Solved

Juniper Firewalls - Dying or getting Bricked?

Posted on 2013-10-22
Last Modified: 2014-05-21
Anyone experience issues with Juniper Firewalls being particularly sensitive hardware to power variations?  (brownouts, blackouts, spikes)  Presumably we have lost a couple of Juniper firewalls due to power surges, EVEN THOUGH the devices are on enterprise grade UPS. When power resumed, our firewalls did not, everything else was just peachy.

We've had several power outages and have lost multiple Juniper Firewalls even though they were on high-grade UPS backup battery and high-end power backup generation equipment. No other hardware, out of thousands of PCs, 60+ switches, wifi access points or other hardware, was affected by the power outages\surges.

I'm interested in hearing your experiences with Juniper hardware and its sensitivity to power variations. Thanks
Question by:JohnArmstrong
12 Comments
 

Expert Comment

by:John Hurst
ID: 39593657
I have Juniper Netscreen firewalls at clients and I have only had one failure. It was on a UPS. It was also five or six years old. I have had the others in place from 3 to 10 years and generally I find them to be reliable devices.

Separately, I have had other brands of routers fail as a result of power outages or variations.

... Thinkpads_User

Expert Comment

by:giltjr
ID: 39593739
It would be nice to have a little clarification.

You state that you have "high-grade UPS backup battery and high-end power backup generation equipment"

Yet you also stated:

"When power resumed, our firewalls did not, everything else was just peachy."

That implies that they lost power when you lost building power and so they went down and when building power was restored they would not power up.

So, did they lose power and go down when you lost building power?  If so, why?  If they did not, then what do you mean by that statement?

Expert Comment

by:btan
ID: 39594226
Actually it can be due to many factors; I doubt it is specifically the FW itself, since it is supposed to be EMC Emissions, EMC Immunity and ETSI tested and certified. They also have a fuse as per the normal standard. In almost every guide, they all recommend using a surge protector for the power connection. This is not specific to Juniper only.

Indeed, for running a datacenter, you cannot rely on the device's native protection but also need to ensure the correct DC or AC loading and that all sockets are grounded and have surge protector switches... I do see the other external factors being the culprit, and even FW is of such military robust grade but more of standard security certified and safety certified, as in all security appliances... they have a fuse.

Author Comment

by:JohnArmstrong
ID: 39595583
giltjr, thanks for your post. Yea, I misspoke; when the power outage occurs, the UPS is there to cover the hardware during the couple of seconds before the generator kicks in and fires up. The hardware was dead when the power outage occurred, so I don't know if it was due to a spike at the time of the outage (which the grounded outlet and UPS should have trapped anyway) or the switchover to battery or the switchover to generator or the switchover back to the grid when power was restored to the buildings.  I know that as a rule of thumb, generators can create spikes, which is why you want your hardware on a UPS, because they provide additional power filtering in addition to keeping the hardware alive until the diesel generator kicks in.

Expert Comment

by:John Hurst
ID: 39595602
Power spikes can kill router equipment. I have had that happen, albeit not with Juniper. Perhaps get a small true UPS supply for your network gear so there is no outage at all during a switchover.

... Thinkpads_User

Expert Comment

by:giltjr
ID: 39596096
How old is the UPS?  How often do you think you get power spikes?

What type of PDU's do you have?

Devices that are designed to absorb power spikes can actually "wear" out and allow spikes through.

Author Comment

by:JohnArmstrong
ID: 39945726
The UPS is new, 3 months?  In all environments where I've encountered this the UPS have been newer than 12 months.  I wonder if it's occurring when the device is trying to boot up and there's another blip in the power during the boot-up cycle. Maybe Juniper doesn't like having its boot cycle interrupted?

Expert Comment

by:John Hurst
ID: 39945772
If your UPS was protecting the gear, then it may just be a failure of the device. That happens.

I assume when you say UPS, you mean Uninterruptible Power Supply (you said enterprise grade UPS). These are devices that feed the gear from filtered battery supply and use AC to charge the batteries. Such devices are immune to ordinary power surges and blips.

So given the above, it does not appear to be a power issue and probably just failures of the gear. As I noted above, I had one such failure; otherwise Juniper gear is very robust.

Accepted Solution

by:btan
ID: 39946652
It is pretty tough to say it is a UPS issue, as it is supposed to be robust and pass each defensive maintenance check, at least a bi-annual or ad hoc check. Typically, if the building has had a surge before, never assume the UPS or equipment is OK but have it verified again - trust but verify.

Also, power info of the FW can be gotten from SNMP for monitoring, e.g. to monitor the description and status of the power supply, the following OIDs can be used:

.1.3.6.1.4.1.3224.21.1.1.1 (.*) - A 32-bit integer that uniquely identifies the power supply ID.
.1.3.6.1.4.1.3224.21.1.1.2 (.*) - A 32-bit integer that uniquely identifies the power supply module's status: 0 - Fail, 1 - Good
.1.3.6.1.4.1.3224.21.1.1.3 (.*) - A description for the power supply module.

There should be dual supply possible, but overall we need to consider the BTU as well, as if the air con goes down the overall DC gets heated up pretty fast and device failure will be even faster even if we have UPS...

How can I tell what the BTU's are for Juniper firewall devices?
First confirm if the BTU is posted in the Firewall/IPSec VPN Specifications and Datasheets.  If it is not posted, a conversion of Watts to BTU is done as follows:
Kilowatt/hour (1000 watts) = 3,413 BTU/hour
Watts/hour = 3.413 BTU/hour
Watts x 3.413 = BTU
The datasheets publish the watt specifications, so the BTU can be calculated using the above formula.

For example:
The NetScreen-204 and NetScreen-208 normal working status or average power consumption is roughly 30 Watts. The AC power supply output capacity is 45 Watts. Peak consumption and current on boot up is 20 A Max at 120 VAC, and 40 A Max at 240 VAC.

45 watts = 154 BTU         (45 watts x 3.413 = 154 BTU)
30 watts = 102 BTU         (30 watts x 3.413 = 102 BTU)
20 watts =  68  BTU         (20 watts x 3.413 = 68 BTU)

normal = 102.39 BTU, max = 153.585 BTU, using 30 Watts and 45 Watts respectively.
This is based on published watt specifications from the Juniper datasheet for the device.
0
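Added example, not part of btan's answer or any Juniper tooling: a small parser that groups the three power-supply OIDs quoted in the answer by row index, reports modules whose status is not 1 (Good), and applies the 3.413 watts-to-BTU factor from the same answer. The walk text is constructed sample data, and the code assumes numeric `snmpwalk -On` style output with plain integer values.

```python
import re

# Table prefix shared by the three OIDs quoted in the answer above.
BASE = ".1.3.6.1.4.1.3224.21.1.1"
COLUMNS = {"1": "id", "2": "status", "3": "desc"}
WATTS_TO_BTU = 3.413  # conversion factor given in the answer

# Constructed sample in numeric walk style; not captured from a real device.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3224.21.1.1.1.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.1 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.3.0 = STRING: "Power Supply 1"
.1.3.6.1.4.1.3224.21.1.1.3.1 = STRING: "Power Supply 2"
.1.3.6.1.2.1.1.5.0 = STRING: "fw-example"
"""

LINE = re.compile(r"^(\.[\d.]+) = (\w+): (.*)$")

def parse_power_table(walk_text):
    """Group the three columns by row index; ignore OIDs outside the table."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group(1).startswith(BASE + "."):
            continue
        column, _, index = m.group(1)[len(BASE) + 1:].partition(".")
        if column not in COLUMNS or not index:
            continue
        value = m.group(3).strip().strip('"')
        if m.group(2) == "INTEGER":
            value = int(value)  # assumes plain integers, no MIB enum labels
        rows.setdefault(index, {})[COLUMNS[column]] = value
    return rows

def failed_supplies(rows):
    """Descriptions of modules not reporting 1 (Good).
    A row with no status value counts as failed, never as healthy."""
    return [r.get("desc", "index " + i) for i, r in sorted(rows.items())
            if r.get("status") != 1]

def watts_to_btu_per_hour(watts):
    return round(watts * WATTS_TO_BTU, 3)

if __name__ == "__main__":
    table = parse_power_table(SAMPLE_WALK)
    print("failed:", failed_supplies(table))
    print("30 W ->", watts_to_btu_per_hour(30), "BTU/h")
```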
 

Author Comment

by:JohnArmstrong
ID: 40081811
Breadtran, a wealth of info, thank you.  I like the idea of monitoring the firewall's power supply with SNMP, but we get dinged for SNMP when we have it running because there are many potential vulnerabilities and now there are amplification attacks that can be utilized with SNMP.  John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips. OMG! I can tell you have how many UPS I have seen misbehave and\or die from ordinary brown outs, surges or spikes.  This is simply not the case and anyone that's had a few years exposure to working with UPS will tell you so, they do not behave predictably under any circumstances.

Expert Comment

by:btan
ID: 40082291
thanks for sharing

Expert Comment

by:John Hurst
ID: 40082295
John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips.

I am pleased your problem is solved. However I have never in my life seen a commercial UPS pass spikes through the isolated battery supply that powers gear. So that is why I answered the way I did.