56 Replies Latest reply on Nov 8, 2011 5:00 AM by fcaron

    Juniper Netscreen sub-interfaces?

    kbaumann

      Has anyone else been able to monitor any sub-interfaces on Juniper Netscreen products? I've set up a UDP but that doesn't offer the results we're looking for, not to mention the fact that I have 450 of these to monitor.

      I'm curious whether I'm the only one having this problem, or if this is a known limitation with the product.

        • Re: Juniper Netscreen sub-interfaces?
          SamuelB

          kbaumann,

          See the following post for more information as to why this is happening: Problem with Sub-interfaces on Juniper Netscreen (SSG140, SSG550)

          This problem has existed for a while and is a problem for my devices as well. The UnDP is not sufficient to handle this situation. These subinterfaces need to be supported as if they were Cisco subinterfaces. Can someone from Solarwinds comment on whether there is any chance of this being fixed?

            • Re: Juniper Netscreen sub-interfaces?
              kbaumann

              I opened a support ticket with SolarWinds some time ago (nearly 90 days) and spoke with someone on 6/4 to follow up. They told me that the issue has been escalated to development, but then again, that's what the tech support staff told me two months ago.

              As a long-time user, I have been waiting for this issue to be resolved for some time now...since version 7x. Back then, the fix was coming in the next release as I recall. Maybe if there are others out there with the same issue, opening a support ticket might garner some much needed attention from the development team and ultimately get this resolved.

                • Re: Juniper Netscreen sub-interfaces?
                  bshopp

                  Is UnDP not working, or is it mainly that it is just extra work and management and you would like to see native support out of the box for this?

                    • Re: Juniper Netscreen sub-interfaces?
                      SamuelB

                      Brandon,

                      The problem is twofold.

                      First of all, the UnDP "works" but seems to be implemented as an afterthought. See my post UnDP Wishlist for my list of improvements that are the minimum requirements really for the UnDP to be truly useful. I can't believe the UnDP has been around as long as it has without these basic improvements. I am actually embarrassed to show people the UnDP when they ask about custom MIB support. 

                      Secondly, the extra work and management wouldn't be a problem if you only think about the adding of the interface to be monitored with the UnDP. However, native support looks a LOT better on the Orion pages/reports/maps/alerts/etc. When you think about the additional time dealing with creating reports, maps and alerts using an interface polled with the UnDP vs. a native supported interface, there is a significant management effort and time difference. The UnDP maturity simply isn't where it needs to be.

                      Please accept my continued criticism of the UnDP as a positive rather than a negative. I have been working with Orion for quite a while and I think it is a great product. I continue to enjoy supporting this product and recommending this product to my colleagues. I wouldn't even bother continuing to voice my opinion of the shortcomings of the UnDP if a) I didn't know that Solarwinds listens (you do!) and b) I didn't care about this product and seeing it become even better than it is (I do!).

                       

                      Thanks,

                      Samuel

                        • Re: Juniper Netscreen sub-interfaces?
                          bshopp

                          No offense taken at all, we welcome and appreciate the candid feedback.  My main concern was to ensure UnDP was working, although not ideal as you have indicated.  As I am sure you have seen, we just released NPM 9.5 and are currently looking at the large list of items for consideration for the next release and what we can do in there.  While I cannot commit to anything, as Denny indicated in your other thread, we do have these items captured in our tracking system.

                            • Re: Juniper Netscreen sub-interfaces?
                              brian_duvall

                              I have the same issue.  I am using UnDPs to try and monitor them but the ability to build it into the product is by far better.

                              • Re: Juniper Netscreen sub-interfaces?
                                kbaumann

                                Brandon, I just received a follow-up email regarding the case I opened and the ETA to resolve this issue was given as 3rd or 4th quarter of 2010.

                                While having some limited ability to monitor the up/down status of the sub-interfaces is nice, what most of us are really interested in (I believe) is the charting and graphing features that we currently get with the Juniper physical interfaces and Cisco sub-interfaces that are contained within the normal device manager. Our help desk uses this feature extensively when they receive a call from the end users regarding performance or to troubleshoot bandwidth utilization issues.

                                I too think that Orion is a great product, but this has been an issue for us for some time now and I'm anxiously waiting for a solution. :-)

                                Ken

                                  • Re: Juniper Netscreen sub-interfaces?
                                    viol8tor

                                    Wow, Q3/Q4 of 2010 for a fix? I like Orion, but not having native support for Juniper devices has been one of my biggest complaints. (Granted, Juniper's support of MIB II is horrific.) Sure, I might only have a couple of hundred or so of these devices in my network, but they are by far one of the more crucial devices that need attention. As much as I appreciate SW adding new features with every upgrade, I believe they would gain more market share if they would support more devices natively. They did a great job with VMWare; I'm sure they could put just as much effort into Juniper devices.

                                      • Re: Juniper Netscreen sub-interfaces?
                                        bshopp

                                        Not sure where you got the Q3/Q4 2010 date.  We are in the planning phase of the next release and this item is logged into the system.  I can't say right now if that will get in or not.

                                          • Re: Juniper Netscreen sub-interfaces?
                                            kbaumann

                                             

                                            From: SolarWinds, Inc. [mailto:support@solarwinds.net]
                                            Sent: Monday, June 08, 2009 10:48 AM
                                            To:
                                            Subject: Case Update: 86075 - Netscreen devices only show physical interfaces

                                             

                                            Update for Case #86075 - "Netscreen devices only show physical interfaces"

                                            Received a reply from development with a ballpark ETA on a fix for this issue. Probably not what you want to hear yet I am only sending you what the development team has forwarded to the support team. Again, your case will be kept open until a resolution is provided.

                                            When the support team receives an update on the development case, you will be notified of it.

                                            #############################

                                            We aren’t going to fix this any time soon. We are in the process of a major overhaul of the poller, and I want to keep it open so that we can address it then, but it’s probably going to be the second half of next year.

                                             


                                            • Re: Juniper Netscreen sub-interfaces?
                                              kbaumann

                                              I've been watching and waiting patiently for some news about this issue, and to date have not heard a thing. Any word on when a fix might be available to allow support of the Juniper Netscreen devices?

                                              TIA,

                                              Ken

                              • Re: Juniper Netscreen sub-interfaces?
                                steve.miller

                                I am going to open my ticket today and reference this thread to the technician. Juniper is a leader in the Network firewall space (Gartner Magic Quadrant March 2010) and a challenger in the LAN environment. I would hope SW understands the need. The Cacti app can pull the sub-interfaces so I'm sure SW can get something in there for us.

                                Steve

                                • Re: Juniper Netscreen sub-interfaces?
                                  jdeal

                                  I just installed 10.1 on a new server from scratch hoping to eliminate any bad config issues from our previous installs and was disappointed to see this Juniper Subinterface/Vlan issue has still not been resolved and that there has been no feedback on this. All our primary WAN sites use Juniper SSG VPN devices and I thought by now they could have this fixed?

                                  Something interesting I wanted to mention on this: I noticed one of our sites had a device replaced and the default 192.168.1.1 address on port 0/0 was not removed. Even though we are using the subinterfaces 0/0.1 and 0/0.2 and routing those addresses, SolarWinds was recording traffic data for the 0/0 interface. We would prefer to be able to see the actual subinterfaces though so we know if we are running on the primary or secondary vlan, but it's a start.

                                    • Re: Juniper Netscreen sub-interfaces?

                                      I have decided to raise a ticket today for this as it is seriously a big issue for us. Our management are considering other products and it's not easy for us to justify NPM when it doesn't support our firewalls when other products can. I really hope that someone can actually give a realistic timeframe on this getting fixed or at least an answer that they do not intend to at all.

                                    • Re: Juniper Netscreen sub-interfaces?
                                      aduquette

                                      Same here. Netscreens from SSG5, 20, 140 to SSG520M. I've only been able to come up with charts for the VPN traffic using "nsVpnMonBytesIn" but haven't been too successful on the subinterface side except for indicating whether they're up or not.

                                      This really is a bother for the mapping features which are so successful on the Cisco and HP devices. As a small NOC (2 NetAdmins for 400 devices) we really need to be able to monitor our WAN VPN interconnections with as much precision as possible. Almost all bases are covered with this tool except for the Juniper devices which are a core component for our NMS.

                                      We've been using the NPM for 2 years now and are due for renewal in 8 months. At the approach of the 3-year mark, we are obligated to create an RFP and get the competition involved. This key piece will be marked as "Mandatory" and if not part, then SolarWinds will be eliminated from the RFP if not met.

                                        • Re: Juniper Netscreen sub-interfaces?
                                          fcaron

                                          I will be contacting some of you in this thread, and we'll see how we can be creative.

                                          Tks for the input

                                            • Re: Juniper Netscreen sub-interfaces?
                                              jdeal

                                              As I stated in my last reply I found a bit of a workaround to this. We have sub interfaces such as eth 0/0.1 and 0/0.2 set up with IP addresses for our ISP link for multiple vlans. I found if you give eth 0/0 a generic IP such as 192.168.xxx.xxx/32 and set it to NAT, it won't affect any traffic or routing, but it does allow you to get proper status, error count and stats on the ports.

                                              We'd still like to be able to monitor the actual sub interfaces for proper statistics though so we can know if we are running on the primary or secondary vlan.

                                          • Re: Juniper Netscreen sub-interfaces?
                                            steve.miller

                                            jdeal - thanks for sharing your workaround. I will be giving that a try in our lab very soon.

                                            Good to see some activity on this issue and hope it will end with a full implementation into NPM.

                                              • Re: Juniper Netscreen sub-interfaces?
                                                kbaumann


                                                "Good to see some activity on this issue and hope it will end with a full implementation into NPM."

                                                Amen to that!!

                                                  • Re: Juniper Netscreen sub-interfaces?
                                                    fcaron

                                                    Tks all,

                                                    I am interested to hear other NPM users chime in and tell me about this support (lack of), in this thread.

                                                    (16938, SysObjId:44844)

                                                      • Re: Juniper Netscreen sub-interfaces?

                                                        Any update on this?

                                                         

                                                        Thanks 

                                                        • Re: Juniper Netscreen sub-interfaces?
                                                          eugenek1

                                                          I have been using NPM for the past 2 years and as we started throwing out our Cisco ASAs and replacing them with Juniper SSGs, I was shocked to find out that my "great" NPM system does not support subinterfaces on SSGs (I don't care about UDP - it's nothing but a workaround). The fact that A.) Juniper SSG is one of the leading firewall products on the market, B.) It has been around for years and C.) You (Solarwinds) had known about this issue for almost 2 years yet refused to fix it is beyond ridiculous. Every one of your competitors has native support for subinterface polling on SSGs and you just don't care. And mind you, we are not talking about you committing thousands of development hours to support some exotic product that is used by 0.0001% of networks out there. No, we are talking about a minor feature (subinterface polling) for a mainstream product from a Tier 1 vendor that has been around for years. And it's not like NPM customers have not been asking for it for eternity.

                                                          Come on, Solarwinds, get your **** together. It's starting to feel like you are taking advantage of the fact that migrating from one monitoring system to another is a royal PITA and customers would rather tolerate lack of support for core features than migrate to a product that does. To my knowledge, every single software company that used this mentality has ceased to exist.

                                                    • Re: Juniper Netscreen sub-interfaces?
                                                      steve.miller

                                                      Can we get a status update on this request please? I know we seem to be having some forward movement but nothing since Jan 21.

                                                      SW Engineers - is there something you require from us to get this moving again? I've had to resort to the free 10 license use of PRTG to get some visuals/values on these Juniper sub-interfaces. Worked right out of the box.

                                                      • Re: Juniper Netscreen sub-interfaces?
                                                        epkmsnn

                                                        We also have a lot of subinterfaces (+300) that we would like to monitor and see correct status on.

                                                        I created #223549 - "Problem with Juniper Networks and Extreme Networks products" for this and was guided to this thread with UDP as a solution which is not good enough.

                                                        /Mats

                                                        • Re: Juniper Netscreen sub-interfaces?
                                                          bfreking

                                                          I also am looking for a way to manage and monitor subinterfaces on Juniper netscreens. We have about 800 of these devices in the field: 5GT's, SSG5's, SSG20's, SSG140's, SSG350's and a few 550's. Mainly virtual tunnel interfaces is what I am interested in monitoring. Here is what one of my physical netscreens looks like in the field:

                                                          Interfaces in vsys Root:
                                                          Name           IP Address                        Zone        MAC            VLAN State VSD     
                                                          eth1           10.243.xx.xx/28                  Work        0014.f699.0ec2    -   U   - 
                                                          eth2           10.161.xx.xx/26                 Home        0014.f699.0ec7    -   U   - 
                                                          eth3           75.50.xx.xx/29                    Untrust     0014.f699.0ec8    -   U   - 
                                                          eth4           64.105.xx.xx/29                  Untrust     0014.f699.0ec1    -   D   - 
                                                          tun.1          10.28.x.xx/24                     Untrust     N/A               -   D   - 
                                                          tun.2          10.28.x.xx/24                     Untrust     N/A               -   U   - 
                                                          tun.5          10.243.xx.xx/24                   Untrust     N/A               -   D   - 
                                                          tun.6          10.243.xx.xx/24                   Untrust     N/A               -   U   - 
                                                          vlan1          0.0.0.0/0                         VLAN        0014.f699.0ecf    1   D   - 
                                                          null           0.0.0.0/0                         Null        N/A               -   U   0 
                                                          chi-91204302-xxxxxxxxx->

                                                          I have no way of creating an alarm for the virtual tunnel interfaces in the UDP to show up in either "DOWN NODES" or in "DOWN INTERFACES" Page resources on NPM.  As of now, I collect SNMP info on all physical interfaces on the actual device and then I have to build 2 new nodes as "ICMP" Ping only and ping each E3 and E4 external IP address of the netscreen device to truly get an UP/DOWN status.  Most of our Juniper netscreens in the field have a Primary Cable Ethernet Internet circuit and a Backup DSL Ethernet Internet circuit.  I also run into the same issue where the Ethernet circuit at my customer sites never truly goes down/down, as an ethernet really only needs power and to be plugged in on both sides to create a "Physical link up" condition.  When will this be repaired?  I thought Solar Winds would have this figured out by now.
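
The interface listing in the post above can be checked for down tunnel and sub-interfaces outside the NMS. The following is an added example, not code from this thread or from SolarWinds; the sample listing, its addresses, MACs and prompt hostname are constructed, and it assumes zone names contain no spaces and treats any state other than U as not up.

```python
"""Added example: flag logical interfaces that are down in a ScreenOS-style
interface listing. All sample data below is constructed."""
from dataclasses import dataclass

# Constructed listing using the column layout pasted in the post above.
SAMPLE = """\
Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD
eth1           10.0.1.1/28        Work        0000.5e00.5301    -   U   -
eth3           192.0.2.1/29       Untrust     0000.5e00.5303    -   U   -
eth4           198.51.100.1/29    Untrust     0000.5e00.5304    -   D   -
eth0/0.1       10.0.5.1/24        Trust       0000.5e00.5305    5   U   -
tun.1          10.0.2.1/24        Untrust     N/A               -   D   -
tun.2          10.0.3.1/24        Untrust     N/A               -   U   -
vlan1          0.0.0.0/0          VLAN        0000.5e00.530f    1   D   -
null           0.0.0.0/0          Null        N/A               -   U   0
fw-example->
"""


@dataclass(frozen=True)
class Interface:
    name: str
    address: str
    zone: str
    mac: str
    vlan: str
    state: str
    vsd: str

    @property
    def is_logical(self) -> bool:
        # Tunnel (tun.N) and tagged sub-interfaces (ethX/Y.N) carry a dot.
        return "." in self.name

    @property
    def is_up(self) -> bool:
        # Assumption: only "U" counts as up; every other state is not up.
        return self.state == "U"


def parse_listing(text: str) -> list[Interface]:
    """Return one Interface per data row of the listing."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly seven columns with a CIDR in column two;
        # this skips the title, the header row and the CLI prompt.
        if len(fields) != 7 or "/" not in fields[1]:
            continue
        rows.append(Interface(*fields))
    return rows


def down_logical(interfaces: list[Interface]) -> list[str]:
    """Names of tunnel or sub-interfaces that are not up."""
    return [i.name for i in interfaces if i.is_logical and not i.is_up]


def tunnel_outage_hidden(interfaces: list[Interface]) -> bool:
    """True when a physical port is up while a tunnel is down, the case
    that polling physical interfaces alone does not reveal."""
    physical_up = any(
        i.name.startswith("eth") and not i.is_logical and i.is_up
        for i in interfaces
    )
    tunnel_down = any(
        i.name.startswith("tun.") and not i.is_up for i in interfaces
    )
    return physical_up and tunnel_down


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("down logical interfaces:", down_logical(parsed))
    print("outage hidden behind an up physical port:", tunnel_outage_hidden(parsed))
```
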

                                                          • Re: Juniper Netscreen sub-interfaces?
                                                            DoctorHurt

                                                            We are currently demoing Orion NPM and this is probably the one thing we dislike about the product. I find it strange that tagged subinterfaces on the Juniper firewalls do not show up in Orion out of the box. In fact, I am not even able to get data from the physical port that has subints on it (doesn't even show up on the device when I do a Discovery). I've not figured out if it's even possible to tweak Orion and manually add the Netscreen Interfaces MIB so that it can see these sub-interfaces at Discovery time. We manage 100s of Juniper Netscreen and SSG devices for customers and on our corp network and this functionality is important to us.

                                                            • Re: Juniper Netscreen sub-interfaces?
                                                              epkmsnn

                                                              Working for Ericsson and are the sysadmin of a huge test network. We are using ISG-2000 (100 subinterfaces on 4 different VSD Groups + tunnels), SSG520, SSG550, SSG320.

                                                              • Re: Juniper Netscreen sub-interfaces?
                                                                viol8tor

                                                                This post is so old and it's pretty obvious SW is stringing us along.

                                                                That's another irritation I have. Yes, you can use UNDP's to get subinterfaces, tunnels, policies, sessions, rules, traffic, cpu, memory, fan status, power status, slot status, temps - if you are willing to spend the time and effort to dig through all the mibs.  (Just so everyone knows, the traffic info on NetScreens can be flawed, as what flows through the ASICs is not always recorded.)

                                                                It just irritates me that I have to apply 30, sometimes 80 UNDPs to get the info I need.

                                                                Just saying, it would be nice to apply or delete a group of UNDPs all at once.

                                                                It's like that with every single device I add to the system.

                                                                Cisco - hardware, bgp, routes, tcp, udp, ip (and tons of variations.)

                                                                HP Servers - all the SIM related mibs (60+ UNDPs) plus host resources

                                                                NetScreens - interfaces, hardware, tunnels, etc.

                                                                Linux Server, Blue Coats, F5's, blah blah blah... you get the picture.  There isn't a device that I do not apply a group of UNDP's  to. 

                                                                Click, click, click, click...applying each individual UNDP....

                                                                If UNDP's are going to be SW's answer to everything, how about focusing on making it easier to use and the output more along the lines of what is available natively.

                                                                (Don't get me started on auditing the UNDP's... that's another story.)

                                                                -v