[j-nsp] JUNOS 10.4S6 for EX8200 - PR/676826
Richard A Steenbergen
ras at e-gerbil.net
Fri Sep 2 00:04:00 EDT 2011
On Thu, Sep 01, 2011 at 11:48:36AM -0400, Paul Stewart wrote:
> Actually I'm curious as well - RAS is not typically wrong though about
> this kind of stuff ;)
>
> We have numerous SRX deployed for firewall and router functionality -
> some are running Dynamic VPN (which yes, we've had issues with -
> definitely it's not perfect). We've been bitten by some surprises as
> well ... so I'm not disagreeing, just saying that we're pretty used to
> these issues we've encountered and don't deploy if we know they will
> come up. Typically, we use them as site to site VPN boxes along with
> firewalling.
>
> I have an SRX210 at my home as well - run the full UTM suite on it and
> had no real issues (granted it's a home environment to be fair).
>
> RAS, can you share a few highlights of "broken"?

Just doing simple routing and IPSec tunnels, and we're talking every
random little thing you can possibly imagine, across about a dozen
different versions of code and a lot of time hoping it would get better.
I still have to reboot the thing once every few weeks just to keep the
packets forwarding.

The most insane thing I saw was when trying to use BGP to originate a
/24 over my IPSec tunnels, you couldn't keep the sessions up for more
than ~24 hours without restarting rpd. I've had to disable just about
every feature to keep things even "mostly" working, for example the last
time I tried to configure IPv6 on a gre tunnel it would sometimes
randomly not configure ANY IPs on the interface when it would boot. You
could "show int terse gr-#/#/#" and they just wouldn't be there, no
matter what the config was, etc. I'd have more reliable internet at home
if I had a Linksys. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)