I was bitten by a similar issue when I deployed a couple of J2350s at our edge.
On 4/11/12 2:33 PM, Carl Rosevear wrote:
> Yeah, I have to apply the terms "awful" and "annoying" to the packet
> mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
> on the phone trying to get the thing to just pass packets. Best part
> was, I didn't know how to do it and nor did they! I escalated, worked
> with many engineers. My key statement was "I just want my router to
> route. Make it do what it is supposed to do. No session tracking!
> This is not a firewall." So, now it doesn't require valid sessions to
> pass packets but it does still appear to *track* sessions in some
> tables and I am, of course, very curious when some attack vector will
> fill up some table.
>
> Anyway, not the best devices for an edge router, that is for sure.
> Which is too bad... for very small DC edge applications, the J6350
> was a pretty cool router in earlier versions of JunOS that didn't
> decide to re-engineer your network and transit for you.
>
> Anyway, I digress. But this had, in the past, been a frustrating
> enough issue for me that I had to share.
>
> --Carl
>
>
> On Tue, Apr 10, 2012 at 6:30 PM, Owen DeLong <o...@delong.com> wrote:
>> On Apr 10, 2012, at 6:02 PM, Mark Kamichoff wrote:
>>
>>> On Tue, Apr 10, 2012 at 11:57:31AM -0700, Owen DeLong wrote:
>>>>> The fact that you can't put it into flow mode.
>>>> s/flow/packet/
>>>> (oops, wasn't awake yet)
>>> Actually, this is possible:
>>>
>>> prox@asgard> show configuration security
>>> forwarding-options {
>>>     family {
>>>         inet6 {
>>>             mode packet-based;
>>>         }
>>>         mpls {
>>>             mode packet-based;
>>>         }
>>>     }
>>> }
>>>
>>> The above is from an SRX210B, but the same configuration will work on
>>> any J-series or /branch/ SRX-series platform.
>>>
>> Right, sort of. To the extent that it works. It doesn't actually do
>> everything you think it should, and it's somewhat dependent on the
>> version of JunOS as to how well it does or doesn't work.
>>
>>> Don't let the "mpls" keyword throw you off. This actually causes the
>>> box to run the inet /and/ mpls address families in packet mode.
>>>
>> I'm not unfamiliar or uninitiated in this regard. I had tickets with
>> Juniper for over a year and it escalated quite high up their escalation
>> chain before they finally admitted "Yeah, Services JunOS is different
>> and it behaves differently, and if you need to do what you're trying to
>> do, you should buy an M or MX series."
>>
>> It's quite unfortunate. I'd really like for the SRX series to not be so
>> crippled for my purposes.
>>
>> Owen