ScreenOS Firewalls (NOT SRX)
Contributor
Lelle
Posts: 18
Registered: ‎06-10-2008
0
Accepted Solution

Routing in SSG320

Hi all,

I need some help with a routing issue in our new SSG320 (6.0.0.r5.0); all interfaces are in route mode. My setup is as follows: I have multiple WAN links coming in to 2 routers in the same zone as the SSG trust interface. If a server in the trust zone has the SSG as default GW, then a client behind one of the WAN links is unable to create a session to the server (ping, traceroute etc. work fine); if I change the default route in that server to one of the other routers, everything works fine. I have specified all my networks in the SSG (addresses) and I have added the routes to the SSG with the correct gateway; it doesn't matter as far as I can see. The strange thing is that with our old firewall (NetScreen 204 v5.2.0r1.0) this setup worked fine. Anybody have any idea?


Best regards


Lennart Johansson 

Super Contributor
Nadia
Posts: 94
Registered: ‎11-06-2007
0

Re: Routing in SSG320

Hi Lelle,

If I understand correctly the traffic is within the Trust zone? Have you checked if perhaps you have intra-zone blocking turned on?

A quick way to see what is happening to the traffic when it reaches the firewall is to do a "debug flow basic" with filters if necessary (set ffilter).


Hope this helps,

Nadia

Contributor
Lelle
Posts: 18
Registered: ‎06-10-2008
0

Re: Routing in SSG320

Block intra-zone traffic is not enabled on the interface nor in the zone. debug tcp basic gives:

****** 2561915.0: <Trust/ethernet0/0> packet received [1456]******
  ipid = 55979(daab), @0504ab74
  packet passed sanity check.
  ethernet0/0:10.1.245.71/2447->192.121.194.70/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 47493
  tcp seq check.
  post addr xlation: 77.72.100.158->192.121.194.70.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561915.0: <Trust/ethernet0/0> packet received [532]******
  ipid = 55980(daac), @05033b74
  packet passed sanity check.
flow got session.
  flow session id 48013
  tcp seq check.
  post addr xlation: 213.153.117.10->10.1.245.37.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561915.0: <Untrust/ethernet0/2> packet received [1500]******
  ipid = 58100(e2f4), @048dc374
  packet passed sanity check.
  ethernet0/2:194.14.33.50/80->77.72.100.158/23210,6<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 46650
  tcp seq check.
  post addr xlation: 194.14.33.50->10.1.244.25.
****** 2561915.0: <Untrust/ethernet0/2> packet received [1209]******
  ipid = 58101(e2f5), @048dfb74
  packet passed sanity check.
  ethernet0/2:194.14.33.50/80->77.72.100.158/23210,6<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 46650
  tcp seq check.
151.197.227->10.255.254.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561916.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 17369(43d9), @0497eb74
  packet passed sanity check.
  ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 77.72.100.158->194.151.197.227.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561916.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 17378(43e2), @0496cb74
  packet passed sanity check.
  ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 77.72.100.158->194.151.197.227.
 flow_send_vector_, vid = 0, is_layer2_if=0
s_layer2_if=0
****** 2561918.0: <Untrust/ethernet0/2> packet received [1420]******
  ipid = 13168(3370), @04bbe374
  packet passed sanity check.
  ethernet0/2:213.153.117.10/80->77.72.100.158/21291,6<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 46220
  tcp seq check.
  post addr xlation: 213.153.117.10->10.1.245.37.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561918.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 45992(b3a8), @04bc9b74
  packet passed sanity check.
  ethernet0/0:10.1.245.37/2548->213.153.117.10/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 46220
  tcp seq check.
  post addr xlation: 77.72.100.158->213.153.117.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561918.0: <Trust/ethernet0/0> packet received [40]******
227->10.255.254.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561919.0: <Untrust/ethernet0/2> packet received [1492]******
  ipid = 31471(7aef), @04c77374
  packet passed sanity check.
  ethernet0/2:194.151.197.227/80->77.72.100.158/23733,6<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 194.151.197.227->10.255.254.10.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561919.0: <Untrust/ethernet0/2> packet received [68]******
  ipid = 28049(6d91), @04c8a374
  packet passed sanity check.
  ethernet0/2:65.54.228.51/1863->77.72.100.158/21331,6<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 47683
  av/uf/voip checking.
  asp vector processing state: 2
ASP inject packet from ethernet0/0
255.254.10/2739->194.151.197.227/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 77.72.100.158->194.151.197.227.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561920.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 4372(1114), @04d8d374
  packet passed sanity check.
  ethernet0/0:10.1.5.20/1904->192.168.16.101/1352,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.1.5.20->192.168.16.101) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 44.route 192.168.16.101->10.1.5.4, to ethernet0/0
  routed (x_dst_ip 192.168.16.101) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/0
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.16.101, port 1352, proto 6)
  No SW RPC rule match, search HW rule
ion found. sess token 4
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 77.72.100.158->194.151.197.227.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561921.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 20074(4e6a), @04f3b374
  packet passed sanity check.
  ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
  existing session found. sess token 4
  flow got session.
  flow session id 46553
  tcp seq check.
  post addr xlation: 77.72.100.158->194.151.197.227.
 flow_send_vector_, vid = 0, is_layer2_if=0
****** 2561921.0: <Trust/ethernet0/0> packet received [40]******
  ipid = 20075(4e6b), @04f52374
  packet passed sanity check.
  ethernet0/0:10.255.254.10/2739->194.151.197.227/80,6<Root>
  existing session found. sess token 4
  flow got session.
fw01-> get dbuf stream ?
>                    redirect output
|                    match output
<return>
all                  from all slots
<number>             percentage offset of debug buffer(0-99)
fw01-> get dbuf stream |10.1.5.107
                       ^-------------invalid number |10.1.5.107
fw01-> get dbuf stream | ?
exclude              exclude pattern
include              include pattern
fw01-> get dbuf stream | in
include              include pattern
fw01-> get dbuf stream | include ?
<string>             regular expression
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
  ethernet0/0:10.1.5.107/1024->10.3.1.163/18432,1(0/0)<Root>
  search route to (ethernet0/0, 10.1.5.107->10.3.1.163) in vr trust-vr for vsd-0/flag-0/ifp-null
  search route to (ethernet0/0, 10.3.1.163->10.1.5.107) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
  route to 10.1.5.107
  arp entry found for 10.1.5.107
  post addr xlation: 10.1.5.107->10.3.1.163.
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
  ethernet0/0:10.1.5.107/3815->10.12.1.25/80,6, 5004(rst)<Root>
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
  ethernet0/0:10.1.5.107/3389->10.3.1.163/1998,6<Root>
**** jump to packet:10.3.1.163->10.1.5.107
  flow_ip_send: 5f76:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
  search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
  [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
  route to 10.1.5.107
  arp entry found for 10.1.5.107 mac 0019bb253ca5
fw01-> get dbuf stream | include 10.1.5.107
fw01->
fw01-> get dbuf stream | include 10.1.5.107
  ethernet0/0:10.1.5.107/3835->10.22.1.25/80,6, 5004(rst)<Root>
fw01-> get dbuf stream | include 10.1.5.107
fw01->
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
fw01-> get dbuf stream | include 10.1.5.107
  ethernet0/0:10.1.5.107/3389->10.3.1.163/1999,6<Root>
**** jump to packet:10.3.1.163->10.1.5.107
  flow_ip_send: 5b55:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
  search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
  [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
  route to 10.1.5.107
  arp entry found for 10.1.5.107 mac 0019bb253ca5
fw01-> get dbuf stream | include 10.1.5.107
fw01->


where the client is 10.3.1.163 and the server is 10.1.5.107, and I'm trying to use RDP (TCP 3389).

Any suggestions?

Best regards


Lelle 

Contributor
Lelle
Posts: 18
Registered: ‎06-10-2008
0

Re: Routing in SSG320

Sorry for my last post, I didn't notice how much I pasted in. But here is some debug output.

Now I'm trying to RDP to 10.1.5.107 and this is what is getting caught in my filter:


**** jump to packet:10.3.1.163->10.1.5.107
  skipping pre-frag
  no more encapping needed
  send out through normal path.
  flow_ip_send: d941:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
  no l2info for packet.
  no route for packet
  search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
  [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
  route to 10.1.5.107
  arp entry found for 10.1.5.107 mac 0019bb253ca5
  **** pak processing end.
  packet dropped, first pak not sync
 ******************************END DEBUG**************


I have disabled "If TCP non SYN, send RESET back" in the trust zone; it didn't help.


Best regards


Lelle 
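As an added example that is not part of this thread: a small Python parser for "debug flow basic" dumps like the ones pasted above. It runs on a constructed sample modelled on the thread's output and pulls out, per packet, the ingress zone/interface, the 5-tuple, whether a session already existed, and any "packet dropped" reason, so a "first pak not sync" drop stands out in a long capture.

```python
import re

# Constructed sample, modelled on the debug flow basic output in this thread.
SAMPLE = """\
****** 2561920.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 4372(1114), @04d8d374
  packet passed sanity check.
  ethernet0/0:10.1.5.20/1904->192.168.16.101/1352,6<Root>
  no session found
****** 2561921.0: <Trust/ethernet0/0> packet received [40]******
  packet passed sanity check.
  ethernet0/0:10.3.1.163/1998->10.1.5.107/3389,6<Root>
  no session found
  packet dropped, first pak not sync
****** 2561922.0: <Untrust/ethernet0/2> packet received [1420]******
  ethernet0/2:213.153.117.10/80->77.72.100.158/21291,6<Root>
  existing session found. sess token 6
  flow session id 46220
"""

# Record header: "****** <ts>: <Zone/interface> packet received [len]******"
HDR = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/]+)/(?P<ifc>[^>]+)> packet received \[(?P<len>\d+)\]")
# 5-tuple line: "  ethernet0/0:src/sport->dst/dport,proto<Root>"
TUPLE = re.compile(r"^\s*\S+:(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
DROP = re.compile(r"^\s*packet dropped, (?P<reason>.+)")

def parse_flow_debug(text):
    """Return one dict per packet record found in a debug flow basic dump."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = dict(m.groupdict(), session=None, drop=None)
            records.append(cur)
        elif cur is None:
            continue                      # text before the first record
        elif m := TUPLE.match(line):
            cur.update(m.groupdict())
        elif m := DROP.match(line):
            cur["drop"] = m.group("reason").strip()
        elif "no session found" in line:
            cur["session"] = "new"
        elif "existing session found" in line:
            cur["session"] = "existing"
    return records

def drops(records):
    """(src, dst, dport, reason) for every packet the firewall dropped."""
    return [(r.get("src"), r.get("dst"), r.get("dport"), r["drop"])
            for r in records if r["drop"]]

if __name__ == "__main__":
    for src, dst, dport, why in drops(parse_flow_debug(SAMPLE)):
        print(f"DROP {src}->{dst}:{dport}  reason: {why}")
```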

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Routing in SSG320

Hi,


Can you clarify your topology for me?

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Super Contributor
Nadia
Posts: 94
Registered: ‎11-06-2007
0

Re: Routing in SSG320

Looking at your last debug, the message "packet dropped, first pak not sync" refers to the fact that the first packet received for this TCP session is not a SYN packet, so it is getting dropped.

Do you have the following command in your configuration: "set flow tcp-syn-check"?


Thanks,

Nadia

Contributor
Lelle
Posts: 18
Registered: ‎06-10-2008
0

Re: Routing in SSG320


That did the trick, thanks a lot for your time, help and effort


Best regards

(from a much happier)


Lennart Johansson

Message Edited by Lelle on 06-11-2008 12:48 PM
New User
steven_hoo
Posts: 1
Registered: ‎08-13-2008
0

Re: Routing in SSG320

Hi Nadia, 


Is there another way to solve this problem besides "unset flow tcp-syn-check"? How do I explain this problem to the user?


Software issue? 


Thanks


Regards,


Steven Hoo

Contributor
littlezip
Posts: 98
Registered: ‎01-09-2009
0

Re: Routing in SSG320

I want to know why the first packet received for this TCP session is not a SYN packet.


Could anybody explain it?


Thanks!
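The mechanism behind Nadia's "set flow tcp-syn-check" answer and littlezip's question, as an added example that is not part of this thread and not ScreenOS code: a toy stateful firewall in Python run over the topology described in the first post (client 10.3.1.163 behind a WAN router on the trust LAN, server 10.1.5.107 on the same LAN with the SSG as its default gateway). The topology and the simplified session tracking are assumptions modelled on the posts; the three runs show the drop with syn-check on, and the two remedies the thread mentions (turning syn-check off, or pointing the server's default route at the router so the path is symmetric).

```python
# Added example (not ScreenOS code): toy model of the asymmetric path the
# thread describes. Addresses are taken from the posts above; the topology
# and session-tracking behaviour are assumptions that simplify a real firewall.
from dataclasses import dataclass

CLIENT, SERVER = "10.3.1.163", "10.1.5.107"   # from the thread

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    """Sessions are keyed on the unordered host pair. With syn_check on
    (the 'set flow tcp-syn-check' behaviour), only a SYN may create one."""
    def __init__(self, syn_check: bool):
        self.syn_check = syn_check
        self.sessions = set()
        self.log = []

    def forward(self, p: Pkt) -> bool:
        key = frozenset((p.src, p.dst))
        if key in self.sessions:
            self.log.append(f"{p.src}->{p.dst} {p.flags}: existing session found")
            return True
        if self.syn_check and p.flags != "SYN":
            self.log.append(f"{p.src}->{p.dst} {p.flags}: packet dropped, first pak not sync")
            return False
        self.sessions.add(key)
        self.log.append(f"{p.src}->{p.dst} {p.flags}: no session found, session created")
        return True

def handshake(server_gw_is_firewall: bool, syn_check: bool):
    """Simulate the three-way handshake over the thread's topology.
    The client's packets arrive through the WAN router, which sits on the
    same LAN as the server, so they never cross the firewall. The server's
    replies cross the firewall only when the firewall is its default GW."""
    fw = StatefulFirewall(syn_check)
    # 1. SYN from client: the router delivers it to the server directly.
    # 2. SYN-ACK from server: follows the server's default route.
    if server_gw_is_firewall and not fw.forward(Pkt(SERVER, CLIENT, "SYN-ACK")):
        return False, fw.log          # client never receives the SYN-ACK
    # 3. ACK from client: again via the router, firewall not involved.
    return True, fw.log

if __name__ == "__main__":
    for gw_fw, chk in [(True, True), (True, False), (False, True)]:
        ok, log = handshake(gw_fw, chk)
        print(f"gw=firewall:{gw_fw} syn-check:{chk} -> {'OK' if ok else 'FAIL'} {log}")
```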
