Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: SSG 5 - get VIP to look for route in Untrust-vr


Hi

 

I found this in the "Concepts & Examples ScreenOS Reference Guide", bottom part of page 1452 in the all-parts PDF:

 

"The host to which the security device maps VIP traffic must be reachable from the trust-vr. If the host is in a routing domain other than that of the trust-vr, you must define a route to reach it."

 

I guess that means that it will always try to find a route in trust-vr first. Then I need to route the traffic back to untrust-vr to make the traffic find its way.

 

Do you guys agree with that conclusion?

 

Anyway it works now after adding a route with next hop untrust-vr for 10.238.135.227/32.

 


Re: SSG 5 - get VIP to look for route in Untrust-vr


That makes sense, as the VIP is a global object.  It's been a while since I've done anything with VIPs.
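The poster's fix, a trust-vr route for the VIP host whose next hop is the untrust-vr, can be reasoned about with a small model of how a lookup crosses two virtual routers. What follows is an added illustration in Python, not ScreenOS code and not anything from the thread: the two vrouter names and the host 10.238.135.227 come from the post, while the interfaces, gateways and every other route are constructed. It shows the lookup starting in trust-vr, as the quoted reference guide requires, falling onto the default route when nothing more specific exists, and handing over to untrust-vr once a /32 route whose target is that vrouter is present (in ScreenOS CLI terms, a "set route 10.238.135.227/32 vrouter untrust-vr" entered under "set vrouter trust-vr").

```python
"""Model of a route lookup across two ScreenOS virtual routers, added to illustrate the VIP
thread above. Python illustration, not ScreenOS code: vrouter names and the host
10.238.135.227 come from the post; interfaces, gateways and other routes are constructed."""
import ipaddress


class VRouter:
    """A routing table with longest-prefix match. A route's target is one of
    gateway=<ip>, interface=<name> or vrouter=<other vrouter> (hand the lookup over)."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, kind, target)

    def add_route(self, prefix, **target):
        (kind, value), = target.items()
        assert kind in ("gateway", "interface", "vrouter"), kind
        self.routes.append((ipaddress.ip_network(prefix), kind, value))
        return self

    def lookup(self, addr):
        """Most specific route covering addr, or None."""
        ip = ipaddress.ip_address(addr)
        candidates = [r for r in self.routes if ip in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def resolve(vrouters, start_vr, addr, max_hops=8):
    """Look addr up starting in start_vr; follow 'vrouter' routes into the next table.
    Returns the list of (vrouter, prefix, kind, target) steps, or None on a dead end."""
    path, vr = [], start_vr
    for _ in range(max_hops):  # two tables pointing at each other would otherwise loop
        route = vrouters[vr].lookup(addr)
        if route is None:
            return None
        net, kind, target = route
        path.append((vr, str(net), kind, target))
        if kind != "vrouter":
            return path
        vr = target
    raise RuntimeError("vrouter lookup loop")


def build_vrouters(with_fix):
    """Constructed topology: the VIP host sits on a segment that only untrust-vr knows about.
    with_fix adds the poster's route (a /32 in trust-vr whose next hop is the untrust-vr)."""
    trust = (VRouter("trust-vr")
             .add_route("10.1.0.0/16", interface="ethernet0/2")  # constructed LAN
             .add_route("0.0.0.0/0", gateway="10.1.0.1"))        # constructed default
    untrust = (VRouter("untrust-vr")
               .add_route("10.238.135.0/24", interface="ethernet0/0")  # constructed host segment
               .add_route("0.0.0.0/0", gateway="10.238.135.1"))
    if with_fix:
        trust.add_route("10.238.135.227/32", vrouter="untrust-vr")
    return {"trust-vr": trust, "untrust-vr": untrust}


def build_loop():
    """Two tables whose defaults point at each other: what resolve() guards against."""
    a = VRouter("trust-vr").add_route("0.0.0.0/0", vrouter="untrust-vr")
    b = VRouter("untrust-vr").add_route("0.0.0.0/0", vrouter="trust-vr")
    return {"trust-vr": a, "untrust-vr": b}
```

Without the /32, the lookup for the host ends on trust-vr's default gateway and never reaches the segment the host is on; with it, the path is trust-vr then untrust-vr, terminating on the constructed interface. Any other address keeps following trust-vr's default, which is why a host route, rather than a second default, is the minimal change.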

Re: nat incoming source with MIP (ScreenOS)


It sounds like you need the remote network to NAT for you, and the remote side also has an overlap with your server network and needs to NAT as well.

 

If that is the case then the NAT must occur on both your side and the remote side of the tunnel, where you each do a full replacement for the connection to work.  This is the ScreenOS example showing both sides.

 

file:///Users/stevepuluka/Downloads/ScreenOS_VPN_with_Overlapping_Subnets.pdf

Does not load OS


I have a Juniper SSG-550M that has all the LEDs in red except the power LED.

The LEDs stay that way at all times, and it does not recognize the console cable.

 

Can somebody help me?

 

WhatsApp Image 2017-10-02 at 16.54.19.jpeg

Re: Does not load OS

This is a hardware issue (RAM failure). You would need to RMA the device.

Re: Does not load OS


This is the cabling pinout for the RJ45 to DB9 cable needed for the console cable.  Juniper devices ship with a 9-pin adapter with the RJ45 on the other end.  They have the same pinout as the blue Cisco cables if you have any of those around.

 

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/port-ex-series-rj45-db9-adapter-pinout.html

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB4066

 

Once connected the output during the boot process should give some information on the nature of the problem.

Re: Does not load OS


This is a hardware failure based on the status lights.  The console will not display anything.  You can either open a JTAC case for an RMA or replace the RAM.

Strange Latency Issue Netscreen 50


Hi,

 

We're having a bit of a strange issue with latency and can't figure out why.

 

We have two Juniper NetScreen 50s running in HA mode at the gateway of our network. Every Wednesday the latency shoots up to almost unusable levels and remains that way until the firewalls are rebooted. Once rebooted the latency drops back to normal and remains that way until the next Wednesday.

 

Any ideas what could be causing this? Or any commands I can run to investigate and provide more information?

 

Thanks


Re: Strange Latency Issue Netscreen 50


Hi,

 

Can you check the below information:

 

1: What are the performance-related details on other days and on Wednesdays, during business hours?

    get perf cpu all det

    get perf session detail

    get memory

    get memory chunk

    get session info

    any monitoring tool to check the port utilization.

 

2: Compare the get event output from the issue time and from a normal time.

 

3: Any different sort of traffic, network analysis or port scanning in use during the issue time?

 

Thanks,

Vikas


Re: Strange Latency Issue Netscreen 50


Thanks for the reply.

The following are from today, when there are no issues, but obviously the last-24-hours readings stretch back to Wednesday.

 

get perf cpu all det:

Last 60 seconds:
59: 40(47 3) 58: 34(42 2) 57: 32(40 2) 56: 62(72 0)*
55: 15(22 3) 54: 60(70 0)* 53: 22(29 3) 52: 58(68 0)*
51: 20(27 3) 50: 44(54 0) 49: 42(52 0) 48: 48(58 0)
47: 33(43 0) 46: 61(68 3)* 45: 24(34 0) 44: 61(68 3)*
43: 19(29 0) 42: 62(72 0)* 41: 70(77 3)* 40: 32(41 1)
39: 50(57 3)* 38: 30(40 0) 37: 51(58 3)* 36: 11(21 0)
35: 69(76 3)* 34: 21(31 0) 33: 47(54 3) 32: 54(61 3)*
31: 27(37 0) 30: 48(55 3) 29: 40(50 0) 28: 42(49 3)
27: 19(29 0) 26: 51(58 3)* 25: 27(37 0) 24: 54(61 3)*
23: 36(46 0) 22: 39(46 3) 21: 31(41 0) 20: 65(72 3)*
19: 25(35 0) 18: 38(45 3) 17: 50(60 0)* 16: 36(43 3)
15: 37(47 0) 14: 33(40 3) 13: 44(54 0) 12: 34(41 3)
11: 53(63 0)* 10: 20(27 3) 9: 54(64 0)* 8: 31(38 3)
7: 58(68 0)* 6: 28(35 3) 5: 47(57 0) 4: 22(29 3)
3: 65(75 0)* 2: 19(26 3) 1: 35(42 3) 0: 60(70 0)*

Last 60 minutes:
59: 39(48 1) 58: 40(48 1) 57: 40(49 1) 56: 40(49 1)
55: 39(47 1) 54: 41(49 1) 53: 39(47 1) 52: 39(48 1)
51: 38(47 1) 50: 39(48 1) 49: 65(74 1)* 48: 50(59 1)*
47: 40(49 1) 46: 41(49 1) 45: 40(48 1) 44: 41(49 1)
43: 38(46 1) 42: 39(47 1) 41: 39(48 1) 40: 41(49 1)
39: 41(50 1) 38: 38(47 1) 37: 39(47 1) 36: 38(46 1)
35: 41(49 1) 34: 39(48 1) 33: 41(50 1) 32: 37(45 1)
31: 34(42 1) 30: 40(49 1) 29: 35(43 1) 28: 39(48 1)
27: 39(48 1) 26: 40(48 1) 25: 39(47 1) 24: 37(46 1)
23: 41(49 1) 22: 40(48 1) 21: 40(48 1) 20: 40(48 1)
19: 40(49 1) 18: 39(48 1) 17: 38(46 1) 16: 39(47 1)
15: 41(49 1) 14: 39(48 1) 13: 39(48 1) 12: 39(48 1)
11: 38(46 1) 10: 38(47 1) 9: 39(48 1) 8: 40(48 1)
7: 40(49 1) 6: 39(47 1) 5: 40(48 1) 4: 40(48 1)
3: 41(49 1) 2: 39(48 1) 1: 39(48 1) 0: 39(47 1)

Last 24 hours:
23: 32(39 0) 22: 2( 1 0) 21: 2( 1 0) 20: 2( 1 0)
19: N/A 18: N/A 17: N/A 16: N/A
15: N/A 14: N/A 13: N/A 12: N/A
11: N/A 10: N/A 9: N/A 8: N/A
7: N/A 6: N/A 5: N/A 4: N/A
3: N/A 2: N/A 1: N/A 0: N/A

 

get perf session detail - Last 24 hours:

0: 8043 1: 13821 2: 14653 3: 19479 4: 18547 5: 0
6: 0 7: 0 8: 0 9: 0 10: 0 11: 0
12: 0 13: 0 14: 0 15: 0 16: 0 17: 0
18: 0 19: 0 20: 0 21: 0 22: 0 23: 0

 

get memory:
Memory: allocated 52002176, left 43751552, frag 457

 

get memory chunk

NAME                SIZE   SYS_MEM  ALLOCMEM  NALLOC  NFREE    MAX
===========================================================================
br_walk_Q              8     1052         0       0     85     -1
dmhash                20        0         0       0      0     -1
dm                    32        0         0       0      0     -1
User Auth Msg Bufs  1004        0         0       0      0   4096
User Auth Table      404        0         0       0      0   4096
Dlog buffer 0        256     8092         0       0     31    256
Dlog Queue         36868    36904     36868       1      0      4
arp                  100     8144      3000      30     48   2048
xlate-ctx             36        0         0       0      0    384
dip-in                44        0         0       0      0     64
tcp                  392     7952      1568       4     16     -1
Session               40        0         0       0      0  32032
Link List Nodes        8     8216        24       3    679     -1
Hash Table Nodes       8        0         0       0      0     -1
New Kernel Timer      12     8224       948      79    433     -1
vlsm                  20     8216      5260     263     78     -1

 

get session info:

alloc 173/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0

 

any monitoring tool to check the port utilization - I'll look at setting up a port utilization monitor.

 

Anything in the figures above jumping out to you?
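Vikas's suggestion to capture the same counters on a normal day and on a Wednesday is easier to act on if the pasted output is reduced to a few comparable numbers. The following is an added example in Python, not something from the thread or from Juniper: it parses the "get perf cpu all detail", "get session info" and "get memory" output posted above (the 60-minute window is left out for space) and compares it with a constructed "bad Wednesday" snapshot. The parser copes with the "N/A" buckets and the "( 1 0)" spacing seen in the 24-hour window, and checks the observation that the firmware's "*" marker lands on exactly the buckets at 50 or above; the meaning of the two parenthesised sub-values is not assumed, they are simply carried through.

```python
"""Compare ScreenOS performance snapshots: 'get perf cpu all detail', 'get session info',
'get memory'. Added example, not from the thread; BASELINE_* is the output posted above
(60-minute window omitted), DEGRADED_* is constructed to show what the comparison flags."""
import re
from statistics import mean

# Bucket: "<idx>: <total>(<a> <b>)[*]" or "<idx>: N/A". The '*' is the firmware's own marker;
# in the posted output it sits on exactly the buckets whose total is 50 or more.
_BUCKET = re.compile(r"(\d+):\s+(?:(N/A)|(\d+)\(\s*(\d+)\s+(\d+)\)(\*?))")
_WINDOW = re.compile(r"^Last (\d+ (?:seconds|minutes|hours)):", re.M)
_SESSION = re.compile(r"alloc (\d+)/max (\d+), alloc failed (\d+)")
_MEMORY = re.compile(r"allocated (\d+), left (\d+), frag (\d+)")

BASELINE_CPU = """\
Last 60 seconds:
59: 40(47 3) 58: 34(42 2) 57: 32(40 2) 56: 62(72 0)*
55: 15(22 3) 54: 60(70 0)* 53: 22(29 3) 52: 58(68 0)*
51: 20(27 3) 50: 44(54 0) 49: 42(52 0) 48: 48(58 0)
47: 33(43 0) 46: 61(68 3)* 45: 24(34 0) 44: 61(68 3)*
43: 19(29 0) 42: 62(72 0)* 41: 70(77 3)* 40: 32(41 1)
39: 50(57 3)* 38: 30(40 0) 37: 51(58 3)* 36: 11(21 0)
35: 69(76 3)* 34: 21(31 0) 33: 47(54 3) 32: 54(61 3)*
31: 27(37 0) 30: 48(55 3) 29: 40(50 0) 28: 42(49 3)
27: 19(29 0) 26: 51(58 3)* 25: 27(37 0) 24: 54(61 3)*
23: 36(46 0) 22: 39(46 3) 21: 31(41 0) 20: 65(72 3)*
19: 25(35 0) 18: 38(45 3) 17: 50(60 0)* 16: 36(43 3)
15: 37(47 0) 14: 33(40 3) 13: 44(54 0) 12: 34(41 3)
11: 53(63 0)* 10: 20(27 3) 9: 54(64 0)* 8: 31(38 3)
7: 58(68 0)* 6: 28(35 3) 5: 47(57 0) 4: 22(29 3)
3: 65(75 0)* 2: 19(26 3) 1: 35(42 3) 0: 60(70 0)*
Last 24 hours:
23: 32(39 0) 22: 2( 1 0) 21: 2( 1 0) 20: 2( 1 0)
19: N/A 18: N/A 17: N/A 16: N/A
15: N/A 14: N/A 13: N/A 12: N/A
11: N/A 10: N/A 9: N/A 8: N/A
7: N/A 6: N/A 5: N/A 4: N/A
3: N/A 2: N/A 1: N/A 0: N/A
"""
BASELINE_SESSION = "alloc 173/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0"
BASELINE_MEMORY = "Memory: allocated 52002176, left 43751552, frag 457"

# Constructed 'bad Wednesday' snapshot (not real data): CPU pegged, session table nearly
# full with allocation failures, memory far above the baseline.
DEGRADED_CPU = "Last 60 seconds:\n59: 96(98 1)* 58: 94(97 2)* 57: 99(99 3)* 56: 91(95 0)*\n"
DEGRADED_SESSION = "alloc 61900/max 64064, alloc failed 37, mcast alloc 0, di alloc failed 0"
DEGRADED_MEMORY = "Memory: allocated 88000000, left 7753728, frag 12000"


def parse_perf_cpu(text):
    """{window: [(idx, total, a, b, starred), ...]}; N/A buckets (not yet populated) are dropped."""
    windows = {}
    parts = _WINDOW.split(text)  # [prefix, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        buckets = []
        for m in _BUCKET.finditer(body):
            if m.group(2) is None:
                idx, total, a, b = (int(m.group(i)) for i in (1, 3, 4, 5))
                buckets.append((idx, total, a, b, m.group(6) == "*"))
        windows[name] = buckets
    return windows


def star_marks_threshold(windows, threshold=50):
    """True if '*' is present on exactly the buckets with total >= threshold, in every window."""
    return all(starred == (total >= threshold)
               for buckets in windows.values() for _, total, _, _, starred in buckets)


def summarize(cpu_text, session_line, memory_line):
    """Reduce one snapshot to the numbers worth lining up against another day's."""
    totals = [t for _, t, _, _, _ in parse_perf_cpu(cpu_text).get("60 seconds", [])]
    alloc, max_sess, failed = map(int, _SESSION.search(session_line).groups())
    used, left, frag = map(int, _MEMORY.search(memory_line).groups())
    return {
        "cpu_avg_60s": round(mean(totals), 1) if totals else None,
        "cpu_max_60s": max(totals, default=None),
        "cpu_hot_60s": sum(t >= 50 for t in totals),
        "session_pct": round(100.0 * alloc / max_sess, 2),
        "session_alloc_failed": failed,
        "mem_used_pct": round(100.0 * used / (used + left), 1),
        "mem_frag": frag,
    }


def compare(baseline, current):
    """Return the findings that separate 'something built up' from a steady-state box."""
    findings = []
    if current["session_alloc_failed"] > baseline["session_alloc_failed"]:
        findings.append("session allocation failures increased")
    if current["session_pct"] >= 90:
        findings.append("session table near its maximum")
    if current["mem_used_pct"] - baseline["mem_used_pct"] >= 20:
        findings.append("memory in use rose sharply against baseline")
    if None not in (baseline["cpu_avg_60s"], current["cpu_avg_60s"]) \
            and current["cpu_avg_60s"] - baseline["cpu_avg_60s"] >= 30:
        findings.append("CPU average over the last minute far above baseline")
    return findings
```

On the posted data this yields an average of about 41 over the last minute with 20 buckets at or above 50, under 1% of the session table in use and no allocation failures, so compare() against itself returns nothing; the constructed degraded snapshot trips all four findings. Capturing the same three commands while the slowdown is in progress and feeding both snapshots to compare() is the concrete form of step 1 in the reply above.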

Site to Site VPN -SSG5 to Sonicwall


Hello all,

 

Having trouble with my VPN between a SonicWall and a Juniper SSG5. I have the tunnel up but it has one-way traffic. I followed the steps outlined in the KB and am not having much luck. Here's my VPN info; please let me know if I need to provide anything further.

 

get sa

HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000003< XXXX 500 esp:3des/sha1 bf18fb8f 2583 unlim A/D -1 0
00000003> XXXX 500 esp:3des/sha1 2aabdbf2 2583 unlim A/D -1 0

 

 

2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2 msg ID
53e3053a: Completed negotiations with
SPI bf18fb8f, tunnel ID 3, and
lifetime 3600 seconds/0 KB.
2017-10-06 13:59:37 system info 00536 IKE XXXX phase 2:The symmetric
crypto key has been generated
successfully.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2 msg ID
53e3053a: Responded to the peer's
first message.
2017-10-06 13:59:37 system info 00536 IKE XXXX Phase 2: Received a
message but did not check a policy
because id-mode was set to IP or
policy-checking was disabled.

 

sydneyrd-ssg5-> get vpn proxy-id
vpn-name tun-if local-ip/mask remote-ip/mask proto/port tunnel-id
------------------------------------------------------------------------------------
Coburg tunnel.1 192.168.4.0/24 192.168.2.0/24 0/0 0x00000003

 

sydneyrd-ssg5-> get int tunnel.1
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link down, admin status up
vsys Root, zone Untrust, vr trust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 unnumbered, source interface ethernet0/1
*manage ip 0.0.0.0
bound vpn:
Coburg

 

sydneyrd-ssg5-> get route ip 192.168.2.0
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=15) via 210.8.1.232 (vr: trust-vr)
Interface ethernet0/1 , metric 1

 

 

sydneyrd-ssg5-> get vpn Coburg
Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------------
Coburg Coburg tunl No nopfs-esp-3des-sha on 0 eth0/1
all proposals: nopfs-esp-3des-sha
peer gateway = XXXX
outgoing interface <ethernet0/1>
IPv4 address XYXY.
vpn monitor src I/F <default>, dst-IP <default>, optimized NO, rekey OFF
l2tp over ipsec use count <0>
idle timeout value <0>
vpnflag <04010022>
df-bit <clear>
sa_list <00000003>
single proxy id, check disabled, init done, total <1>
proxy id:
local 192.168.4.0/255.255.255.0, remote 192.168.2.0/255.255.255.0, proto 0, port 0/0
Bound tunnel interface: tunnel.1

Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN

DSCP-mark: disabled

 

sydneyrd-ssg5-> get policy all
Total regular policies 7, Default deny, Software based policy search, new policy enabled.
ID From To Src-address Dst-address Service Action State ASTLCB
12 Untrust Trust 192.168.2.0~ 192.168.4.0~ ANY Permit enabled ---X-X
11 Trust Untrust 192.168.4.0~ 192.168.2.0~ ANY Permit enabled ---X-X

Re: Site to Site VPN -SSG5 to Sonicwall


Hi,

 

How are you checking that it's one-way traffic? And it's one-way from which side?

 

Also, can you please check the output of "get sa stat"?

 

Thanks,

Vikas

Re: Strange Latency Issue Netscreen 50


There doesn't seem to be any major issue at present. You can use a monitoring tool such as PRTG to check port utilization and other usage. Don't use syslog on the TCP port.

 

Thanks,

Vikas

Re: Strange Latency Issue Netscreen 50


Below can also be used to check the PPS on the device :

 

set pps

get pps <-- multiple times for the reference

unset pps

 

Thanks,
Vikas

Re: Site to Site VPN -SSG5 to Sonicwall


I assume this is a route-based VPN based on the output.  It looks like you are missing the route into the tunnel interface.

 

sydneyrd-ssg5-> get route ip 192.168.2.0
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=15) via 210.8.1.232 (vr: trust-vr)
Interface ethernet0/1 , metric 1

The remote network 192.168.2.0 is hitting the default route.  Create a route with the tunnel interface as the next hop for the 192.168.2.0/24 network.
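The diagnosis above (the remote network falling onto the default route instead of tunnel.1) is the kind of thing worth checking mechanically, together with the tunnel binding and the policy pair, before going back and forth on which side is dropping traffic. The following is an added example in Python, not code from the thread or from Juniper: it runs over the "get vpn proxy-id", "get route ip", "get interface tunnel.1" and "get policy all" output posted above, reports the missing route together with the ScreenOS command that adds it, and also runs against a constructed "after" route output (its route id and next hop are made up) to show the check passing. The address-name comparison is a heuristic because "get policy all" truncates names with "~".

```python
"""Checks for a ScreenOS route-based VPN driven by pasted CLI output. Added example, not from
the thread. PROXY_ID, ROUTE_BEFORE, TUNNEL_IF and POLICIES are the outputs posted above
(peer addresses were already masked by the poster); ROUTE_AFTER is constructed to show what
'get route ip' should look like once the route into tunnel.1 exists (route id is made up)."""
import ipaddress
import re

_ROUTE = re.compile(
    r"(?P<vr>\S+)\s*:\s*=>\s*(?P<prefix>\S+)\s*\(id=(?P<id>\d+)\)\s*via\s*(?P<via>\S+)[^\n]*\n"
    r"\s*Interface\s+(?P<iface>\S+)\s*,\s*metric\s+(?P<metric>\d+)")
_ZONE = re.compile(r"\bzone (\S+),")
_BOUND = re.compile(r"bound vpn:\s*(\S+)")
_POLICY = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(Permit|Deny)\s+(\S+)", re.M)

PROXY_ID = "Coburg tunnel.1 192.168.4.0/24 192.168.2.0/24 0/0 0x00000003"
ROUTE_BEFORE = """\
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=15) via 210.8.1.232 (vr: trust-vr)
Interface ethernet0/1 , metric 1
"""
ROUTE_AFTER = """\
Dest for 192.168.2.0
--------------------------------------------------------------------------------------
trust-vr : => 192.168.2.0/24 (id=16) via 0.0.0.0 (vr: trust-vr)
Interface tunnel.1 , metric 1
"""
TUNNEL_IF = """\
Interface tunnel.1:
link down, admin status up
vsys Root, zone Untrust, vr trust-vr
bound vpn:
Coburg
"""
POLICIES = """\
ID From To Src-address Dst-address Service Action State ASTLCB
12 Untrust Trust 192.168.2.0~ 192.168.4.0~ ANY Permit enabled ---X-X
11 Trust Untrust 192.168.4.0~ 192.168.2.0~ ANY Permit enabled ---X-X
"""


def parse_proxy_id(line):
    """One row of 'get vpn proxy-id': <vpn> <tunnel-if> <local> <remote> <proto/port> <tunnel-id>."""
    vpn, tun, local, remote, proto_port, tid = line.split()
    return {"vpn": vpn, "tunnel_if": tun, "local": ipaddress.ip_network(local),
            "remote": ipaddress.ip_network(remote), "proto_port": proto_port, "tunnel_id": tid}


def check_route(proxy, route_text):
    """Does the route the box chooses for the remote proxy-id network enter the tunnel interface?"""
    m = _ROUTE.search(route_text)
    if not m:
        raise ValueError("unrecognised 'get route ip' output")
    ok = m["iface"] == proxy["tunnel_if"]
    return {"vr": m["vr"], "prefix": m["prefix"], "interface": m["iface"], "ok": ok,
            # ScreenOS static route pointing at an interface; a tunnel needs no gateway
            "fix": None if ok else f"set route {proxy['remote']} interface {proxy['tunnel_if']}"}


def check_binding(proxy, tunnel_if_text):
    """Zone of the tunnel interface and whether it is bound to this VPN ('get interface tunnel.N')."""
    bound = _BOUND.search(tunnel_if_text)
    return {"zone": _ZONE.search(tunnel_if_text).group(1),
            "bound_ok": bound is not None and bound.group(1) == proxy["vpn"]}


def _covers(shown, net):
    # 'get policy all' truncates address names with '~'; compare on the visible stem (heuristic)
    stem = shown.rstrip("~")
    return stem in ("Any", "ANY") or str(net.network_address).startswith(stem)


def check_policies(proxy, zone, policy_text):
    """Enabled permit policies in both directions between the tunnel's zone and the local network?"""
    inbound = outbound = False
    for _pid, frm, to, src, dst, _svc, action, state in _POLICY.findall(policy_text):
        if action != "Permit" or state != "enabled":
            continue
        if frm == zone and _covers(src, proxy["remote"]) and _covers(dst, proxy["local"]):
            inbound = True
        if to == zone and _covers(src, proxy["local"]) and _covers(dst, proxy["remote"]):
            outbound = True
    return {"inbound": inbound, "outbound": outbound}


def audit(proxy_line, route_text, tunnel_if_text, policy_text):
    """Run the three checks and roll them into one verdict."""
    proxy = parse_proxy_id(proxy_line)
    route = check_route(proxy, route_text)
    binding = check_binding(proxy, tunnel_if_text)
    policies = check_policies(proxy, binding["zone"], policy_text)
    return {"route": route, "binding": binding, "policies": policies,
            "ok": route["ok"] and binding["bound_ok"] and all(policies.values())}
```

On the posted output the binding and both policies check out and only the route fails, with the suggested fix "set route 192.168.2.0/24 interface tunnel.1"; on the constructed after-state everything passes.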

 


Juniper to Peplink IPsec


Hello ladies and gents. 

 

Would like to ask for some help if it's ok.

 

We are trying to set up a connection between the Peplink "LAN port" and Juniper port 0/2 (Untrust), over IPsec as this guy explains.

 

https://forum.peplink.com/t/configure-ipsec-to-a-juniper-ssg-firewall/8304 

 

The point we don't understand is how to set up the public/external IP on the Juniper so the internet can flow through the port, from the Peplink to the Juniper.

 

One more question: do we have to enable DHCP on 0/0 so everyone can connect without using manual IP addresses?

 

Best Regards.

 

 

Re: Juniper to Peplink IPsec


The link in your post seems to have some extra characters hidden at the end.  Here is the KB article link:

https://forum.peplink.com/t/configure-ipsec-to-a-juniper-ssg-firewall/8304

 

This KB outlines setting up a site-to-site VPN connecting a private network at the Peplink to a private network on the SSG.

Peplink LAN Network 192.168.2.0/24
Juniper SSG LAN Network 192.168.1.0/24

 

When completed, local LAN SSG clients on 192.168.1.0/24 will be able to communicate with services published by the Peplink on 192.168.2.0/24.

 

There is no internet default route in this particular VPN setup.  If they are providing internet via this VPN, the Peplink is likely giving you a proxy server address in the 192.168.2.0/24 subnet to configure for your client devices to use.  The only connectivity from this VPN setup is between those two private networks.

 

You won't need any DHCP on the Untrust interface for your clients; they will still use the local LAN DHCP as they do now.

Re: Strange Latency Issue Netscreen 50


So I've grabbed the data from when the firewalls started to struggle again last week. It seems to happen when people are actually working on the network: we are using it as a test network at the moment, and we saw the performance get worse after we had people working there.

I've attached the files as I took screenshots this time.

 

Again, rebooting the firewall seemed to solve the issue.  Any ideas? Does something 'build-up' on the firewalls which then clears after a reboot?

Policy based traffic shaping (how it impacts non defined policies)


Hello,

 

I am currently testing policy-based traffic shaping. Can someone tell me how the firewall (SSG Series 140, 550M etc.) treats the packets that fall under a policy which has no traffic shaping on it, considering there are other policies with traffic shaping enabled on the firewall?

 

Mainly I am interested to understand whether the non-shaped policies are treated as default (meaning they are treated as default and served last).

 

Thanks in advance,

Re: Policy based traffic shaping (how it impacts non defined policies)


They are treated as default, and will be given the lowest priority.
