On 11 Apr 2012, at 18:36, "Carl Rosevear" <crosev...@skytap.com> wrote:
> Yeah, I have to apply the term "awful" and "annoying" to the packet
> mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
> on the phone trying to get the thing to just pass packets. Best part
> was, I didn't know how to do it and nor did they! I escalated, worked
> with many engineers. My key statement was "I just want my router to
> route. Make it do what it is supposed to do. No session tracking!
> This is not a firewall." So, now it doesn't require valid sessions to
> pass packets but it does still appear to *track* sessions in some
> tables and I am, of course, very curious when some attack vector will
> fill up some table.
>

I have had some rather odd issues with the SRX boxes but JTAC were pretty good at turning around fixes for me for my specific issues.

Since then I have had quite a lot of SRX boxes across the range running various MPLS services including MPLS over GRE with fragmentation/reassembly which has been working very well. Since 11.1R3 I've had no issues at all with them.

So yeah the new flow mode stuff had its issues, but as a *small* MPLS box it is very functional. Of course in MPLS mode, you turn the flow stuff off..

--
Leigh Porter