Hi,
I've just deployed a number of SRX210s at several sites, and all are working well except one (of course). Our ISP has set up an IP VPN between our HQ and this particular remote site, so the SRX itself is only doing routing and VLAN termination for now; it does not terminate any IPsec tunnel.
What I'm seeing now is odd connection problems for certain applications. If I SSH from HQ to a switch behind the SRX at the remote site and run something that produces a lot of output, the SSH session hangs. For example, running "show configuration" on an EX switch behind the SRX kills the SSH session.
The second symptom is that thin clients and PCs behind the SRX that try to connect to our Citrix servers at HQ get connection-timeout errors. The tricky part is that they do actually connect to the servers and exchange some data; after a few seconds, right before the Citrix desktop would normally appear, the session hangs and eventually terminates with the error message.
I currently have 16 SRX210s deployed at different sites, all with pretty much the same configuration and running the same Junos version. This one is the only one with the problem. I've replaced the switch behind the SRX, but the problem remains.
The network topology is really simple:
HQ Network -- ISP IP VPN -- SRX210 -- Switch -- Computers running Citrix
The running configuration on the SRX210 (root password and domain name redacted) is:
/* Junos 11.4R5.5 -- an old release train. NOTE(review): check this release against
   Juniper's current security advisories before leaving it on an unattended remote site;
   the post says all 16 SRX210s run the same version, so any finding applies fleet-wide. */
version 11.4R5.5;
system {
host-name fw;
/* Domain name and search suffix are redacted in this listing. */
domain-name xxxx.local;
domain-search xxxx.local;
time-zone Europe/Stockholm;
ports {
/* A console session is torn down when the cable is unplugged, so a root shell is not
   left open on the console port. */
console log-out-on-disconnect;
}
/* Only the root credential is configured; no named login users appear in this listing.
   NOTE(review): management therefore presumably happens as root over SSH. Nothing
   below sets "root-login deny" under "services ssh", and the default for that statement
   allows root SSH login -- a named user with a login class plus "root-login deny" is the
   usual hardening. Confirm nothing else is configured outside this excerpt. */
root-authentication {
encrypted-password BLAH
}
/* Resolvers are on the 172.16.1.0 network, which is not local to this site, so DNS
   lookups from the box itself go over the VPN (presumably to HQ; confirm). */
name-server {
172.16.1.111;
172.16.1.112;
}
/* SSH is the only management service enabled (no J-Web, no telnet), which is right.
   NOTE(review): no "protocol-version" is pinned; whether this release still enables
   SSHv1 by default is not shown here -- setting "protocol-version v2" explicitly removes
   the question. */
services {
ssh;
}
/* Local logging only: "messages" gets critical-and-above plus authorization events.
   No security-flow / session log exists, and none of the security policies below has a
   "log" action, so what the SRX permitted or timed out is not recorded anywhere --
   a gap worth closing while chasing the stalled sessions. */
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 10;
/* License refresh over HTTPS to Juniper; reachable only via the VPN given the default
   route below. */
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
/* Time from three external servers by IP; no "authentication-key" is configured, so
   the time source is unauthenticated. NOTE(review): acceptable on a private VPN, but
   note it if the syslog timestamps are ever relied on as evidence. */
ntp {
boot-server 192.36.133.17;
server 192.36.133.17;
server 192.36.144.22;
server 192.36.134.17;
}
}
interfaces {
/* ge-0/0/0: uplink toward the ISP's IP VPN CE (172.19.127.1 is the default next hop
   below) and the only interface in security zone "ext". No "mtu" is set, so the
   platform default applies. NOTE(review): both reported symptoms -- SSH and Citrix
   sessions open fine, exchange small packets, then stall as soon as bulk data starts --
   are the classic signature of a path-MTU black hole across the provider VPN rather
   than a policy problem. Worth testing with a do-not-fragment ping of increasing size
   from behind the SRX toward HQ before touching anything else; if it is confirmed, an
   MSS clamp ("security flow tcp-mss all-tcp mss <value>") or a lower interface MTU is
   the usual remedy. Not verifiable from this listing alone. */
ge-0/0/0 {
unit 0 {
family inet {
address 172.19.127.2/29;
}
}
}
/* ge-0/0/1: 802.1Q trunk to the downstream switch carrying both site VLANs. */
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ ACCNET101 NETMGMT ];
}
}
}
}
/* Routed VLAN interfaces: vlan.50 is the NETMGMT (management) VLAN and vlan.101 the
   ACCNET101 (client) VLAN; both are placed in zone "int" below. */
vlan {
unit 50 {
family inet {
address 10.127.50.1/24;
}
}
unit 101 {
family inet {
address 10.127.101.1/24;
}
}
}
}
/* DHCP/BOOTP relay: broadcasts arriving on vlan.101 are unicast to 10.101.11.57.
