Channel: All ScreenOS Firewalls (NOT SRX) posts

SSG 5 Firewall to Firewall VPN


I have 2 buildings connected router to router through a 10MB Internet link. Both are SSG 5 devices running the same OS. The VPN is working, but I am seeing an issue with performance. The WAN has Domain Authentication to a Windows Server 2012. I am able to log in, but getting to the desktop takes a bit longer than it should to load.

I have run pings from both sides of the routers. Ping to the DMZ is clean from both locations. Ping to the inside LAN from both locations is good. However, if I run a ping from LAN to LAN, performance is full of peaks and valleys, and there are even lost packets.

I am a bit new to this type of connection, so I am not sure if this is typical of a router to router VPN. I would sure like to get this smoothed out.

Any help would be greatly appreciated.

Thanks,

Edd
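The LAN-to-LAN symptom described above (spikes and lost packets) is easier to reason about with numbers. The script below is an added example, not part of the original post: it parses BSD/macOS-style ping output (the `SAMPLE_PING` text is constructed, not captured from the poster's network), reports loss, min/max/mean RTT, jitter as the mean change between consecutive replies, and flags replies far above the median as spikes. The thresholds in `verdict()` are assumptions for interactive logon traffic, not values from the page.

```python
import re
import statistics
from dataclasses import dataclass, field
from typing import List

# Constructed sample of LAN-to-LAN ping output through a site-to-site tunnel.
# The values are made up to look like the "peaks and valleys" and lost packets
# described in the post; they are not captured from anyone's network.
SAMPLE_PING = """\
64 bytes from 192.168.20.10: icmp_seq=1 ttl=126 time=14.2 ms
64 bytes from 192.168.20.10: icmp_seq=2 ttl=126 time=15.1 ms
64 bytes from 192.168.20.10: icmp_seq=3 ttl=126 time=212.7 ms
Request timeout for icmp_seq 4
64 bytes from 192.168.20.10: icmp_seq=5 ttl=126 time=13.9 ms
64 bytes from 192.168.20.10: icmp_seq=6 ttl=126 time=188.4 ms
Request timeout for icmp_seq 7
64 bytes from 192.168.20.10: icmp_seq=8 ttl=126 time=14.6 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(?P<seq>\d+).*?time=(?P<rtt>[\d.]+) ms")
TIMEOUT_RE = re.compile(r"timeout.*?icmp_seq[= ](?P<seq>\d+)", re.IGNORECASE)


@dataclass
class PingReport:
    sent: int
    received: int
    loss_pct: float
    min_ms: float
    max_ms: float
    mean_ms: float
    jitter_ms: float  # mean absolute change between consecutive RTTs
    spikes: List[int] = field(default_factory=list)  # icmp_seq values far above the median


def analyze_ping(output: str, spike_factor: float = 3.0) -> PingReport:
    """Parse ping output and summarise loss, latency and jitter.

    Probes are assumed to be numbered from 1, so the highest icmp_seq seen
    (reply or timeout) is taken as the number of probes sent.
    """
    rtts_by_seq = {}
    highest_seq = 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seq = int(m.group("seq"))
            rtts_by_seq[seq] = float(m.group("rtt"))
            highest_seq = max(highest_seq, seq)
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            highest_seq = max(highest_seq, int(m.group("seq")))

    seqs = sorted(rtts_by_seq)
    rtts = [rtts_by_seq[s] for s in seqs]
    if not rtts:
        raise ValueError("no echo replies found in ping output")

    received = len(rtts)
    sent = highest_seq
    loss_pct = 100.0 * (sent - received) / sent
    # Jitter as the mean absolute difference between consecutive replies.
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    jitter = statistics.fmean(diffs) if diffs else 0.0
    median = statistics.median(rtts)
    spikes = [s for s in seqs if rtts_by_seq[s] > spike_factor * median]

    return PingReport(sent, received, loss_pct, min(rtts), max(rtts),
                      statistics.fmean(rtts), jitter, spikes)


def verdict(report: PingReport, max_loss_pct: float = 1.0, max_jitter_ms: float = 20.0) -> str:
    """Rough call on whether a path looks healthy enough for interactive logon traffic.

    The loss and jitter limits are assumed thresholds, not values from the thread.
    """
    problems = []
    if report.loss_pct > max_loss_pct:
        problems.append(f"{report.loss_pct:.1f}% loss")
    if report.jitter_ms > max_jitter_ms:
        problems.append(f"{report.jitter_ms:.1f} ms jitter")
    if report.spikes:
        problems.append(f"RTT spikes at icmp_seq {report.spikes}")
    return "stable" if not problems else "unstable: " + ", ".join(problems)


if __name__ == "__main__":
    rep = analyze_ping(SAMPLE_PING)
    print(rep)
    print(verdict(rep))
```

Running the same capture against each hop (egress-to-egress across the 10MB line, then LAN-to-LAN through the tunnel) and comparing the reports isolates whether the loss and jitter appear only once traffic is encrypted, which is the distinction the questions in the reply below are after.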


Re: SSG 5 Firewall to Firewall VPN


Hi Edd,

Please answer the queries below for a better understanding of the issue:

+ Are you able to observe the spikes or drops when you initiate the ping from the egress interface of FW1 to the egress interface of FW2, which is connected to the 10Mbps line?
+ What is the result when the ping is initiated from the ingress interface of FW1 to the ingress interface of FW2?
+ Have you tested whether the communication between Domain Authentication and the Windows Server 2012 works fine without the VPN?
+ Check if all interfaces are configured to full duplex with the command: get int <interface name>, and also whether the switch ports are configured to full duplex or not.
+ Are you able to observe any VPN flaps or interface flaps in <get event>?
+ What are the CPU levels on the firewall, from the command: get perf cpu all detail?
+ Can you try changing the encryption algorithm to DES and check whether the performance improves or not?

Regards,
Rishi

Re: SSG140 Different Interface Routing and VLANs


You are welcome Paul, glad I could help!

who can help me to analyse the session information below


Total 3 sessions according filtering criteria.
id 221406/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 180, dip 0 module 0
 if 5(nspflag 801801):a.a.a.a/18001->c.c.c.c/3868,6,00005e000102,sess token 4,vlan 0,tun 0,vsd 0,route 133,wsf 0
 if 0(nspflag 801800):a.a.a.a/18001<-c.c.c.c/3868,6,549f350fc44c,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
id 223116/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 180, dip 0 module 0
 if 5(nspflag 801801):b.b.b.b/18001->c.c.c.c/3868,6,00005e000102,sess token 4,vlan 0,tun 0,vsd 0,route 133,wsf 0
 if 0(nspflag 801800):b.b.b.b/18001<-c.c.c.c/3868,6,549f350fc44c,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
id 254224/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 178, dip 0 module 0

Can these two sessions tell us whether the firewall receives replies from c.c.c.c, and whether the firewall forwards packets from c.c.c.c to the outgoing interface? If that cannot be confirmed from these two sessions, how can I confirm that information?

Re: L2TP over IPsec to Microsoft RRAS


Many thanks for your response. I've got it working but I'd like to verify my config and potentially help someone else.

I have my untrust (public) interface on e0/0. My ISP gave me a block of IPs on /29.

For example, my interface IP is 100.1.1.2/29. My NAT DST will be used with 100.1.1.3. The internal server IP will be 192.168.1.100.

Setup ARP:

set interface ethernet0/0 proxy-arp-entry 100.1.1.3

Add address:

set address untrust server-pub 100.1.1.3/32

Policy to allow IKE:

set policy from untrust to untrust any server-pub IKE nat dst ip 192.168.1.100 permit

Policy to deny any other traffic:

set policy from untrust to untrust any server-pub any nat dst ip 192.168.1.100 deny

Seems simple enough. Does that look legit?

Re: who can help me to analyse the session information below


The session view does not have any byte counters to tell if there is actually traffic in either direction.

But if you use the web interface and go to the policies view, turn on logging for the policy.

In the policy logs, there is a byte counter for both ingress and egress for each session that gets logged.
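As an added example (not code from either poster), here is a parser for the `get session` output quoted in the question, using the posted lines verbatim as sample input. It separates the forward (`->`) and reverse (`<-`) wing lines, flips the reverse wing so src/dst read in packet direction, and reports which policy id each session matched, which is the policy to turn logging on for when, as the reply above notes, the session view itself carries no byte counters. The third session in the dump has no wing lines, and the summary reports that rather than guessing why. The protocol-number names and the per-field reading of the wing line are my interpretation of the format, not Juniper documentation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The "get session" output from the post, used verbatim as sample input
# (a.a.a.a, b.b.b.b and c.c.c.c are the poster's own placeholders).
SAMPLE_GET_SESSION = """\
Total 3 sessions according filtering criteria.
id 221406/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 180, dip 0 module 0
 if 5(nspflag 801801):a.a.a.a/18001->c.c.c.c/3868,6,00005e000102,sess token 4,vlan 0,tun 0,vsd 0,route 133,wsf 0
 if 0(nspflag 801800):a.a.a.a/18001<-c.c.c.c/3868,6,549f350fc44c,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
id 223116/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 180, dip 0 module 0
 if 5(nspflag 801801):b.b.b.b/18001->c.c.c.c/3868,6,00005e000102,sess token 4,vlan 0,tun 0,vsd 0,route 133,wsf 0
 if 0(nspflag 801800):b.b.b.b/18001<-c.c.c.c/3868,6,549f350fc44c,sess token 3,vlan 0,tun 0,vsd 0,route 1,wsf 0
id 254224/s**,vsys 0,flag 08000040/0000/0001/0000,policy 88,time 178, dip 0 module 0
"""

TOTAL_RE = re.compile(r"^Total (\d+) sessions")
SESSION_RE = re.compile(
    r"^id (?P<id>\d+)/(?P<state>[^,]+),vsys (?P<vsys>\d+),flag (?P<flag>[0-9a-fA-F/]+),"
    r"policy (?P<policy>\d+),time (?P<time>\d+),\s*dip (?P<dip>\d+) module (?P<module>\d+)")
WING_RE = re.compile(
    r"^\s*if (?P<ifnum>\d+)\(nspflag (?P<nspflag>[0-9a-fA-F]+)\):"
    r"(?P<left>[^/]+)/(?P<lport>\d+)(?P<arrow>->|<-)(?P<right>[^/]+)/(?P<rport>\d+),"
    r"(?P<proto>\d+),(?P<mac>[0-9a-fA-F]+),sess token (?P<token>\d+),vlan (?P<vlan>\d+),"
    r"tun (?P<tun>\d+),vsd (?P<vsd>\d+),route (?P<route>\d+),wsf (?P<wsf>\d+)")


@dataclass
class Wing:
    interface: int
    forward: bool   # True for the "->" line, False for the "<-" reverse line
    src: str        # always in packet direction, i.e. flipped for the reverse wing
    sport: int
    dst: str
    dport: int
    proto: int
    mac: str
    route: int


@dataclass
class Session:
    id: int
    state: str
    vsys: int
    flag: str
    policy: int
    time: int
    wings: List[Wing] = field(default_factory=list)


def parse_get_session(text: str) -> Tuple[Optional[int], List[Session]]:
    """Parse 'get session' output; returns (declared total, parsed sessions)."""
    declared = None
    sessions: List[Session] = []
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = SESSION_RE.match(line)
        if m:
            g = m.groupdict()
            sessions.append(Session(int(g["id"]), g["state"], int(g["vsys"]), g["flag"],
                                    int(g["policy"]), int(g["time"])))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            g = m.groupdict()
            forward = g["arrow"] == "->"
            src, sport, dst, dport = ((g["left"], g["lport"], g["right"], g["rport"]) if forward
                                      else (g["right"], g["rport"], g["left"], g["lport"]))
            sessions[-1].wings.append(Wing(int(g["ifnum"]), forward, src, int(sport), dst,
                                           int(dport), int(g["proto"]), g["mac"], int(g["route"])))
    return declared, sessions


def summarize(s: Session) -> dict:
    """One-line view per session: policy, timeout, and whether both wings are shown."""
    names = {1: "icmp", 6: "tcp", 17: "udp"}
    fwd = next((w for w in s.wings if w.forward), None)
    rev = next((w for w in s.wings if not w.forward), None)
    fmt = lambda w: f"if{w.interface} {w.src}:{w.sport} -> {w.dst}:{w.dport}"
    return {
        "id": s.id, "policy": s.policy, "timeout_s": s.time,
        "proto": names.get(fwd.proto, str(fwd.proto)) if fwd else None,
        "forward_wing": fmt(fwd) if fwd else None,
        "reverse_wing": fmt(rev) if rev else None,
        "both_wings_shown": bool(fwd and rev),
    }


def policies_to_log(sessions: List[Session]) -> List[int]:
    """Distinct policy ids the sessions matched, i.e. the policies to enable logging on."""
    return sorted({s.policy for s in sessions})


if __name__ == "__main__":
    declared, sessions = parse_get_session(SAMPLE_GET_SESSION)
    print(f"declared {declared}, parsed {len(sessions)}")
    for s in sessions:
        print(summarize(s))
    print("enable logging on policies:", policies_to_log(sessions))
```

The summary shows that both direction wings are installed for the first two sessions, but, as the reply says, that only proves the session table has state for the reverse path, not that any reply bytes were actually received; the byte counts come from the policy log once logging is enabled on the policy ids this prints.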

ECMP


Hi,
Could you kindly help me?
I have a Juniper SSG550. I have configured 4 lines on it with ECMP, and I have configured 75 policy-based VPNs.

I want to add a 5th line, and I know that the maximum for ECMP is 4,
so is there any workaround?

Re: ECMP


Perhaps you can re-structure your 5 paths into two virtual routers, with 2 in one and 3 in the other.

Then have your downstream set up in a third VR that has ECMP up to the other two.

This will not perfectly distribute to the 5, but perhaps give you a better utilization spread than any other option I can think of. Unfortunately it is a little complicated.

Re: SSG 5 Firewall to Firewall VPN


Rishi,

Thank you for this info, and sorry it has taken this long to respond. I am a bit green on terminology. I am attaching a small PDF to show a "mock" layout of the VPN. Perhaps the ping of ingress/egress could be labeled to ensure I am gathering the correct info.

Ed

Re: SSG 5 Firewall to Firewall VPN


+ Are you able to observe the spikes or drops when you initiate the ping from the egress interface of FW1 to the egress interface of FW2, which is connected to the 10Mbps line? ---- I am getting a good, solid ping from egress to FW1 and the same with egress to FW2. Clean, no latency or dropped packets.

+ What is the result when the ping is initiated from the ingress interface of FW1 to the ingress interface of FW2? ---- I get “NO SUCCESS”. This is when tried from the CLI.

+ Have you tested whether the communication between Domain Authentication and the Windows Server 2012 works fine without the VPN? ---- Domain Authentication works well. No errors or lag.

+ Check if all interfaces are configured to full duplex with the command: get int <interface name>, and also whether the switch ports are configured to full duplex or not. ---- Full duplex on both the firewall and switches.

+ Are you able to observe any VPN flaps or interface flaps in <get event>? ---- I am not seeing any VPN flap.

+ What are the CPU levels on the firewall, from the command: get perf cpu all detail? ---- Average System Utilization is 1%.

+ Can you try changing the encryption algorithm to DES and check whether the performance improves or not? ---- This will be difficult as I am the sole IT and the buildings are located about 45 minutes from each other. Won’t the switch from 3DES to DES disrupt the VPN connection?

Re: Forward public ip to device directly attached to ssg interface


It is the simplest and best solution!

Thanks,

Renato

Re: SSG 5 Firewall to Firewall VPN


I would recommend making the changes to the existing setup during the MW, because any change will disrupt the VPN.

Based on your answers, I would suggest that you raise a JTAC case, as this will require some real-time troubleshooting on the FW.

Regards,

Rishi

Web Filtering Can't Work


I have updated the web filtering license on a Juniper SSG 5 and then done the configuration, but the result is still not implemented.

This is the step by step for my configuration:

1. Object --> User --> Local --> User (example)
2. Object --> User --> Local Group --> Group-user (example)
3. Policy --> Policy Element --> Address List --> Untrust --> IP (192.168.172.0/32) example
4. Policy --> Policy Element --> Address --> List --> Trust --> any (0.0.0.0)
5. Policy --> Policy Element --> Address --> Group --> Untrust (Group-Block) example
6. Security --> Web Filtering --> Categories --> Custom --> Blacklist, Whitelist (example)
7. Security --> Web Filtering --> Profile --> Custom --> ns-block (example) --> blacklist (block) --> whitelist (permit)
8. Security --> Web Filtering --> Protocol --> Integrated (SurfControl) SC-CPA
9. Policy --> Policies --> Source Address (Any) --> Destination Address (Group-Block) --> Service (HTTP) --> Web Filtering (checked) --> Action (Deny)

After the configuration above, web filtering still can't work. For example, a blacklisted site (www.facebook.com) can still be accessed; it is not blocked.

Thank you

Aris

Re: ECMP


Thank you my dear Spuluka,

It was very helpful.

I tested it in my environment and I will use it in production after two days.

Re: ECMP


Hi Spuluka,

Thank you for your cooperation.

Could you please advise me what the best design is to load share the traffic across links with different bandwidth (20M, 8M, 2M, ...)?

SSG140 SNMP over Internet

Hi,

I've been trying to configure SNMP on an SSG140 over the public Internet, to monitor it from a SolarWinds server.

I got this message on the SSG: 'SNMP request from an unknown SNMP community aaa at X.X.X.X:xxxx has been received.'
But the SolarWinds server failed to poll anything from the router; it seems the request did not get through, or the router does not allow the request.
Is it possible to do this over the Internet? Or did I miss something?
Any help would be appreciated.
Thanks.
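The event message quoted above is also worth watching on its own: on a firewall whose SNMP agent is reachable from the Internet, the same "unknown SNMP community" line appears both when the legitimate monitoring server sends a community name the firewall does not recognise and when an unrelated Internet host tries community names against it. The script below is an added example, not from the poster or from Juniper: it groups those events by source address and separates the two cases using an allow-list of management networks. The `SAMPLE_EVENTS` lines are constructed (the timestamp prefix is a simplification of the real event-log format, and the addresses are documentation ranges), and the allow-list network is an assumption standing in for the real monitoring server's address.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed event lines in the style of the message quoted in the post.
# The timestamp prefix is a simplification of the real event-log format, and
# the addresses are documentation ranges (TEST-NET-2/3), not real hosts.
SAMPLE_EVENTS = """\
2024-01-15 09:12:01 SNMP request from an unknown SNMP community aaa at 203.0.113.10:50112 has been received.
2024-01-15 09:12:31 SNMP request from an unknown SNMP community aaa at 203.0.113.10:50113 has been received.
2024-01-15 09:12:40 SNMP request from an unknown SNMP community public at 198.51.100.77:41000 has been received.
2024-01-15 09:13:00 VPN tunnel to-branch is up.
2024-01-15 09:13:01 SNMP request from an unknown SNMP community aaa at 203.0.113.10:50114 has been received.
2024-01-15 09:13:05 SNMP request from an unknown SNMP community private at 198.51.100.77:41001 has been received.
"""

# Matches the message text quoted in the post; other event lines are ignored.
UNKNOWN_COMMUNITY_RE = re.compile(
    r"SNMP request from an unknown SNMP community (?P<community>\S+) "
    r"at (?P<src>[0-9.]+):(?P<port>\d+) has been received")


def triage_snmp_events(lines: Iterable[str], allowed_managers: Iterable[str]) -> List[dict]:
    """Group 'unknown SNMP community' events by source and classify each source.

    A source inside allowed_managers (the monitoring server's network) points to a
    configuration mismatch on the firewall side: the community name, or the hosts
    permitted to use it, do not match what the manager sends. Any other source is
    unsolicited SNMP traffic reaching the public interface and should be blocked
    rather than accommodated.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_managers]
    by_src: Dict[str, dict] = defaultdict(lambda: {"count": 0, "communities": set()})
    for line in lines:
        m = UNKNOWN_COMMUNITY_RE.search(line)
        if not m:
            continue
        entry = by_src[m.group("src")]
        entry["count"] += 1
        entry["communities"].add(m.group("community"))

    findings = []
    for src, entry in sorted(by_src.items()):
        addr = ipaddress.ip_address(src)
        expected = any(addr in n for n in nets)
        findings.append({
            "source": src,
            "count": entry["count"],
            "communities": sorted(entry["communities"]),
            "verdict": "manager_mismatch" if expected else "unexpected_source",
        })
    return findings


if __name__ == "__main__":
    # 203.0.113.0/24 stands in for the monitoring server's network (assumed value).
    for finding in triage_snmp_events(SAMPLE_EVENTS.splitlines(), ["203.0.113.0/24"]):
        print(finding)
```

For the `manager_mismatch` case the fix is on the firewall: the community name must match what the poller sends, the poller's address has to be among the hosts allowed for that community, and SNMP management has to be enabled on the interface facing the poller. For `unexpected_source` findings, the right response is to restrict SNMP to the known manager addresses rather than to widen anything; exposing the agent to the whole Internet just to get polling working is the setting to avoid.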