blue screen of death crash (IRQL_NOT_LESS_OR_EQUAL) when clicking on a bookmark that relies on the WSAM client. Windows Vista users running any of the above Norton products will generally hang the machine (only after the first reboot from the time the product was installed) when launching the WSAM client software upon logging into the Juniper appliance. As a side note to this problem, users running Norton 360 (v3.0.0.135) do not experience this problem, only users running Norton 360 (v3.5.2.11). Juniper Technical Assistance Center (JTAC) has acknowledged that a problem exists and is working to release 6.5R2 in November 2009 to address the problems with Norton.
Symantec AntiVirus v10.x
Users running Symantec Corporate Edition AntiVirus v10.0 and v10.2 experience intermittent local name resolution issues from DNS, WINS and local NetBIOS name broadcasts while the WSAM client software is running. The name resolution issues are not present when WSAM is not running. A possible workaround is to create static HOST entries in the local HOSTS file (C:\Windows\System32\drivers\etc\hosts). JTAC has acknowledged that a problem exists; I’m still waiting for additional information from JTAC.
ESET NOD32 Smart Security 4 and Antivirus 4
The testing in our lab has shown varied results. In some instances the latest and greatest release of NOD32 appears to work fine with WSAM. The later versions of NOD32 appear to add exceptions for the Juniper software components in the advanced configuration section under ‘Web Access Protection’. Older versions of NOD32 appear to block WSAM from communicating with the Juniper Secure Access Appliances even though the application indicates that it’s ‘Connected’. In our testing we did find that JSAM and NC both appeared to function properly with the latest version of ESET NOD32 installed. We’ve implemented a workaround for our customers using JSAM and that appears to be working for our users.
Check Point ZoneAlarm Security Suite
We’ve been able to re-create this problem and also have a ticket open with JTAC. We’ve tried adding exceptions and making IP addresses ‘trusted’ in Check Point’s language. We’ve been completely unsuccessful in getting this product to work with WSAM. The symptoms are identical to NOD32, where the WSAM application launches successfully and indicates that it’s ‘Connected’ but you’re unable to connect to any WSAM applications. In our testing we did find that JSAM and NC both appeared to function properly with ZoneAlarm installed. I have a support ticket open with JTAC but I haven’t received any feedback yet. We’ve implemented a workaround for our customers using JSAM.
I also learned from a user that Spybot Search & Destroy has a feature that can ‘lock’ the local host file on a computer preventing Java Secure Application Manager (JSAM) from operating properly.
Anyone else having any issues or findings they care to share?