Re: SSG5 reboots all the time
Thanks for your answer Gokul. Here's the output of 'get log sys save' and 'get log sys' when it works normally: ssg5-serial-> get log sys save6.3.0r13.0...
Re: Phase2 failure message with there was preexisting session from the same peer
Hello, Spokes are behind the NAT device with dynamic IP. The first two tunnels (one spoke ssg5 and the other srx100) come up phase1,2 but third tunnel with third spokes srx100 fail the phase2 with...
Traffic Shaping
Hi Experts, I just wanted to ask your opinion about the traffic shaping settings that we have at the moment. We have created these policies (see attached) and I'll be also attaching the traffic...
Re: Traffic Shaping
You will also need to configure the maximum ingress and egress bandwidth on your interface. Also, based on your configuration, your VoIP traffic will only be allowed a maximum of 1Mbps. Even if...
Re: Traffic Shaping
Hi rseibert, Yeah, we wanted to have 1MB dedicated bandwidth for VOIP and 3MB dedicated bandwidth for Data. Alright! I have specified the maximum bandwidth on the ingress and egress of the interface....
Re: SSG5 reboots all the time
You are welcome Marcin, The coredump is empty. Looks more like a hardware issue to me
Re: Phase2 failure message with there was preexisting session from the same peer
I am not sure about the SRX CLI, but I assume the commands will clear all IKE SAs. From the SSG side, you can clear the SA as well as the session: get sa | i <<IP of the SRX>> In the output...
Re: Phase2 failure message with there was preexisting session from the same peer
Another question - do all these 3 spokes sit behind the same NAT device or different ones? There is a small chance that the NAT entry on the NAT-ing box expired. So, when P2 gets renegotiated, it would...
Re: Phase2 failure message with there was preexisting session from the same peer
On the SRX, please make sure the 'Untrust' zone interface is permitting inbound ike. "set security zones security-zone Untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike"...
Re: debug flow basic on tftp?
Hi Gokul, thanks for your time! We did it the way you suggested and it worked! Thanks again, bye
Re: help!! because There was a preexisting session from the same peer
I just resolved this EXACT issue - and the problem was with the SRX, not the SSG... With me, I am terminating my SRX tunnel (gateway) on a loopback interface w/ a private IP. The tunnel is in dynamic...
Re: help!! because There was a preexisting session from the same peer
Interesting find... But, if the P2 negotiation packets are dropped on the SRX due to intrazone block, I would expect the Phase-1 negotiation to be dropped in the first place because both P1 and P2 use...
Re: Phase2 failure message with there was preexisting session from the same peer
You may also want to check the latest posts in: http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/help-because-There-was-a-preexisting-session-from-the-same-peer/td-p/258033
Remotely Manage a VPN Terminated PC
Let me explain the scenario to the above subject. We're using Shrewsoft VPN Client to terminate a VPN on our NetscreenOS SSG-550. This is working correctly, we can access all resources within our LAN...
ISG-2000 vpn version2 features
I am looking to establish an IKEv2 tunnel between ISG-2000 and ASA, and in that I have a doubt whether the tunnel can support SHA-256. As per the datasheet of ISG-2000 only SHA-1 is written which creates a...
Re: Critical ScreenOS Security Flaw: 6.2.0r15 through 6.2.0r18 and 6.3.0r12...
Juniper has now completed the ScreenOS VPN updates with the removal of the DUAL_EC_DRBG and the ANSI X9.31 PRNG in ScreenOS 6.3r22...
Firmware upgrade and NSRP
Hi, we've got a problem with a remote site of ours. It's only just been noticed that an ssg20 NSRP pair are sitting on firmware version 6.2.0r5.0 (Firewall+VPN) - we want to upgrade the firmware to...