Re: VPN tunnel going up and down (how to check if ISP has block ESP traffic)
Hi, Only adding the proxy-id will not help. We have to ensure the ICMP connectivity between 2 IPs, one IP behind each VPN gateway. In your VPN-monitor you need to specify a source and destination IP,...
Unexpected traffic getting through SSG-350M to DMZ
I have had very little experience with Junipers and inherited my firewall from my predecessor. I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be...
Re: Unexpected traffic getting through SSG-350M to DMZ
It is possible that the traffic is hitting a different policy. Can you provide the output of "debug flow basic"?
set ff dst-ip 10.9.8.7 dst-port 445
set ff dst-ip 100.101.102.103 dst-port 445
set ff...
Re: Unexpected traffic getting through SSG-350M to DMZ
It shows that the traffic is being permitted by policy 362. Can you provide the output of
get config | inc "TCP/5067"
get config | inc "TCP/8267"
get config | inc "microsoft-ds"
Re: Unexpected traffic getting through SSG-350M to DMZ
The difference between VIP and MIP: VIP is flexible port forwarding only sending the specified ports in the configuration and only in the direction configured. MIP is for Mapped IP meaning a one-to-one...
Re: Unexpected traffic getting through SSG-350M to DMZ
That looks like the answer. Whoever created the rule apparently got it "a bit" wrong for TCP/5067. Already tested and it works as it should. THANKS! Here is the output you asked for: Remote...
SSG350M - Firmware 6.3 - Dual ISP - Routing Issue - Failover
Hi All, After setting up an SSG350M active/passive cluster, I am running into the problem that I'm not able to figure out how to configure a dual ISP routing configuration. Both ISPs are bound to...
Re: SSG350M - Firmware 6.3 - Dual ISP - Routing Issue - Failover
With ScreenOS on the SSG the simplest way to set up a primary and backup ISP is using the backup function under interfaces. Interfaces > Backup Set your primary and backup ISP interfaces here and us...
SSG5 DHCP Relay not working after tunnel cycles
We have an office location that has been having a problem with their provider going down. When it goes down, of course the tunnel drops. When the provider network comes back up, the SSG5 reconnects the...
Re: SSG5 DHCP Relay not working after tunnel cycles
This sounds like it will end up being a software bug. I would start by upgrading to the latest release r26 and see if the issue is cleared or not. If it isn't you will need to check with JTAC support...
Re: SSG5 DHCP Relay not working after tunnel cycles
Ok, thanks. In this case, there is no support contract with the unit. The customer tried to renew support for them, but was told none was available because they are an EOL product. It doesn't look like...
ISG2000 High Availability issue
Hello experts, We have a deployment of CoreFirewalls ISG2000 x 2 in HA. Recently I observed that the backup unit is giving RED indication of HA LED. I don't know much about the HA config but it seems...
Re: ISG2000 High Availability issue
Hi, Please check the https://kb.juniper.net/InfoCenter/index?page=content&id=KB22874&cat=SCREENOS&actp=LIST for details on the HA LED. Can you paste the 'get nsrp' output from the device to...
Re: ISG2000 High Availability issue
Hi Vikas, Check the output. Also KB shows RED indication means inoperable state.
CORE-FIREWALL-1(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 9628416
active units...
Re: ISG2000 High Availability issue
Device seems to be in the inoperable state.
0 50 yes 3 no myself none 9693312(inoperable) 01:46:05
Can you please get the below details from both the devices, not only one:...
Re: ISG2000 High Availability issue
Hello Vikas, I don't see anything suspicious at the mentioned time as pasted below
CORE-FIREWALL-1(M)-> get event | include 01:46:05
2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 Phase 2 msg...
Re: ISG2000 High Availability issue
Hi, As I mentioned earlier please check the data from both the firewalls, NSRP config is not synchronized. From the current snippet, this firewall is Master and seems to be working fine however other...
Re: ISG2000 High Availability issue
Ok thanks, I will get the desired info and will share it for further troubleshooting.