Solved

Juniper Firewalls - Dying or getting Bricked?

Posted on 2013-10-22
Last Modified: 2014-05-21
Anyone experience issues with Juniper Firewalls being particularly sensitive hardware to power variations?  (brownouts, blackouts, spikes)  Presumably we have lost a couple of Juniper firewalls due to power surges, EVEN THOUGH the devices are on enterprise grade UPS. When power resumed, our firewalls did not, everything else was just peachy.

We've had several power outages and have lost multiple Juniper Firewalls even though they were on high-grade UPS backup battery and high-end power backup generation equipment. No other hardware, out of thousands of PCs, 60+ switches, wifi access points or other hardware, was affected by the power outages/surges.

I'm interested in hearing your experiences with Juniper hardware and its sensitivity to power variations. Thanks
Question by:JohnArmstrong
12 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 39593657
I have Juniper Netscreen firewalls at clients and I have only had one failure. It was on a UPS. It was also five or six years old. I have had the others in place from 3 to 10 years and generally I find them to be reliable devices.

Separately, I have had other brands of routers fail as a result of power outages or variations.

... Thinkpads_User
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39593739
It would be nice to have a little clarification.

You state that you have "high-grade UPS backup battery and high-end power backup generation equipment"

Yet you also stated:

"When power resumed, our firewalls did not, everything else was just peachy."

That implies that they lost power when you lost building power and so they went down and when building power was restored they would not power up.

So, did they lose power and go down when you lost building power?  If so, why?  If they did not, then what do you mean by that statement?
0
 
LVL 61

Expert Comment

by:btan
ID: 39594226
Actually it can be due to many factors; I doubt it is specifically the FW itself, since it is supposed to be EMC Emissions, EMC Immunity, ETSI tested and certified. They also have a fuse as per the normal standard. In almost every guide, they all recommend using a surge protector for the power connection. Not specific to Juniper only.

Indeed, for running a datacenter, you cannot rely on the device's native protection but also need to ensure the correct DC or AC loading and that all sockets are grounded and have surge protector switches... I do see the other external factors being the culprit, and even FW is of such military robust grade but more of standard security certified and safety certified as in all security appliances... they have a fuse
0
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 39595583
giltjr, thanks for your post. Yea I misspoke, when the power outage occurs, the UPS is there to cover the hardware during the couple of seconds before the generator kicks in and fires up. The hardware was dead when the power outage occurred, so I don't know if it was due to a spike at the time of the outage (which the grounded outlet and UPS should have trapped anyway) or the switchover to battery or the switchover to generator or the switchover back to the grid when power was restored to the buildings.  I know that as a rule of thumb, generators can create spikes which is why you want your hardware on a UPS because they provide additional power filtering in addition to keeping the hardware alive until the diesel generator kicks in.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39595602
Power spikes can kill router equipment. I have had that happen, albeit not with Juniper. Perhaps get a small true UPS supply for your network gear so there is no outage at all during a switchover.

... Thinkpads_User
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39596096
How old is the UPS?  How often do you think you get power spikes?

What type of PDU's do you have?

Devices that are designed to absorb power spikes can actually "wear" out and allow spikes through.
0
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 39945726
The UPS is new, 3 months?  In all environments where I've encountered this the UPS have been newer than 12 months.  I wonder if it's occurring when the device is trying to boot up and there's another blip in the power during boot-up cycle. Maybe Juniper doesn't like having its boot cycle interrupted?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39945772
If your UPS was protecting the gear, then it may just be a failure of the device. That happens.

I assume when you say UPS, you mean Uninterruptible Power Supply (you said enterprise grade UPS). These are devices that feed the gear from filtered battery supply and use AC to charge the batteries. Such devices are immune to ordinary power surges and blips.

So given the above, it does not appear to be a power issue and probably just failures of the gear. As I noted above, I had one such failure; otherwise Juniper gear is very robust.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39946652
Pretty tough to say it is a UPS issue, as it is supposed to be robust and pass each defensive maintenance check, at least a bi-annual or ad hoc check. Typically, if the building has had a surge before, never assume the UPS or equipment is OK but have it verified again - trust but verify.

Also, power info of the FW can be gotten from SNMP for monitoring, e.g. to monitor the description and status of the power supply, the following OIDs can be used:

.1.3.6.1.4.1.3224.21.1.1.1 (.*) - A 32-bit integer that uniquely identifies the power supply ID.
.1.3.6.1.4.1.3224.21.1.1.2 (.*) - A 32-bit integer that uniquely identifies the power supply module's status: 0 - Fail, 1 - Good
.1.3.6.1.4.1.3224.21.1.1.3 (.*) - A description for the power supply module.

There should be dual supply possible, but overall we need to consider the BTU as well, as if the air con goes down the overall DC heats up pretty fast and devices failing will be even faster even if we have UPS...

How can I tell what the BTU's are for Juniper firewall devices?
First confirm if the BTU is posted in the Firewall/IPSec VPN Specifications and Datasheets.  If it is not posted, a conversion of Watts to BTU is done as follows:
Kilowatt /hour (1000 watts)  = 3,413 BTU/ hour
Watts/hour  = 3.413 BTU/hour
Watts x 3.413 = BTU
The datasheets publish the watt specifications, so the BTU can be calculated using the above formula.

For example:
The NetScreen-204 and NetScreen-208 normal working status or average power consumption is roughly 30 Watts. The AC power supply output capacity is 45 Watts. Peak consumption and current on boot up is 20 A Max at 120 VAC, and 40 A Max at 240 VAC.

45 watts = 154 BTU         (45 watts x 3.413 = 154 BTU)
30 watts = 102 BTU         (30 watts x 3.413 = 102 BTU)
20 watts =  68  BTU         (20 watts x 3.413 = 68 BTU)

normal = 102.39 BTU, max = 153.585 BTU, using 30 Watts and 45 Watts respectively.
This is based on published watt specifications from the Juniper datasheet for the device.
0
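Added example (not part of btan's answer and not Juniper code): a small Python parser that joins the three power-supply OID columns listed above by row index and reports any module whose status is not 1 (Good). It assumes the poll result is available as text in net-snmp `snmpwalk -On` output style; the sample lines, the device name and the function names are constructed for illustration.

```python
import re

# Column OIDs quoted in the answer above (power supply id, status, description).
PS_BASE = ".1.3.6.1.4.1.3224.21.1.1"
COLUMNS = {"1": "id", "2": "status", "3": "description"}
STATUS = {0: "Fail", 1: "Good"}

# Constructed sample in "snmpwalk -On" style; not captured from a real device.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3224.21.1.1.1.0 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.0 = INTEGER: 1
.1.3.6.1.4.1.3224.21.1.1.2.1 = INTEGER: 0
.1.3.6.1.4.1.3224.21.1.1.3.0 = STRING: "Power Supply 1"
.1.3.6.1.4.1.3224.21.1.1.3.1 = STRING: "Power Supply 2"
.1.3.6.1.2.1.1.5.0 = STRING: "fw-lab"
"""

LINE_RE = re.compile(r"^(\.[\d.]+) = (\w+): (.*)$")

def parse_power_table(walk_text):
    """Return {row_index: {"id", "status", "description"}} for the power table."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(PS_BASE + "."):
            continue  # unparsable line or an OID outside the power table
        column, _, index = m.group(1)[len(PS_BASE) + 1:].partition(".")
        if column not in COLUMNS or not index:
            continue
        raw = m.group(3).strip().strip('"')
        field = COLUMNS[column]
        numeric = field != "description" and raw.isdigit()
        rows.setdefault(index, {})[field] = int(raw) if numeric else raw
    return rows

def failed_supplies(rows):
    """List (index, description, state) for every module not reporting 1 (Good)."""
    alerts = []
    for index, row in sorted(rows.items()):
        status = row.get("status")
        if status != 1:  # 0 is Fail; a missing or unexpected value is also flagged
            alerts.append((index, row.get("description", "unknown"),
                           STATUS.get(status, "Unknown")))
    return alerts

if __name__ == "__main__":
    for alert in failed_supplies(parse_power_table(SAMPLE_WALK)):
        print("power supply alert:", alert)
```

A module with no status row is reported as "Unknown" rather than silently treated as healthy.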
 
LVL 1

Author Comment

by:JohnArmstrong
ID: 40081811
Breadtran, a wealth of info, thank you.  I like the idea of monitoring the firewall's power supply with SNMP, but we get dinged for SNMP when we have it running because there are many potential vulnerabilities and now there are amplification attacks that can be utilized with SNMP.  John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips. OMG! I can tell you how many UPS I have seen misbehave and/or die from ordinary brownouts, surges or spikes.  This is simply not the case and anyone that's had a few years exposure to working with UPS will tell you so, they do not behave predictably under any circumstances.
0
 
LVL 61

Expert Comment

by:btan
ID: 40082291
thanks for sharing
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40082295
John Hurst, thanks for feedback but you're a bit off course when you say UPS are immune from ordinary power surges and blips.

I am pleased your problem is solved. However I have never in my life seen a commercial UPS pass spikes through the isolated battery supply that powers gear. So that is why I answered the way I did.
0
