10-20-2008 02:01 AM
10-20-2008 02:06 AM
Just to clear this issue, I noticed a major problem: I was unable to ping my default route, which resides on the untrust side. I was unable to test from the other side to the firewall since the responsible guy was not available.
set route 0.0.0.0/0 interface ethernet2/1.2 gateway 211.X.X.77
I was unable to ping 211.X.X.77.
The interface is up.
10-20-2008 04:42 AM
Hi
Just a few questions.
1. Have you upgraded your bootloader before upgrading the ScreenOS version?
2. Which version of 5.4 have you upgraded to?
Regards
Hans
10-20-2008 04:52 AM
Thank you so much for replying. Actually, I didn't upgrade the bootloader! I didn't know that I needed to do that. Here is the version I upgraded to:
nsISG2000.5.4.0-IDP1.r8a.0.zip
Can you please guide me through this issue? I will also check myself for it.
And another question: if the bootloader is not upgraded, what is the effect on the firewall, taking into consideration that I can boot and log in to it successfully?
10-20-2008 05:31 AM
Hi Arzo
The first thing to do is issue the following command from the CLI - "get envar" - here you should be able to see your bootloader version. It should be 1.1.5; otherwise you have to upgrade the bootloader.
You can find the release notes by following the link below:
http://www.juniper.net/techpubs/software/screenos/
I have attached the release notes from 5.4.0r9; they describe the upgrade sequence of the bootloader.
Regards
Hans
10-20-2008 05:39 AM
Hi Arzo
For some reason I am not able to attach the release notes.
Hope you can find them through the link I sent you.
Regards
Hans
10-20-2008 05:43 AM
Hi Arzo
To answer your question:
"And another question: if the bootloader is not upgraded, what is the effect on the firewall, taking into consideration that I can boot and log in to it successfully?"
You can normally boot even though the bootloader is the wrong version, but it can make the firewall unstable.
Regards
Hans
10-20-2008 05:56 AM
Thanks a lot for your kind help. Well, I have 2 firewalls there. I checked the active one, which is still 5.0; it had the 1.1.5 bootloader, which is the recommended one. Now we are checking the backup one with 5.4 and the problem; mostly it's the same, hopefully not.
Active Firewall
get envar
default_image=nsISG2000.5.0.0-IDP1.r10a.4
run_image=default (nsISG2000.5.0.0-IDP1.r10a.4)
loader_version=1.1.5
last_reset=2007-10-05 10:19:48 by root
sme=
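The `get envar` check discussed above can be scripted when more than one unit has to be compared before an upgrade. The following is an added example, not part of the original posts and not Juniper code: the function names are hypothetical, the BACKUP output is constructed, and treating 1.1.5 as a minimum rather than an exact match is an assumption.

```python
import re

REQUIRED_LOADER = (1, 1, 5)  # version named in the thread; used as a minimum (assumption)

def parse_envar(text):
    """Parse `get envar` output into a dict; empty values such as 'sme=' become ''."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            env[key] = value.strip()
    return env

def running_image(env):
    """Resolve run_image, which may read 'default (<image name>)'."""
    m = re.fullmatch(r"default \((.+)\)", env.get("run_image", ""))
    return m.group(1) if m else env.get("run_image") or env.get("default_image", "")

def loader_ok(env, required=REQUIRED_LOADER):
    """True only if loader_version is present, numeric and >= required."""
    raw = env.get("loader_version", "")
    if not re.fullmatch(r"\d+(\.\d+)*", raw):
        return False  # missing or malformed: treat as not verified
    return tuple(int(p) for p in raw.split(".")) >= required

def audit(devices):
    """Return {name: (image, loader_version, ok)} for each unit's output."""
    report = {}
    for name, text in devices.items():
        env = parse_envar(text)
        report[name] = (running_image(env), env.get("loader_version", ""), loader_ok(env))
    return report

# Output of the active firewall as posted in the thread
ACTIVE = """default_image=nsISG2000.5.0.0-IDP1.r10a.4
run_image=default (nsISG2000.5.0.0-IDP1.r10a.4)
loader_version=1.1.5
last_reset=2007-10-05 10:19:48 by root
sme="""

# Constructed sample (not from the thread): upgraded unit with an older loader
BACKUP = """default_image=nsISG2000.5.4.0-IDP1.r8a.0
run_image=default (nsISG2000.5.4.0-IDP1.r8a.0)
loader_version=1.1.4
sme="""

if __name__ == "__main__":
    for name, row in audit({"active": ACTIVE, "backup": BACKUP}).items():
        print(name, *row)
```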
10-20-2008 07:39 AM
10-20-2008 10:10 AM
Hi
I haven't heard of any problems upgrading to bootloader 1.1.6 in this case, but I doubt that it will solve your problems.
If you choose to upgrade the bootloader then why not take the step to ScreenOS 6.1.0? It should give a considerable performance boost and a lot of new features.
Of course there can be issues that make you choose to stay on ScreenOS 5.4.
As it seems that you have the right bootloader installed I would maybe choose to investigate the issue more thoroughly and try to do some debugging.
If you make a flow filter with the source in the trust zone and the destination in another zone and then do a debug flow basic, you can see what happens when you try to initiate traffic across the zones. This might give you a hint as to what the problem is.
If you can't find the cause of the problem I think the best path would be to open a case with JTAC. A good thing to have when you start a JTAC case is the output from the following commands:
Get tech
Get log sys
Get log sys saved
Get session info
Get perf cpu all detail
Get perf session detail
Get mem
Get mem chunk
Get os task
Get net-pak s
Get socket
Get pport
Get gate
Get sess frag
Get gbic
Get tcp
Get int
Get event (last few pages)
It's a lot of output but my experience is that it makes the time to solve the cases shorter.
Regards
Hans