11-04-2008 11:33 AM
Hi! My company is primarily a Checkpoint firewall shop but we have set up a Juniper SA 6000 box for SSL Remote access from home. Many of the servers our techie's support are not directly routable on our internal LAN - instead the techies set up an SSL VPN (using Checkpoint's SSL Extender product) from their laptops to a "portal" firewall and then traffic to production servers is routed over the VPN. So if they need to do support from home, they first https across the Internet to the SA 6000 to set up the Juniper VPN. Then they https through the Juniper VPN to the Checkpoint portal in order to get to the servers they need to support. Sounds kind of wonky but it works for most people most of the time
One recent issue was a techy who was connected for a few hours doing his job, then he connected to a Sybase server over TCP port 5000 and executed a SQL statement. When he did this the Juniper VPN disconnected him (the Checkpoint SSL VPN was still up as it showed errors in the log taht it couldn't reach the firewall). The user forced a disconnect of the Checkpoint SSL product, reconnected to the Juniper SA 6000, reconnected to the Checkpoint SSL VPN, and was able to do his Sybase stuff without any more hitches.
When looking in the SA 6000 logs, the disconnect message says...
Host Checker policy 'Host Checker Connection Control' failed on host xx.xx.xx.xxx for user 'Joe Tech'. Reason: 'Firewall Not Running and Shutdown by End User'
Frankly, I don't think that's really true. Our Host Checking policy is set to look for the standard Windows XP firewall. It was obviously turned on when he first connected (or he wouldn't have been able to get into the Juniper remote access in the first place - I've tested it myself by turning off the Windows Firewall on my laptop and this causes the Juniper host check to fail). I've seen this 'Firewall Not Running and Shutdown by End User' scattered through the Juniper logs for other users. Is this an issue with the Juniper host checking? Is something really shutting down the Windows firewall for a split second?
Our SA 6000 is running 6.3R1-1 (build 13563). We have from 50-70 concurrent users at any one time.
11-05-2008 08:34 AM
Upon further investigation, the problem of Juniper dropping happens when the old isql/w program is run. isql/w is a utility that came with Microsoft SQL 6.5 that used to view remote databases. I could not obtain a copy of isql/w itself but I downloaded the free Eisql/w from here: http://www.imranweb.com/freesoft.htm
You will also need to have NTWDBLIB.DLL on your machine (obtainable from here: http://www.dlllab.com/ntwdblib.dll_download.html )
So if I connect to the Juniper SA and then try to connect to a database via EiSQL/W, there will be a long pause and then Juniper will disconnect. If I restart Juniper and try again, then Juniper won't disconnect again. If I reboot my machine and try starting EiSQL/W first (but don't try to connect) and then connect to Juniper, Juniper will still drop when I try to connect to a database. I'm thinking it's an issues between the Juniper SSL client and the NTWDBLIB.DLL