Posts tagged Juniper

Juniper SRX JUNOS Software Upgrade 10.1R1.8

We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8 so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.

You can find the release notes for JUNOS 10.1 on the Juniper website.

We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).

The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes; you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145                        1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
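
As an added example (not part of the original post and not Juniper tooling), the Python function below parses an install transcript like the one above and reports which packages were logged as signature-verified, whether configuration validation succeeded, which release is pending at next reboot, and how many rtslib messages each component logged. The function name `summarize` and the result keys are assumptions made for this example; the sample lines are abridged from the transcript above.

```python
import re

# Lines abridged from the installer transcript above (not new data).
SAMPLE = """\
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Verified manifest signed by PackageProduction_10_1_0
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
mgd: commit complete
Validation succeeded
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
JUNOS 10.1R1.8 will become active at next reboot
"""

VERIFIED = re.compile(r"^Verified (\S+) signed by (\S+)$")
RTSLIB = re.compile(r"^(.+?): rtslib: (ERROR|WARNING) ")
ACTIVE = re.compile(r"^JUNOS (\S+) will become active at next reboot$")

def summarize(transcript, target):
    """Summarize an install transcript for the release string `target`."""
    signed, rtslib = [], {}
    validated, pending = False, None
    for line in (raw.strip() for raw in transcript.splitlines()):
        if m := VERIFIED.match(line):
            signed.append((m.group(1), m.group(2)))   # (item, signer)
        elif m := RTSLIB.match(line):
            key = (m.group(1), m.group(2))            # (component, severity)
            rtslib[key] = rtslib.get(key, 0) + 1
        elif line == "Validation succeeded":
            validated = True
        elif m := ACTIVE.match(line):
            pending = m.group(1)
    # Manifest lines carry no release string, so they are listed but not matched.
    named = [n for n, _ in signed if n != "manifest"]
    target_signed = [n for n in named if target in n]
    other_signed = [n for n in named if target not in n]
    return {
        "ok": validated and pending == target and bool(target_signed),
        "signed": signed, "target_signed": target_signed,
        "other_signed": other_signed, "rtslib": rtslib, "pending": pending,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, "10.1R1.8").items():
        print(f"{key}: {value}")
```

The `other_signed` list surfaces verified items that name a different release than the one requested, such as the `junos-10.0R1.8-domestic` line in the transcript, so they can be reviewed rather than scrolled past.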

I hope to post some additional information as we move forward with the Juniper SRX platform.

Cheers!

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1; if you haven’t heard about them you can go read the earlier posts on the subject.

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Networks’ SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article, KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the known caveats/issues.

Known Issues/Caveats:

* All client components:

  1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software; please see the forums for additional details.

Which branch office VPN solution?

I’m looking to replace the two aging Nortel 1700 VPN Routers (formerly Contivity). These VPN routers provide branch office tunnels to our remote offices, vendors and business affiliates. We utilize two VPN routers which are geographically dispersed and connected to different tier 1 Internet Service Providers. This allows us to provide high availability and redundancy when used in conjunction with OSPF routing.

I’ve essentially boiled my options down to two possible solutions (vendors):

Juniper SRX 240

Cisco ASA 5550

So which do I choose, and how do I best evaluate the different products? The primary purpose of the device is to provide branch office IPSec tunnels. The product needs to support OSPF and it needs some limited support for Multicast over VPN.

This morning I was lucky enough to have one of our preferred vendors, who just happens to be a Juniper reseller, come on site and help set up 2 Juniper SRX 210 gateways for us to demo. I’ve never worked with a Junos based product and while the web based GUI was fairly straightforward the CLI interface is going to take some time to get used to. It’s not like Cisco, or Nortel or Brocade, or Blade Technologies. Thankfully I did find a quick start guide that helped get my feet wet with Junos.

Once I’m done with the Juniper SRX I’ll need to turn my attention to the Cisco ASA (Tom you know what I’ll be calling for soon – demo time).

I’ll post a summary once I have some thoughts about the Juniper SRX. Anyone care to comment regarding either the Juniper SRX or the Cisco ASA as it pertains to branch office VPN tunnels? As a note I’m already migrating our Nortel VPN end-users to our Juniper SSL VPN Secure Access 4000 appliances.

Cheers!
