Screen OS

  • 1.  RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-26-2012 13:24

    Hello.

    Struggling - actually fully in the weeds - attempting to get this replacement firewall to work. I'll attach the new SSG5 .cfg file and the one from the existing 5GT, which works fine. I have been preening this file compared to the 5GT, using gateway addresses, etc., and I am aware of interface naming changes, etc., to no avail.

    I need fresh eyes on this, please. I'm connecting to a 6MB DSL line from DSL Extreme, if that matters.

    The issue: when connected fully to my LAN, or even singularly via ethernet 0/2, I cannot get "out". DNS fails, clearly it isn't happening. I have defaulted this device multiple times, using the Wizard as well as manual entry.

    thanks

    Attachment(s): moat_config_txt.txt (10 KB)


  • 2.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

     
    Posted 05-27-2012 00:42

    As you mentioned the DNS fails, I could see the following difference in the DNS config:

    set interface trust dhcp server option dns2 216.146.35.35
    set interface trust dhcp server option dns3 208.67.222.222

    The above two DNS IPs are missing from the SSG 5's DHCP config. So please try including these as well.

    A few other things that you could test are:

    1. Try pinging the gateway from the firewall.
    2. Try pinging the DNS server IPs you see on the LAN machines to verify the connectivity.

    Sarab [ JNCIS-FWV , JNCIA-SEC , CCIP , CCSA ]
    ------------------------------------------------------------------------------------
    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]



  • 3.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-27-2012 08:56

    This had no impact. Still cannot ping or get out to the Internet.



  • 4.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

     
    Posted 05-27-2012 01:38

    I don't see any routes defined, but you have defined a gateway on the untrust interface. Check if there is a route to 0.0.0.0 in your destination routing table. If there isn't, just add it as described here: KB5712

    Steve



  • 5.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-27-2012 09:00

    Hello.

    There is a route according to the web GUI, please see attached. I just took another snap of the .cfg.

    I cannot ping anything outside of my LAN with the new SSG 5 in place. I drop the 5GT back in and it all works.



  • 6.  RE: RESOLVED: SSG 5 as replacement for 5GT not working
    Best Answer

     
    Posted 05-27-2012 09:37

    Could you please try pinging your gateway from the firewall itself. If this is not pinging, then please try to clear the ARP on the upstream device, as it might have the previous cached MAC.


  • 7.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-27-2012 09:56

    OK, I did what you requested and no, I cannot ping the ISP's gateway from a telnet session on the SSG5.

    With the 5GT in place, it pings properly.

    As I am dealing with an ISP, I have no access to their system admins to request an ARP cache flush. Are you telling me this is the only solution?



  • 8.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

     
    Posted 05-27-2012 10:38

    Looking at the screenshot of the routing table I noticed that the default route (0.0.0.0) isn't active. Also the routes on the untrust interface are inactive. Are you sure the ethernet0/0 interface is up?

    Steve



  • 9.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-27-2012 10:41

    Yes, I took those shots with the device offline.

    When connected they are all up.

    I am pretty sure the issue is as the Juniper employee said - my ISP (like many) caches MAC addresses.

    So I must wait out the DHCP lease (60 minutes) and then, as the MAC will be different, I'll get a new lease with a new IP.

    Right now, I can connect, but as the MAC is different their server will not issue a new DHCP lease.

    Stand by. Thank you for your reply.
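
    The checks suggested in the replies above (active default route, ping the gateway from the firewall itself, ARP state, and the upstream MAC/lease binding that turned out to be the cause), collected into one ScreenOS CLI sequence. This is an added example, not a command listing posted in the thread. It assumes the SSG 5 factory interface names (ethernet0/0 in the Untrust zone running the DHCP client, bgroup0 in the Trust zone); 192.0.2.1 stands in for the ISP gateway and the `<resolver>` values for the DNS addresses, all of which are placeholders you replace with what `get dhcp client` and your ISP give you.

```text
# Added example: ScreenOS CLI checks for an SSG 5 that replaced a 5GT and
# cannot reach the Internet. Assumed names: ethernet0/0 = Untrust (DHCP
# client), bgroup0 = Trust. 192.0.2.1 is a placeholder for the ISP gateway.

# 1. Is the untrust interface up, and did it receive a lease at all?
get interface ethernet0/0
get dhcp client

# 2. Is there an *active* default route? In "get route" output a leading "*"
#    marks an active route; a 0.0.0.0/0 entry without it is what the
#    screenshot showed (interface down or next hop unresolved).
get route
get route ip 8.8.8.8            # which route an outside address would take

# 3. Can the firewall itself reach the next hop? Source the ping from the
#    untrust interface so no policy or NAT is involved.
ping 192.0.2.1 from ethernet0/0

# 4. Check ARP on the firewall. An incomplete entry for the gateway means the
#    upstream device is not answering this MAC. Clearing the firewall's own
#    table only helps you re-test; the cache you cannot clear is the ISP's.
get arp
clear arp

# 5. Upstream MAC/lease binding (the actual cause in this thread): release and
#    renew instead of waiting the lease out. Best done on the old 5GT *before*
#    unplugging it, so the ISP's lease is freed for the new MAC.
exec dhcp client ethernet0/0 release
exec dhcp client ethernet0/0 renew
get dhcp client

# 6. Only once the firewall can reach the Internet, give LAN hosts resolvers.
#    These are the dns2/dns3 options Sarab found missing, written against the
#    SSG 5's trust interface name rather than the 5GT's "trust".
set interface bgroup0 dhcp server option dns1 <resolver1>
set interface bgroup0 dhcp server option dns2 <resolver2>
set interface bgroup0 dhcp server option dns3 <resolver3>
save
```

    The order matters for the diagnosis: steps 1 to 3 separate a configuration problem on the firewall (no route, interface down) from a problem on the far side of the cable; step 4 distinguishes "gateway unreachable" from "gateway refuses this MAC"; step 5 is the fix when, as here, the ISP's DHCP server or DSLAM still holds the lease for the old device's MAC address.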



  • 10.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-28-2012 10:55

    Thank you Sarab for pointing me at my ISP - the issue was indeed their caching of the MAC address.

    The firewall is online.

    I appreciate everyone's assistance.

    regards,

    patrick



  • 11.  RE: RESOLVED: SSG 5 as replacement for 5GT not working

    Posted 05-27-2012 09:11

    I attach the most recent .cfg.

    What am I missing? Other than the change in semantics between the two firewalls (no longer using trust and untrust in the actual configuration files) these are not grossly different.

    I am running the latest version of the OS: ssG5ssG20.6.3.0r11.0

    Is there some exotic order these commands must use in order to make it work?

    I see a route defined in the web GUI that is exactly a duplicate of the existing 5GT.

    ?

    Attachment(s): 5SSG-latest.txt (4 KB)