Screen OS

  • 1.  Routing in SSG320

    Posted 06-11-2008 02:08

    Hi all,

    I need some help with a routing issue in our new SSG320 (6.0.0.r5.0); all interfaces are in route mode. My setup is as follows: I have multiple WAN links coming in to 2 routers in the same zone as the SSG trust interface. If a server in the trust zone has the SSG as its default GW, then a client behind one of the WAN links is unable to create a session to the server (ping, traceroute etc. work fine). If I change the default route in that server to one of the other routers, everything works fine. I have specified all my networks in the SSG (addresses) and I have added the routes to the SSG with the correct gateway; it doesn't matter as far as I can see. The strange thing is that with our old firewall (NetScreen 204 v5.2.0r1.0) this setup worked fine. Anybody have any idea?

     

    Best regards

     

    Lennart Johansson 



  • 2.  RE: Routing in SSG320

    Posted 06-11-2008 02:31

    Hi Lelle,

    If I understand correctly the traffic is within the Trust zone? Have you checked if perhaps you have intra-zone blocking turned on?

    A quick way to see what is happening to the traffic when it reaches the firewall is to do a "debug flow basic" with filters if necessary (set ffilter).

     

    Hope this helps,

    Nadia



  • 3.  RE: Routing in SSG320

    Posted 06-11-2008 04:03

    Block intra-zone traffic is not enabled on the interface nor in the zone. debug tcp basic gives:

    ****** 2561915.0: <Trust/ethernet0/0> packet received [1456]******
      ipid = 55979(daab), @0504ab74
      packet passed sanity check.
      ethernet0/0:10.1.245.71/2447->192.121.194.70/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 47493
      tcp seq check.
      post addr xlation: 77.72.100.158->192.121.194.70.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561915.0: <Trust/ethernet0/0> packet received [532]******
      ipid = 55980(daac), @05033b74
      packet passed sanity check.
    flow got session.
      flow session id 48013
      tcp seq check.
      post addr xlation: 213.153.117.10->10.1.245.37.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561915.0: <Untrust/ethernet0/2> packet received [1500]******
      ipid = 58100(e2f4), @048dc374
      packet passed sanity check.
      ethernet0/2:194.14.33.50/80->77.72.100.158/23210,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 46650
      tcp seq check.
      post addr xlation: 194.14.33.50->10.1.244.25.
    ****** 2561915.0: <Untrust/ethernet0/2> packet received [1209]******
      ipid = 58101(e2f5), @048dfb74
      packet passed sanity check.
      ethernet0/2:194.14.33.50/80->77.72.100.158/23210,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 46650
      tcp seq check.
    151.197.227->10.255.254.10.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561916.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 17369(43d9), @0497eb74
      packet passed sanity check.
      ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 77.72.100.158->194.151.197.227.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561916.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 17378(43e2), @0496cb74
      packet passed sanity check.
      ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 77.72.100.158->194.151.197.227.
     flow_send_vector_, vid = 0, is_layer2_if=0
    s_layer2_if=0
    ****** 2561918.0: <Untrust/ethernet0/2> packet received [1420]******
      ipid = 13168(3370), @04bbe374
      packet passed sanity check.
      ethernet0/2:213.153.117.10/80->77.72.100.158/21291,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 46220
      tcp seq check.
      post addr xlation: 213.153.117.10->10.1.245.37.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561918.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 45992(b3a8), @04bc9b74
      packet passed sanity check.
      ethernet0/0:10.1.245.37/2548->213.153.117.10/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 46220
      tcp seq check.
      post addr xlation: 77.72.100.158->213.153.117.10.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561918.0: <Trust/ethernet0/0> packet received [40]******
    227->10.255.254.10.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561919.0: <Untrust/ethernet0/2> packet received [1492]******
      ipid = 31471(7aef), @04c77374
      packet passed sanity check.
      ethernet0/2:194.151.197.227/80->77.72.100.158/23733,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 194.151.197.227->10.255.254.10.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561919.0: <Untrust/ethernet0/2> packet received [68]******
      ipid = 28049(6d91), @04c8a374
      packet passed sanity check.
      ethernet0/2:65.54.228.51/1863->77.72.100.158/21331,6<Root>
      existing session found. sess token 6
      flow got session.
      flow session id 47683
      av/uf/voip checking.
      asp vector processing state: 2
    ASP inject packet from ethernet0/0
    255.254.10/2739->194.151.197.227/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 77.72.100.158->194.151.197.227.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561920.0: <Trust/ethernet0/0> packet received [48]******
      ipid = 4372(1114), @04d8d374
      packet passed sanity check.
      ethernet0/0:10.1.5.20/1904->192.168.16.101/1352,6<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/0>, out <N/A>
      chose interface ethernet0/0 as incoming nat if.
      flow_first_routing: in <ethernet0/0>, out <N/A>
      search route to (ethernet0/0, 10.1.5.20->192.168.16.101) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 44.route 192.168.16.101->10.1.5.4, to ethernet0/0
      routed (x_dst_ip 192.168.16.101) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/0
      policy search from zone 2-> zone 2
     policy_flow_search  policy search nat_crt from zone 2-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.16.101, port 1352, proto 6)
      No SW RPC rule match, search HW rule
    ion found. sess token 4
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 77.72.100.158->194.151.197.227.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561921.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 20074(4e6a), @04f3b374
      packet passed sanity check.
      ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
      existing session found. sess token 4
      flow got session.
      flow session id 46553
      tcp seq check.
      post addr xlation: 77.72.100.158->194.151.197.227.
     flow_send_vector_, vid = 0, is_layer2_if=0
    ****** 2561921.0: <Trust/ethernet0/0> packet received [40]******
      ipid = 20075(4e6b), @04f52374
      packet passed sanity check.
      ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
      existing session found. sess token 4
      flow got session.
    fw01-> get dbuf stream ?
    >                    redirect output
    |                    match output
    <return>
    all                  from all slots
    <number>             percentage offset of debug buffer(0-99)
    fw01-> get dbuf stream |10.1.5.107
                           ^-------------invalid number |10.1.5.107
    fw01-> get dbuf stream | ?
    exclude              exclude pattern
    include              include pattern
    fw01-> get dbuf stream | in
    include              include pattern
    fw01-> get dbuf stream | include ?
    <string>             regular expression
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
      ethernet0/0:10.1.5.107/1024->10.3.1.163/18432,1(0/0)<Root>
      search route to (ethernet0/0, 10.1.5.107->10.3.1.163) in vr trust-vr for vsd-0/flag-0/ifp-null
      search route to (ethernet0/0, 10.3.1.163->10.1.5.107) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
      [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
      route to 10.1.5.107
      arp entry found for 10.1.5.107
      post addr xlation: 10.1.5.107->10.3.1.163.
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
      ethernet0/0:10.1.5.107/3815->10.12.1.25/80,6, 5004(rst)<Root>
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
      ethernet0/0:10.1.5.107/3389->10.3.1.163/1998,6<Root>
    **** jump to packet:10.3.1.163->10.1.5.107
      flow_ip_send: 5f76:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
      search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
      [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
      route to 10.1.5.107
      arp entry found for 10.1.5.107 mac 0019bb253ca5
    fw01-> get dbuf stream | include 10.1.5.107
    fw01->
    fw01-> get dbuf stream | include 10.1.5.107
      ethernet0/0:10.1.5.107/3835->10.22.1.25/80,6, 5004(rst)<Root>
    fw01-> get dbuf stream | include 10.1.5.107
    fw01->
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
    fw01-> get dbuf stream | include 10.1.5.107
      ethernet0/0:10.1.5.107/3389->10.3.1.163/1999,6<Root>
    **** jump to packet:10.3.1.163->10.1.5.107
      flow_ip_send: 5b55:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
      search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
      [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
      route to 10.1.5.107
      arp entry found for 10.1.5.107 mac 0019bb253ca5
    fw01-> get dbuf stream | include 10.1.5.107
    fw01->

     

    Where the client has 10.3.1.163 and the server has 10.1.5.107, and I'm trying to use RDP (TCP 3389).

    Any suggestions?

    Best regards

     

    Lelle 



  • 4.  RE: Routing in SSG320

    Posted 06-11-2008 04:22

    Sorry for my last post, I didn't notice how much I pasted in, but here is some debug output.

    Now I'm trying to RDP to 10.1.5.107 and this is what is getting caught in my filter:

     

    **** jump to packet:10.3.1.163->10.1.5.107
      skipping pre-frag
      no more encapping needed
      send out through normal path.
      flow_ip_send: d941:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
      no l2info for packet.
      no route for packet
      search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
      [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
      route to 10.1.5.107
      arp entry found for 10.1.5.107 mac 0019bb253ca5
      **** pak processing end.
      packet dropped, first pak not sync
     ******************************END DEBUG**************

     

    I have disabled "If TCP non SYN, send RESET back" in the trust zone; it didn't help.

     

    Best regards

     

    Lelle 



  • 5.  RE: Routing in SSG320

    Posted 06-11-2008 04:51

    Hi,

     

    Can you clarify your topology for me?



  • 6.  RE: Routing in SSG320
    Best Answer

    Posted 06-11-2008 04:55

    Looking at your last debug, the message "packet dropped, first pak not sync" refers to the fact that the first packet received for this tcp session is not a SYN packet so it is getting dropped.

    Do you have the following command in your configuration: "set flow tcp-syn-check"?

     

    Thanks,

    Nadia
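An added illustration, not from the thread or from Juniper, of why the SYN check fires in the topology described in the first post: the client's SYN enters the trust segment through the second WAN router and never crosses the SSG, while the server's SYN-ACK goes to its default gateway (the SSG), so the first packet of the flow the firewall sees is a SYN-ACK. The toy `Firewall` class and its one-line log messages are a simplified model of ScreenOS session creation (an assumption, not the real implementation); host addresses and ports are taken from the debug output above.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"     # "tcp" or "icmp"
    flags: str = "SYN"     # TCP flags: "SYN", "SYN-ACK", "ACK"; unused for icmp

@dataclass
class Firewall:
    """Minimal stateful forwarder (toy model): a session is created by the
    first packet of a flow; with tcp_syn_check on, a TCP flow may only start
    with a SYN. Mirrors 'set flow tcp-syn-check' / 'unset flow tcp-syn-check'."""
    tcp_syn_check: bool = True
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, p: Packet) -> bool:
        # direction-independent flow key, so a reply matches its request
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)])) + (p.proto,)
        if key in self.sessions:
            self.log.append("existing session found")
            return True
        if p.proto == "tcp" and self.tcp_syn_check and p.flags != "SYN":
            self.log.append("packet dropped, first pak not sync")  # message seen in the thread
            return False
        self.sessions.add(key)
        self.log.append("session created")
        return True

CLIENT, SERVER = "10.3.1.163", "10.1.5.107"   # hosts from the debug output

def rdp_handshake(fw: Firewall, server_gw_is_firewall: bool = True) -> bool:
    """Client SYN to TCP/3389 reaches the server via the second WAN router on
    the same trust segment, so the firewall never sees it. The server's
    SYN-ACK follows its default gateway: the firewall (asymmetric path) or
    that router (symmetric path, the workaround from the first post)."""
    synack = Packet(SERVER, 3389, CLIENT, 1998, flags="SYN-ACK")
    if not server_gw_is_firewall:
        return True                 # reply bypasses the firewall too; handshake completes
    return fw.forward(synack)       # first packet the firewall sees is a SYN-ACK

def ping(fw: Firewall) -> bool:
    """ICMP carries no SYN, so the asymmetric echo reply passes even with the
    check on, which is why ping and traceroute worked while RDP did not."""
    return fw.forward(Packet(SERVER, 0, CLIENT, 0, proto="icmp"))
```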



  • 7.  RE: Routing in SSG320

    Posted 06-11-2008 12:46

    That did the trick, thanks a lot for your time, help and effort

     

    Best regards

    (from a much happier)

     

    Lennart Johansson

    Message Edited by Lelle on 06-11-2008 12:48 PM


  • 8.  RE: Routing in SSG320

    Posted 08-13-2008 07:20

    Hi Nadia, 

     

    Is there another way to solve this problem besides unset flow tcp-syn-check? How do I explain this problem to the user?

     

    Software issue? 

     

    Thanks

     

    Regards,

     

    Steven Hoo



  • 9.  RE: Routing in SSG320

    Posted 03-08-2009 08:25

    I want to know why the first packet received for this TCP session is not a SYN packet.

     

    Could anybody explain it?

     

    thanks!