Well, I found it by examining the configuration file.
It seems the management had been disabled.
Once enabled, all is fine again.
I have NO idea how it got that way but it's not important now.
I'm hitting a limit of 128KB file size on PCAP files that I export using snoop. I need to capture traffic for about 5 minutes and this is limiting me.
Here is my filter:
ssg550-> snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: ON, Detail Display length: 1514
Snoop tunnel traffic: ON
Snoop filter based on:
id 1(on): IP ip X.X.X.X dir(B)
ssg550-> get dbuf stream > tftp X.X.X.X NewCapture.pcap
Every single capture file is limited to 128KB; whether I run the capture for 1 minute or 5 minutes, it just overwrites the beginning of the file. I need the capture in PCAP/Wireshark format and I need to see the entire TCP flow, which is why I am not just displaying the traffic in the buffer.
Is there any solution?
That is the default file size. You can increase it using the command
set db size 4096
Please note that the maximum size is 4MB. Once this limit is reached, the device will overwrite the oldest output. The other option you have is to send the debug output to a flash drive, which will support up to 2G.
Instructions are at: https://kb.juniper.net/InfoCenter/index?page=content&id=KB12277
Oh, and Wireshark can open the file directly as long as the file starts with a new packet and it is not tunnel traffic.
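One check worth running on the export before handing it to Wireshark, as an added example that is not from the thread or from Juniper: a small reader for the libpcap container that reports the packet count and time span, a last record that is cut short (the buffer filled or wrapped), or a first record whose header is not sane (the export did not begin on a packet boundary, which is the case the answer above warns about). It assumes standard libpcap framing (24-byte global header, 16-byte record headers); the two-packet sample file is constructed inline.

```python
"""Sanity-check a libpcap file exported from a ScreenOS debug buffer."""
import struct
import sys

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# On-disk magic -> (struct byte-order prefix, timestamp fraction units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
}


def inspect_pcap(data: bytes) -> dict:
    """Walk every record; report count, time span, truncation and corruption."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file (magic %s)" % data[:4].hex())
    endian, frac_per_sec = MAGICS[data[:4]]
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    result = {"packets": 0, "first_ts": None, "last_ts": None, "span_seconds": 0.0,
              "snaplen": snaplen, "linktype": linktype, "truncated": False, "corrupt": None}
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            result["truncated"] = True          # record header itself is cut short
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        # A header that cannot be valid means we are not sitting on a record boundary
        if (snaplen and incl_len > snaplen) or incl_len > orig_len or ts_frac >= frac_per_sec:
            result["corrupt"] = ("record header at offset %d is not sane "
                                 "(incl_len=%d orig_len=%d ts_frac=%d)"
                                 % (off, incl_len, orig_len, ts_frac))
            break
        if off + RECORD_HEADER_LEN + incl_len > len(data):
            result["truncated"] = True          # packet bytes cut short: buffer filled or wrapped
            break
        ts = ts_sec + ts_frac / frac_per_sec
        if result["first_ts"] is None:
            result["first_ts"] = ts
        result["last_ts"] = ts
        result["packets"] += 1
        off += RECORD_HEADER_LEN + incl_len
    if result["packets"]:
        result["span_seconds"] = result["last_ts"] - result["first_ts"]
    return result


def build_sample_pcap() -> bytes:
    """Constructed two-packet Ethernet capture (link type 1), packets 300.5 s apart."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    frames = [(1_700_000_000, 0, b"\x00" * 60), (1_700_000_300, 500_000, b"\x01" * 42)]
    records = b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in frames)
    return header + records


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        info = inspect_pcap(fh.read())
    print("%(packets)d packets over %(span_seconds).3f s, snaplen %(snaplen)d, "
          "linktype %(linktype)d" % info)
    if info["truncated"]:
        print("last record is cut short; Wireshark shows the packets before it and warns")
    if info["corrupt"]:
        print("export does not start on a packet boundary: " + info["corrupt"])
```

Usage: `python3 pcapcheck.py NewCapture.pcap`. If the time span reported is far shorter than the minutes you ran snoop for, the buffer wrapped and only the tail survived, which is the symptom in the question; raise the buffer with `set db size` or use the flash-drive option before capturing again.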
Hi,
Found the solution.
Actually the firewall detects the WAN IP, not the NAT IP, so what I did was configure the host IP with the WAN IP.
Thanks for the help, really appreciate it.
rgds.
Hello, I'm trying to access my SSG5 via Firefox but I get the error message "ssl_error_no_cypher_overlap". What is wrong? Something with FF or the SSG5? Please help me.
Hello,
It seems that the FW's default self-signed certificate uses the RC4 cipher, which is not supported by the latest browsers.
You can try the following steps to change the cipher and test:
1.) "set ssl encrypt 3des sha-1" on the firewall to change the cipher used to access the device from RC4_MD5 to 3DES_SHA-1
# If step one does not work, then you can try changing the self-signed certificate on the device with 3DES as the cipher:
2. Please follow these steps to generate the certificate:
+ Prior to performing this procedure, you have to delete the system self-signed certificate:
# delete pki object-id system
+ Then follow these steps:
+ Define the certificate attributes:
# Objects>certificates>new>fill in the parameters>select key length as 2048 and RSA > generate a self signed certificate
+ After the security device generates a key pair, to learn the ID number for the key pair, use the following command:
# get pki x509 list key-pair
+ Use this local certificate for managing the device:
# Configuration>admin>management>in the certificate drop-down select this new certificate and select the cipher as DES or 3DES
Please let me know if this works or not.
Regards,
Rishi
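To see for yourself which side is missing the suite before and after changing the setting, here is an added example (not from the thread or from Juniper) that probes the device's HTTPS port one cipher suite at a time, using the OpenSSL names for the two ScreenOS options above: RC4-MD5 is the default, DES-CBC3-SHA is what "set ssl encrypt 3des sha-1" selects. The third, AES128-SHA, is a control suite I added to tell "the device refuses this" apart from "my own OpenSSL no longer has it"; it is my assumption, not a documented ScreenOS option. Host and port are command-line arguments. Note that 3DES is itself deprecated and current browsers are dropping it too, so treat the cipher change as a stop-gap and restrict where the WebUI is reachable from.

```python
"""Probe which TLS cipher suites a device's HTTPS management port will negotiate."""
import socket
import ssl
import sys

# OpenSSL suite name -> what it corresponds to on the firewall (control suite is an assumption)
SUITES = {
    "RC4-MD5": "ScreenOS default (RC4_MD5)",
    "DES-CBC3-SHA": "after 'set ssl encrypt 3des sha-1' (3DES_SHA-1)",
    "AES128-SHA": "control suite that current browsers still accept",
}


def build_context(cipher: str):
    """Client context restricted to one suite, or None if the local OpenSSL
    build no longer contains that suite at all (RC4 is absent from most builds)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the device presents a self-signed certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1      # old firmware speaks TLS 1.0
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2    # keep TLS 1.3 from bypassing set_ciphers
    except (ValueError, AttributeError):
        pass  # this build cannot move the version bounds; keep its defaults
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")   # SECLEVEL=0 re-enables legacy suites (OpenSSL 1.1+)
    except ssl.SSLError:
        return None
    return ctx


def probe(host: str, port: int, cipher: str, timeout: float = 5.0):
    """Return (status, detail); status is one of negotiated, handshake-failed,
    connect-failed, local-stack-missing."""
    ctx = build_context(cipher)
    if ctx is None:
        return "local-stack-missing", "local OpenSSL has no %s" % cipher
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, bits = tls.cipher()
                return "negotiated", "%s over %s (%d-bit)" % (name, proto, bits)
    except ssl.SSLError as exc:
        # e.g. SSLV3_ALERT_HANDSHAKE_FAILURE: the device has no suite in common with us
        return "handshake-failed", exc.reason or str(exc)
    except OSError as exc:
        return "connect-failed", str(exc)


def probe_all(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Probe every suite in SUITES against one host."""
    return {suite: probe(host, port, suite, timeout) for suite in SUITES}


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for suite, (status, detail) in probe_all(host, port).items():
        print("%-13s %-45s %-19s %s" % (suite, SUITES[suite], status, detail))
```

Usage: `python3 tlsprobe.py 192.0.2.1`. If RC4-MD5 comes back as local-stack-missing, that is exactly why Firefox reports no cipher overlap: the client side no longer carries the suite, and nothing on the firewall can change that except offering a different one. After the "set ssl encrypt" change, DES-CBC3-SHA should show negotiated; if it shows handshake-failed, the setting did not take effect and the certificate route in step 2 is the next thing to try.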
Hello,
I was just wondering how to add an additional vsys license (upgrade) to a firewall that already has 50 vsys. I have the license, which is a 50 to 100 vsys upgrade.
What is the process to install the upgrade license without it causing an issue for the existing vsys? Just import the new license key?
Thanks.
Hello ,
Please follow the KB article below, which explains the process of adding the vsys license keys to the device:
# https://kb.juniper.net/InfoCenter/index?page=content&id=KB5518&actp=search
After uploading, the device has to be rebooted for the license to take effect.
It would not create any issues for your existing vsys. Please accept the solution or mark as Kudos if this resolves your issue.
Regards,
Rishi
Thanks. So for an NSRP pair, I would assume: do the backup first and reboot, then fail over, do the other, then fail back?
Thanks.
Hi,
Yes, for the NSRP pair you need to first upload the license on the backup, followed by the reboot. Once the license is successfully installed on the backup, you need to perform the failover. Once the new master takes over, the license has to be installed on the new backup device, followed by the reboot.
After successful installation, perform the failback.
Please refer to the KB article below to perform the failover and failback in the NSRP cluster:
# https://kb.juniper.net/InfoCenter/index?page=content&id=KB5885&smlogin=true&actp=search
Let me know if you have any further queries.
Regards,
Rishi
Thanks. So we received the vsys license, but it's weird: we were never asked for the serial number of the devices. For a vsys upgrade from 50 -> 100, do I need to supply the serial number? Is the serial number attached to the license?
Hi,
Generally the licenses are linked to the serial numbers. You can confirm this by calling our customer care numbers (+1 888-314-5822, +1 408-745-9500).
Let me know if you face any issues while uploading the licenses.
Regards,
Rishi
For ScreenOS licenses I generally use the online tool.
https://www.juniper.net/lcrs/spgGenerateLicense.do
Select the Firewall/IPSEC VPN option (weird, but this is the old designation for the ScreenOS devices).
Then add the serial number and the code provided by your reseller.
Hello,
I have an SSG5 running version 6.3.0 and am trying to get a DHCP address from a tagged sub-interface.
config:
eth0/4 0.0.0.0/0 Null
eth0/4.1 192.168.20.1/24 zone 3 tag 3
eth0/4.1 dhcp service server (gw 192.168.20.1 255.255.255.0) lease 1 day
eth0/4.1 dhcp list : type dynamic from 192.168.20.10 - 192.168.20.100
When I connect my notebook to port eth0/4 I receive no IP address.
--------------
I tried the DHCP configuration on eth0/4 itself and it worked, but I need to go with the sub-interface because I need to tag it with VLAN 3.
any suggestions?
thanks!
Your config looks correct, but your test will not work. Your laptop is not able to process tagged traffic. You would need to test with equipment that can recognize a VLAN tag as destined for the device.
Hi Kc,
I agree with Steve that the laptop's NIC won't be able to understand VLAN tags, which is causing this issue.
Can you please let us know the requirement for the VLAN tag even when there is no switch in the path and there is a direct connection?
This would help us suggest you a better solution.
Regards,
Rishi
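To run the test Steve and Rishi describe from a laptop whose NIC does not understand tags, here is an added example (not from the thread or from Juniper) that builds the 802.1Q-tagged DHCPDISCOVER itself and decodes whatever comes back, including the VLAN ID on the reply. It assumes Linux (AF_PACKET raw sockets, run as root) and takes the interface name and VLAN ID on the command line; the DHCP payload is the RFC 2131 minimum, and the MAC addresses in the test are constructed. On Linux the same test can be done without code by adding a VLAN sub-interface (`ip link add link eth0 name eth0.3 type vlan id 3`) and running a DHCP client on it; the script is for when you want to see the tag on the wire and confirm which VLAN the OFFER actually arrived on.

```python
"""Send a VLAN-tagged DHCPDISCOVER from a Linux host and decode tagged replies."""
import os
import socket
import struct
import sys
import time

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_P_ALL = 0x0003
PACKET_AUXDATA = 8            # SOL_PACKET option: deliver struct tpacket_auxdata as cmsg
TP_STATUS_VLAN_VALID = 1 << 4
BROADCAST_MAC = b"\xff" * 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dhcp_message(op: int, mac: bytes, xid: int, msg_type: int, yiaddr: bytes = b"\0" * 4) -> bytes:
    """Minimal BOOTP/DHCP payload (RFC 2131): 236 fixed bytes, magic cookie, options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,  # broadcast flag
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4, mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type]) + bytes([55, 3, 1, 3, 6]) + b"\xff"  # type; want mask/router/DNS; end
    return fixed + b"\x63\x82\x53\x63" + options


def frame(src_mac: bytes, vlan_id, payload: bytes, sport: int = 68, dport: int = 67) -> bytes:
    """Ethernet [+ 802.1Q] + IPv4 0.0.0.0 -> 255.255.255.255 + UDP; vlan_id=None means untagged."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum optional over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return BROADCAST_MAC + src_mac + tag + struct.pack("!H", ETH_P_IP) + ip + udp


def parse_frame(data: bytes):
    """Return (vlan_id or None, DHCP message type or None, offered address or None)."""
    vlan_id, off = None, 14
    ethertype = struct.unpack("!H", data[12:14])[0]
    if ethertype == ETH_P_8021Q:
        vlan_id = struct.unpack("!H", data[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", data[16:18])[0], 18
    if ethertype != ETH_P_IP or data[off + 9] != 17:          # not IPv4/UDP
        return vlan_id, None, None
    udp = off + (data[off] & 0x0F) * 4
    if struct.unpack("!HH", data[udp:udp + 4]) != (67, 68):   # only server -> client traffic
        return vlan_id, None, None
    dhcp = udp + 8
    yiaddr = socket.inet_ntoa(data[dhcp + 16:dhcp + 20])
    opts, i, msg_type = data[dhcp + 240:], 0, None
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                                        # pad option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return vlan_id, msg_type, yiaddr


def recv_frame(sock, size: int = 2048) -> bytes:
    """The NIC or kernel usually strips the 802.1Q tag on receive and hands it back as
    ancillary data (PACKET_AUXDATA); re-insert it so parse_frame sees the VLAN ID."""
    data, ancdata, _flags, _addr = sock.recvmsg(size, socket.CMSG_SPACE(20))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_PACKET and ctype == PACKET_AUXDATA:
            status, _len, _snap, _mac, _net, tci, _tpid = struct.unpack("IIIHHHH", cdata[:20])
            if status & TP_STATUS_VLAN_VALID:
                data = data[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + data[12:]
    return data


def discover(iface: str, vlan_id: int, timeout: float = 5.0):
    """Linux only, needs root: broadcast a tagged DISCOVER, return (vlan, ip) of the first OFFER."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.setsockopt(socket.SOL_PACKET, PACKET_AUXDATA, 1)
    sock.bind((iface, 0))
    mac = sock.getsockname()[4]
    xid = int.from_bytes(os.urandom(4), "big")
    sock.send(frame(mac, vlan_id, dhcp_message(1, mac, xid, 1)))
    sock.settimeout(timeout)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            vid, mtype, addr = parse_frame(recv_frame(sock))
        except (socket.timeout, IndexError, struct.error):
            continue
        if mtype == 2:                                          # DHCPOFFER
            return vid, addr
    return None


if __name__ == "__main__":
    print(discover(sys.argv[1], int(sys.argv[2])))
```

Usage: `sudo python3 vlandhcp.py eth0 3`. A result like `(3, '172.16.1.20')` means the sub-interface's DHCP server answered on VLAN 3; `None` with the config from the question means the DISCOVER was tagged correctly but nothing replied, which points at the firewall side rather than the laptop. A reply with VLAN `None` means some device along the path answered untagged, which is what you would see if the DHCP server were bound to the parent interface instead of the tagged sub-interface.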
hi,
Thanks for your quick response.
The goal is to separate guest and internal wifi.
hardware setup : cisco wap321 poe -> cisco 200-50p -> ssg5 eth0/4 -> ISP Router
I'm trying to get IP addresses for our guest wifi (VLAN 3 tag) via an SSG5 sub-interface.
We're using a Cisco WAP321 with 2 SSIDs - VLAN 1 internal and VLAN 3 guest - connected to a Cisco 200-50P with default VLAN 1 and VLAN 3 for guest, connected to SSG5 port eth4.
Regards,
chris
Thanks for the clarification on the scenario. I have set up a similar operation in the past to a Cisco WAP using the tagged interface. This is a sample configuration that worked for the DHCP server in that setup. Just change the interfaces and addresses per your needs.
set interface ethernet0/6.1 tag 3 zone "guest"
set interface ethernet0/6.1 ip 172.16.1.1/24
set interface ethernet0/6.1 route
set interface ethernet0/6.1 ip manageable
set interface ethernet0/6.1 manage ping
set interface ethernet0/6.1 manage snmp
set interface ethernet0/6.1 dhcp server service
set interface ethernet0/6.1 dhcp server auto
set interface ethernet0/6.1 dhcp server option lease 1440
set interface ethernet0/6.1 dhcp server option gateway 172.16.1.1
set interface ethernet0/6.1 dhcp server option netmask 255.255.255.0
set interface ethernet0/6.1 dhcp server option dns1 8.8.8.78
set interface ethernet0/6.1 dhcp server option dns2 8.8.4.4
unset interface ethernet0/6.1 dhcp server config next-server-ip
unset interface ethernet0/6.1 dhcp server config updatable
Thanks, I'll try it asap.
The SSG5 configuration looks like this now:
ethernet0/4 - 0.0.0.0/0 Null Unused Up
ethernet0/4.1 3 172.16.1.1/24 zone3 Layer3 Up
dhcp range 172.16.1.20 - 172.16.1.100
Regards
PS: it is working now so far - another question:
I made a policy zone3 to untrust allow any any, but I cannot get out to the internet.