Hi
I'm trying to monitor the number of active sessions through the firewall, which is fine using nsResSessAllocate for physical gateways, but I'm struggling to find a way to do it on a per-VSYS level?
There is not a MIB to pull for the active sessions in a VSYS.
Hi
I found this in the "Concepts & Examples ScreenOS Reference Guide" bottom part page 1452 in the all parts pdf:
"The host to which the security device maps VIP traffic must be reachable from the trust-vr. If the host is in a routing domain other than that of the trust-vr, you must define a route to reach it."
I guess that means that it will always try to find a route in trust-vr first. Then I need to route the traffic back to untrust-vr to make the traffic find its way.
Do you guys agree with that conclusion?
Anyway it works now after adding a route with next hop untrust-vr for 10.238.135.227/32.
That makes sense, as the VIP is a global object. It's been a while since I've done anything with VIPs.
It sounds like you need both the remote network to have NAT for you and the remote side also has an overlap with your server network and needs to NAT as well.
If that is the case then the NAT must occur on both your side and the remote side of the tunnel, where you each do a full replacement for the connection to work. This is the ScreenOS example showing both sides.
file:///Users/stevepuluka/Downloads/ScreenOS_VPN_with_Overlapping_Subnets.pdf
I have a Juniper SSG-550M that has all the LEDs in red except the power LED.
The LEDs stay that way at all times; I do not recognize the console cable.
Can somebody help me?
This is the cabling pinout for the RJ45-to-DB9 cable needed for the console. Juniper devices ship with a 9-pin adapter with the RJ45 on the other end. They have the same pinout as the blue Cisco cables if you have any of those around.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB4066
Once connected, the output during the boot process should give some information on the nature of the problem.
This is a hardware failure based on the status lights. The console will not display anything. You can either open a JTAC case for an RMA or replace the RAM.
Hi,
We're having a bit of a strange issue with latency and can't figure out why.
We have two Juniper Netscreen 50's running in HA mode at the gateway of our network. Every Wednesday the latency shoots up to almost unusable levels and remains that way until the firewalls are rebooted. Once rebooted the latency drops back to normal and remains that way until the next Wednesday.
Any ideas what could be causing this? Or any commands I can run to investigate and provide more information?
Thanks
Hi,
Can you check the below information:
1: What are the performance-related details on other days and on Wednesdays, during business hours?
get perf cpu all det
get perf session detail
get memory
get memory chunk
get session info
Any monitoring tool to check the port utilization.
2: Compare the get event of issue time and of normal time.
3: Any different sort of traffic, network analyzing, or port scan being used during the issue time?
Thanks,
Vikas
Thanks for the reply.
The following are from today where there are no issues, but obviously the last 24 hours' readings stretch back to Wednesday.
get perf cpu all det:
Last 60 seconds:
59: 40(47 3) 58: 34(42 2) 57: 32(40 2) 56: 62(72 0)*
55: 15(22 3) 54: 60(70 0)* 53: 22(29 3) 52: 58(68 0)*
51: 20(27 3) 50: 44(54 0) 49: 42(52 0) 48: 48(58 0)
47: 33(43 0) 46: 61(68 3)* 45: 24(34 0) 44: 61(68 3)*
43: 19(29 0) 42: 62(72 0)* 41: 70(77 3)* 40: 32(41 1)
39: 50(57 3)* 38: 30(40 0) 37: 51(58 3)* 36: 11(21 0)
35: 69(76 3)* 34: 21(31 0) 33: 47(54 3) 32: 54(61 3)*
31: 27(37 0) 30: 48(55 3) 29: 40(50 0) 28: 42(49 3)
27: 19(29 0) 26: 51(58 3)* 25: 27(37 0) 24: 54(61 3)*
23: 36(46 0) 22: 39(46 3) 21: 31(41 0) 20: 65(72 3)*
19: 25(35 0) 18: 38(45 3) 17: 50(60 0)* 16: 36(43 3)
15: 37(47 0) 14: 33(40 3) 13: 44(54 0) 12: 34(41 3)
11: 53(63 0)* 10: 20(27 3) 9: 54(64 0)* 8: 31(38 3)
7: 58(68 0)* 6: 28(35 3) 5: 47(57 0) 4: 22(29 3)
3: 65(75 0)* 2: 19(26 3) 1: 35(42 3) 0: 60(70 0)*
Last 60 minutes:
59: 39(48 1) 58: 40(48 1) 57: 40(49 1) 56: 40(49 1)
55: 39(47 1) 54: 41(49 1) 53: 39(47 1) 52: 39(48 1)
51: 38(47 1) 50: 39(48 1) 49: 65(74 1)* 48: 50(59 1)*
47: 40(49 1) 46: 41(49 1) 45: 40(48 1) 44: 41(49 1)
43: 38(46 1) 42: 39(47 1) 41: 39(48 1) 40: 41(49 1)
39: 41(50 1) 38: 38(47 1) 37: 39(47 1) 36: 38(46 1)
35: 41(49 1) 34: 39(48 1) 33: 41(50 1) 32: 37(45 1)
31: 34(42 1) 30: 40(49 1) 29: 35(43 1) 28: 39(48 1)
27: 39(48 1) 26: 40(48 1) 25: 39(47 1) 24: 37(46 1)
23: 41(49 1) 22: 40(48 1) 21: 40(48 1) 20: 40(48 1)
19: 40(49 1) 18: 39(48 1) 17: 38(46 1) 16: 39(47 1)
15: 41(49 1) 14: 39(48 1) 13: 39(48 1) 12: 39(48 1)
11: 38(46 1) 10: 38(47 1) 9: 39(48 1) 8: 40(48 1)
7: 40(49 1) 6: 39(47 1) 5: 40(48 1) 4: 40(48 1)
3: 41(49 1) 2: 39(48 1) 1: 39(48 1) 0: 39(47 1)
Last 24 hours:
23: 32(39 0) 22: 2( 1 0) 21: 2( 1 0) 20: 2( 1 0)
19: N/A 18: N/A 17: N/A 16: N/A
15: N/A 14: N/A 13: N/A 12: N/A
11: N/A 10: N/A 9: N/A 8: N/A
7: N/A 6: N/A 5: N/A 4: N/A
3: N/A 2: N/A 1: N/A 0: N/A
get perf session detail - Last 24 hours:
0: 8043 1: 13821 2: 14653 3: 19479 4: 18547 5: 0
6: 0 7: 0 8: 0 9: 0 10: 0 11: 0
12: 0 13: 0 14: 0 15: 0 16: 0 17: 0
18: 0 19: 0 20: 0 21: 0 22: 0 23: 0
get memory:
Memory: allocated 52002176, left 43751552, frag 457
get memory chunk
NAME SIZE SYS_MEM ALLOCMEM NALLOC NFREE MAX
===========================================================================
br_walk_Q 8 1052 0 0 85 -1
dmhash 20 0 0 0 0 -1
dm 32 0 0 0 0 -1
User Auth Msg Bufs 1004 0 0 0 0 4096
User Auth Table 404 0 0 0 0 4096
Dlog buffer 0 256 8092 0 0 31 256
Dlog Queue 36868 36904 36868 1 0 4
arp 100 8144 3000 30 48 2048
xlate-ctx 36 0 0 0 0 384
dip-in 44 0 0 0 0 64
tcp 392 7952 1568 4 16 -1
Session 40 0 0 0 0 32032
Link List Nodes 8 8216 24 3 679 -1
Hash Table Nodes 8 0 0 0 0 -1
New Kernel Timer 12 8224 948 79 433 -1
vlsm 20 8216 5260 263 78 -1
get session info:
alloc 173/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0
any monitoring tool to check the port utilization - I'll look at setting up a port utilization monitor.
Anything in the figures above jumping out to you?
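An added example (mine, not code from the thread or from Juniper) that parses the pasted get perf cpu, get perf session detail and get session info outputs into a baseline, so the Wednesday readings can be compared against a normal day. The excerpts below are constructed in the format shown above; reading each entry as avg(max min) with an asterisk at avg >= 50 is inferred from the paste, not taken from Juniper documentation.

```python
import re

# Constructed excerpts in the format the poster pasted (not the full output).
# "get perf cpu all det" entries read avg(max min); in the poster's paste an
# asterisk marks every interval whose avg is >= 50 (inferred from the paste,
# assumed here rather than taken from Juniper documentation).
CPU_SAMPLE = """Last 60 seconds:
59: 40(47 3) 58: 34(42 2) 57: 32(40 2) 56: 62(72 0)*
55: 15(22 3) 54: 60(70 0)* 53: 22(29 3) 52: 58(68 0)*
Last 24 hours:
23: 32(39 0) 22: 2( 1 0) 21: 2( 1 0) 20: N/A
"""
SESSION_SAMPLE = "0: 8043 1: 13821 2: 14653 3: 19479 4: 18547 5: 0"
SESSION_INFO = "alloc 173/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0"

CPU_RE = re.compile(r"(\d+):\s+(\d+)\(\s*(\d+)\s+(\d+)\)(\*?)")


def parse_cpu(text):
    """Map each 'Last ...' section to a list of (slot, avg, max, min, starred)."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.endswith(":"):          # section header such as "Last 60 seconds:"
            current = line[:-1]
            sections[current] = []
            continue
        for slot, avg, mx, mn, star in CPU_RE.findall(line):  # N/A slots do not match
            sections[current].append((int(slot), int(avg), int(mx), int(mn), star == "*"))
    return sections


def cpu_summary(entries, threshold=50):
    """Mean and peak of the avg column plus the slots at or above the threshold."""
    avgs = [e[1] for e in entries]
    return {"mean": sum(avgs) / len(avgs), "peak": max(avgs),
            "hot_slots": [e[0] for e in entries if e[1] >= threshold]}


def parse_session_hours(text):
    """'get perf session detail' hour: count pairs -> {hour: sessions}."""
    return {int(h): int(n) for h, n in re.findall(r"(\d+):\s+(\d+)", text)}


def session_utilisation(info_line):
    """Fraction of the session table in use, from the 'get session info' line."""
    alloc, maximum = map(int, re.search(r"alloc (\d+)/max (\d+)", info_line).groups())
    return alloc / maximum


if __name__ == "__main__":
    for name, entries in parse_cpu(CPU_SAMPLE).items():
        print(name, cpu_summary(entries))
    hours = parse_session_hours(SESSION_SAMPLE)
    print("busiest hour:", max(hours, key=hours.get),
          "session table used: %.2f%%" % (100 * session_utilisation(SESSION_INFO)))
```

Run it against a capture from a normal day and one from a Wednesday; a jump in hot_slots or in the session count per hour between the two is what to look for, since the table above shows the box nowhere near its 64064-session limit.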
Hello all,
Having trouble with my VPN between a Sonicwall and a Juniper SSG5. I have the tunnel up but it has one-way traffic. Followed the steps outlined on the KB and not having much luck. Here's my VPN info, please let me know if I need to provide anything further.
get sa
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000003< XXXX 500 esp:3des/sha1 bf18fb8f 2583 unlim A/D -1 0
00000003> XXXX 500 esp:3des/sha1 2aabdbf2 2583 unlim A/D -1 0
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2 msg ID
53e3053a: Completed negotiations with
SPI bf18fb8f, tunnel ID 3, and
lifetime 3600 seconds/0 KB.
2017-10-06 13:59:37 system info 00536 IKE XXXX phase 2:The symmetric
crypto key has been generated
successfully.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2 msg ID
53e3053a: Responded to the peer's
first message.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.
sydneyrd-ssg5-> get vpn proxy-id
vpn-name tun-if local-ip/mask remote-ip/mask proto/port tunnel-id
------------------------------------------------------------------------------------
Coburg tunnel.1 192.168.4.0/24 192.168.2.0/24 0/0 0x00000003
sydneyrd-ssg5-> get int tunnel.1
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link down, admin status up
vsys Root, zone Untrust, vr trust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 unnumbered, source interface ethernet0/1
*manage ip 0.0.0.0
bound vpn:
Coburg
sydneyrd-ssg5-> get route ip 192.168.2.0
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=15) via 210.8.1.232 (vr: trust-vr)
Interface ethernet0/1 , metric 1
sydneyrd-ssg5-> get vpn Coburg
Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Coburg Coburg tunl No nopfs-esp-3des-sha on 0 eth0/1
all proposals: nopfs-esp-3des-sha
peer gateway = XXXX
outgoing interface <ethernet0/1>
IPv4 address XYXY.
vpn monitor src I/F <default>, dst-IP <default>, optimized NO, rekey OFF
l2tp over ipsec use count <0>
idle timeout value <0>
vpnflag <04010022>
df-bit <clear>
sa_list <00000003>
single proxy id, check disabled, init done, total <1>
proxy id:
local 192.168.4.0/255.255.255.0, remote 192.168.2.0/255.255.255.0, proto 0, port 0/0
Bound tunnel interface: tunnel.1
Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN
DSCP-mark: disabled
sydneyrd-ssg5-> get policy all
Total regular policies 7, Default deny, Software based policy search, new policy enabled.
ID From To Src-address Dst-address Service Action State ASTLCB
12 Untrust Trust 192.168.2.0~ 192.168.4.0~ ANY Permit enabled ---X-X
11 Trust Untrust 192.168.4.0~ 192.168.2.0~ ANY Permit enabled ---X-X
Hi,
How are you checking that it's one-way traffic? And it's one way from which side?
Also, can you please check the output of "get sa stat"?
Thanks,
Vikas
There doesn't seem to be any major issue at present. You can use a monitoring tool such as PRTG to check port utilization or other usage. Don't use Syslog on the TCP port.
Thanks,
Vikas
The below can also be used to check the PPS on the device:
set pps
get pps <-- multiple times for the reference
unset pps
Thanks,
Vikas
I assume this is a route based vpn based on the output. It looks like you are missing the route into the tunnel interface.
sydneyrd-ssg5-> get route ip 192.168.2.0
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=15) via 210.8.1.232 (vr: trust-vr)
Interface ethernet0/1 , metric 1
The remote network 192.168.2.0 is hitting the default route. Create a route with the tunnel interface as the next hop for the 192.168.2.0/24 network.
Hi Vikas
Thanks for your reply.
That is correct, I have a tunnel between the DMZ zones of my two ssg5's.
The host is on the other side of the tunnel. I can ping both ways through the tunnel.
Here is the result of get route ip 10.238.135.227; I also added some relevant config.
-> get route ip 10.238.135.227
Dest for 10.238.135.227
--------------------------------------------------------------------------------------
none
potential routes in other vrouters:
untrust-vr : => 10.238.135.224/28 (id=6) via 0.0.0.0 (vr: utrust-vr)
Interface tunnel.2 , metric 1
-> get route id 6
route in untrust-vr
--------------------------------------------------------------------------------------
id: 6
IP address/mask: 10.238.135.224/28
next hop (gateway): 0.0.0.0
preference: 20
metric: 1
description:
outgoing interface: tunnel.2
vsys name/id: Root/0
tag: 0
flag: 24002040/00100001
type: static
Redistrubuted to:
status: active (for 5 days 0 hours 38 minutes 10 sseconds)
rotue in trust-vr
--------------------------------------------------------------------------------------
id: 6
IP address/mask: 10.238.135.117/32
next hop (gateway): 0.0.0.0
preference: 0
metric: 0
description:
outgoing interface: ethernet0/3
vsys name/id: Root/0
tag: 0
flag: 340000000/00100000
type: host
status: active (for 7 days 10 hours 0 minutes 53 sseconds)
Then there is one more in the third vr
Here is the route config.
The route in question:
set route 10.238.135.224/28 interface tunnel.2
set route 10.238.135.224/28 interface null metric 10
The tunnel config:
set vpn "dmz.tunnel" gateway "gateway" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "dmz.tunnel" monitor source-interface loopback.2 destination-ip 10.238.135.225 optimized rekey
set vpn "dmz.tunnel" id 0x15 bind interface tunnel.2
set vpn "dmz.tunnel" dscp-mark 0
set interface "tunnel.2" zone "DMZ"
set interface tunnel.2 ip unnumbered interface bgroup2.1
set interface loopback.2 ip 10.238.135.222/28
set interface loopback.2 route
If I ping from interface loopback.2:
-> ping 10.238.135.227 from loopback.2
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 10.238.135.227, timeout is 1 second from loopback.2
!!!!!
Sucess Rate is 100 procent (5/5), round-trip time min/avg/max=13/21/50 ms