Solved

Juniper Firewalls - Dying or getting Bricked?

Posted on 2013-10-22
Last Modified: 2014-05-21
Anyone experience issues with Juniper Firewalls being particularly sensitive hardware to power variations?  (brownouts, blackouts, spikes)  Presumably we have lost a couple of Juniper firewalls due to power surges, EVEN THOUGH the devices are on enterprise grade UPS. When power resumed, our firewalls did not, everything else was just peachy.

We've had several power outages and have lost multiple Juniper Firewalls even though they were on high-grade UPS backup battery and high-end power backup generation equipment. No other hardware, out of thousands of PCs, 60+ switches, wifi access points or other hardware, was affected by the power outages\surges.

I'm interested in hearing your experiences with Juniper hardware and its sensitivity to power variations. Thanks
0
Question by:JohnArmstrong
12 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 39593657
I have Juniper Netscreen firewalls at clients and I have only had one failure. It was on a UPS. It was also five or six years old. I have had the others in place from 3 to 10 years and generally I find them to be reliable devices.

Separately, I have had other brands of routers fail as a result of power outages or variations.

... Thinkpads_User
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39593739
It would be nice to have a little clarification.

You state that you have "high-grade UPS backup battery and high-end power backup generation equipment"

Yet you also stated:

"When power resumed, our firewalls did not, everything else was just peachy."

That implies that they lost power when you lost building power and so they went down and when building power was restored they would not power up.

So, did they lose power and go down when you lost building power?  If so, why?  If they did not, then what do you mean by that statement?
0
 
LVL 64

Expert Comment

by:btan
ID: 39594226
Actually it can be due to many factors; I doubt it is specifically the FW itself, since it is supposed to be EMC Emissions, EMC Immunity, ETSI tested and certified. They also have a fuse as per the normal standard. Almost every guide recommends using a surge protector for the power connection. This is not specific to Juniper only.

Indeed, for running a datacenter, you cannot rely on the device's native protection alone but also need to ensure the correct DC or AC loading, and that all sockets are grounded and have surge protector switches... I do see the other external factors being the culprit, and even FW is of such military robust grade but more of standard security certified and safety certified, as in all security appliances... they have a fuse.
0
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 39595583
giltjr, thanks for your post. Yea I misspoke, when the power outage occurs, the UPS is there to cover the hardware during the couple of seconds before the generator kicks in and fires up. The hardware was dead when the power outage occurred, so I don't know if it was due to a spike at the time of the outage (which the grounded outlet and UPS should have trapped anyway) or the switchover to battery or the switchover to generator or the switchover back to the grid when power was restored to the buildings.  I know that as a rule of thumb, generators can create spikes which is why you want your hardware on a UPS because they provide additional power filtering in addition to keeping the hardware alive until the diesel generator kicks in.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39595602
Power spikes can kill router equipment. I have had that happen, albeit not with Juniper. Perhaps get a small true UPS supply for your network gear so there is no outage at all during a switchover.

... Thinkpads_User
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39596096
How old is the UPS?  How often do you think you get power spikes?

What type of PDU's do you have?

Devices that are designed to absorb power spikes can actually "wear" out and allow spikes through.
0
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 39945726
The UPS is new, 3 months?  In all environments where I've encountered this the UPS have been newer than 12 months.  I wonder if it's occurring when the device is trying to boot up and there's another blip in the power during boot-up cycle. Maybe Juniper doesn't like having its boot cycle interrupted?
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 39945772
If your UPS was protecting the gear, then it may just be a failure of the device. That happens.

I assume when you say UPS, you mean Uninterruptible Power Supply (you said enterprise grade UPS). These are devices that feed the gear from filtered battery supply and use AC to charge the batteries. Such devices are immune to ordinary power surges and blips.

So given the above, it does not appear to be a power issue and probably just failures of the gear. As I noted above, I had one such failure; otherwise Juniper gear is very robust.
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39946652
Pretty tough to say it is a UPS issue, as it is supposed to be robust and pass each defensive maintenance check, at least bi-annual or ad hoc. Typically, if the building has had a surge before, never assume the UPS or equipment is OK but have it verified again - trust but verify.

Also, power info of the FW can be gotten from SNMP for monitoring, e.g. to monitor the description and status of the power supply, the following OIDs can be used:

.1.3.6.1.4.1.3224.21.1.1.1 (.*) - A 32-bit integer that uniquely identifies the power supply ID.
.1.3.6.1.4.1.3224.21.1.1.2 (.*) - A 32-bit integer that uniquely identifies the power supply module's status: 0 - Fail, 1 - Good
.1.3.6.1.4.1.3224.21.1.1.3 (.*)  - A description for the power supply module.

There should be dual supply possible, but overall we need to consider the BTU as well, as if the air con goes down the overall DC gets heated up pretty fast and device failing will be even faster even if we have UPS...

How can I tell what the BTU's are for Juniper firewall devices?
First confirm if the BTU is posted in the Firewall/IPSec VPN Specifications and Datasheets.  If it is not posted, a conversion of Watts to BTU is done as follows:
Kilowatt /hour (1000 watts)  = 3,413 BTU/ hour
Watts/hour  = 3.413 BTU/hour
Watts x 3.413 = BTU
The datasheets publish the watt specifications, so the BTU can be calculated using the above formula.

For example:
The NetScreen-204 and NetScreen-208 normal working status or average power consumption is roughly 30 Watts. The AC power supply output capacity is 45 Watts. Peak consumption and current on boot up is 20 A Max at 120 VAC, and 40 A Max at 240 VAC.

45 watts = 154 BTU         (45 watts x 3.413 = 154 BTU)
30 watts = 102 BTU         (30 watts x 3.413 = 102 BTU)
20 watts =  68  BTU         (20 watts x 3.413 = 68 BTU)

normal = 102.39 BTU, max = 153.585 BTU, using 30 Watts and 45 Watts respectively.
This is based on published watt specifications from the Juniper datasheet for the device.
0
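An added example, not part of the answer above or Juniper's own tooling: a small Python parser that reads the three power-supply OIDs quoted in the answer from numeric `snmpwalk -On` output and reports modules whose status is not 1 (Good), together with the Watts x 3.413 heat-load conversion. The sample walk and the module descriptions are constructed, and the function names are hypothetical.

```python
import re

# Power-supply table columns quoted in the answer above.
PS_BASE = ".1.3.6.1.4.1.3224.21.1.1"
COLUMNS = {"1": "id", "2": "status", "3": "description"}

# Constructed sample in net-snmp `snmpwalk -On` format; not captured from a real device.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3224.21.1.1.1.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.1 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.3.0 = STRING: "Power Supply 1"
.1.3.6.1.4.1.3224.21.1.1.3.1 = STRING: "Power Supply 2"
"""

# <base>.<column>.<row index> = INTEGER: n   or   = STRING: "text"
LINE_RE = re.compile(
    r"^" + re.escape(PS_BASE) + r'\.(\d+)\.(\d+) = (?:INTEGER: (\d+)|STRING: "(.*)")$'
)

def parse_power_supplies(walk_text):
    """Return {row_index: {"id": ..., "status": ..., "description": ...}}."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) not in COLUMNS:
            continue  # ignore unrelated OIDs and malformed lines
        column, index, int_val, str_val = m.groups()
        value = int(int_val) if int_val is not None else str_val
        rows.setdefault(int(index), {})[COLUMNS[column]] = value
    return rows

def failed_supplies(rows):
    """Names of modules whose status is not 1 (Good); a missing status counts as failed."""
    return [r.get("description", "index %d" % i)
            for i, r in sorted(rows.items()) if r.get("status") != 1]

def watts_to_btu_per_hour(watts):
    """Conversion from the answer: Watts x 3.413 = BTU."""
    return watts * 3.413

if __name__ == "__main__":
    supplies = parse_power_supplies(SAMPLE_WALK)
    for name in failed_supplies(supplies):
        print("ALERT: power supply failed:", name)
    print("Heat load at 45 W: %.3f BTU/h" % watts_to_btu_per_hour(45))
```
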
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 40081811
Breadtran, a wealth of info, thank you.  I like the idea of monitoring the firewall's power supply with SNMP, but we get dinged for SNMP when we have it running because there are many potential vulnerabilities and now there are amplification attacks that can be utilized with SNMP.  John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips. OMG! I can tell you have how many UPS I have seen misbehave and\or die from ordinary brown outs, surges or spikes.  This is simply not the case and anyone that's had a few years exposure to working with UPS will tell you so, they do not behave predictably under any circumstances.
0
 
LVL 64

Expert Comment

by:btan
ID: 40082291
thanks for sharing
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40082295
John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips.

I am pleased your problem is solved. However I have never in my life seen a commercial UPS pass spikes through the isolated battery supply that powers gear. So that is why I answered the way I did.
0

Question has a verified solution.