   "relay-agent-option" inserts Option 82 so the server can identify the originating
   segment; the "vpn" flag is present as well. NOTE(review): 10.101.11.57 is not on any
   local subnet, so it is reached via the default route over the VPN -- presumably the
   HQ DHCP server; confirm. Only vlan.101 is listed, so the management VLAN gets no
   relay, which looks intentional. */
forwarding-options {
helpers {
bootp {
relay-agent-option;
server 10.101.11.57;
maximum-hop-count 10;
vpn;
interface {
vlan.101;
}
}
}
}
/* Single static default toward the ISP VPN CE; no dynamic routing on this box.
   Everything that is not 10.127.50/24 or 10.127.101/24 -- including any Internet-bound
   traffic from the site -- leaves via 172.19.127.1 over the VPN. */
routing-options {
static {
route 0.0.0.0/0 next-hop 172.19.127.1;
}
}
security {
flow {
/* NOTE(review): these two statements switch off the SRX's TCP state enforcement.
   "no-syn-check" lets a session be created by a non-SYN segment (e.g. a mid-stream
   ACK) and "no-sequence-check" stops out-of-window segments from being dropped. They
   are normally used to tolerate asymmetric routing; the side effect is that spoofed or
   replayed segments matching an existing 5-tuple are no longer rejected. If they were
   added while chasing this problem and did not help, they should come out again -- and
   the fact that disabling sequence checks did not cure the stall is itself evidence
   that the drops are not happening in the SRX session table. */
tcp-session {
no-syn-check;
no-sequence-check;
}
}
/* Policy set. None of the three policies logs sessions (no "log" action under
   "then"), so there is no record of what the SRX permitted or aged out. Adding
   "log { session-close; }" to the permit action would show the close reason for the
   stalled Citrix sessions. NOTE(review): ext->int permits every application from any
   VPN source to the whole 10.127.0.0/16; that is reasonable only if the provider VPN
   is trusted as an internal link, because the SRX adds no filtering for inbound
   traffic from HQ. */
policies {
/* Intra-zone: vlan.50 <-> vlan.101 is permitted in both directions without restriction. */
from-zone int to-zone int {
policy Remote-Offices {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Inbound from the VPN: any source, any application, to any 10.127.x.x address. */
from-zone ext to-zone int {
policy Remote-Offices {
match {
source-address any;
destination-address Internal-network;
application any;
}
then {
permit;
}
}
}
/* Outbound: only sources inside 10.127.0.0/16 may leave toward the VPN. */
from-zone int to-zone ext {
policy Remote-Offices {
match {
source-address Internal-network;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
/* Zone "ext" = the VPN-facing interface. Host-inbound services ping, traceroute, ssh
   and snmp are accepted from any source on the VPN. NOTE(review): no "snmp" stanza
   appears in this listing, so the snmp entry is an open host service with nothing
   behind it -- remove it or add the SNMP configuration. SSH from the VPN side is not
   restricted by source; a firewall filter on ge-0/0/0.0 would limit it to the HQ
   management subnet. */
security-zone ext {
host-inbound-traffic {
system-services {
ping;
traceroute;
ssh;
snmp;
}
}
interfaces {
ge-0/0/0.0;
}
}
/* Zone "int" = both routed VLANs. "Internal-network" is the /16 referenced by the
   policies above -- wider than the two /24s actually configured on this site.
   NOTE(review): "system-services all" opens every host service to the LAN side; ssh
   and the DHCP relay are the only things this listing shows in use, so an explicit
   list would be tighter. */
security-zone int {
address-book {
address Internal-network 10.127.0.0/16;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
vlan.101;
vlan.50;
}
}
}
}
/* VLAN definitions binding the trunk members on ge-0/0/1 to their routed interfaces. */
vlans {
ACCNET101 {
vlan-id 101;
l3-interface vlan.101;
}
NETMGMT {
vlan-id 50;
l3-interface vlan.50;
}
}
Any help would be much appreciated.