Screen OS

  • 1.  SSG520 P2P T1 to SSG20

    Posted 01-16-2009 08:36

    I have an SSG520 with multiple 2T1 PIC cards in it. Each port is going to a point-to-point T1 to another SSG 20 with a T1 port.

     

    How are the settings configured to allow routing on this?

     

    The main trust interface of the 520 is 10.10.1.1 and the one on the SSG20 is 10.100.1.1. When I connect the crossover T1 in our test lab, the link is up but it will not let me set up an IP.

     

    Anyone have a document on this? Thank you.



  • 2.  RE: SSG520 P2P T1 to SSG20

    Posted 01-16-2009 10:39

    Couple of questions. First, did you put the serial interface in a zone? Second, what encapsulation are you doing (PPP, frame relay, etc.)? You need to configure these before you can assign an IP address to the T1. Also check out this application note.

     

    http://kb.juniper.net/kb/documents/public/kbdocs/BK9398/SSG_WAN-LAN_Configuration_v1_0.pdf

     

    It may not be exactly what you are doing but should help give you some guidance.

     

    -Richard



  • 3.  RE: SSG520 P2P T1 to SSG20

    Posted 01-16-2009 12:58

    I removed the bgroup interfaces (bad?) and IP on the SSG20 and then put the T1 into the Trust zone. With no encapsulation, the link is up, but as soon as I create a /30 PPP network on it, the T1 link drops, which is where I am stuck.

     

    Thank you for the guide. It is a step in the right direction.



  • 4.  RE: SSG520 P2P T1 to SSG20
    Best Answer

    Posted 01-16-2009 23:26

    That guide that Richard references, and of course wrote, is a great place for this type of information.

     

    A couple of things to remember in your checklist. This setup is identical on both sides.

     

    1.) Make sure that a PPP profile was created and defined as static-ip.

    2.) Make sure that the PPP profile is bound to the serial interface.

    3.) Verify that the PPP session is up and that LCP and IPCP are opened.

     

    This is one of my configs I pulled off of one of my SSGs. Just change the ppp profile name to fit whatever you wish to define as a name, and of course place the serial interface into the trust zone.

     

     

    Your config should look something like this.

     

    set int s1/0 zone trust
    set interface "serial1/0" encap ppp
    set int s1/0 ip x.x.x.x/x
    set ppp profile "level3"
    set ppp profile "level3" static-ip
    set interface "serial1/0" ppp profile level3

     

    ssg01-> get int s1/0 ppp
    LCP   : OPENED
    IPCP  : OPENED
    Keep alive interval     : 10
    Keep alive down counter : 3
    Binding profile :  level3 

     

    ssg01-> get ppp profile level3
    PPP Profile: level3
      Authentication:
        Type:  disabled
      Netmask: 255.255.255.255
      Static-ip: Enabled
      Passive: Disabled
      NCP: ipcp-only
      Involved interface( 1 ): serial1/0

     

    One other thing to check. In a lab setup, where will your T1 circuit get its clocking information? The T1 is a synchronous transmission facility. This circuit will need to get timing information. You could configure one of the SSGs to provide internal timing, and see if this helps as well. The second SSG will then pull its timing information from the other SSG. Remember to set it back to external when you go into production. Your ISP will usually provide the timing information.

     

    So try adding this to one of the SSGs in your crossover connection in the lab.

     

    set interface s1/0 clocking internal  

     

    Message Edited by shadow on 01-17-2009 01:38 AM
    Message Edited by shadow on 01-17-2009 01:39 AM


  • 5.  RE: SSG520 P2P T1 to SSG20

    Posted 01-19-2009 12:18

    @shadow wrote:

     

    set int s1/0 zone trust
    set interface "serial1/0" encap ppp
    set int s1/0 ip x.x.x.x/x
    set ppp profile "level3"
    set ppp profile "level3" static-ip
    set interface "serial1/0" ppp profile level3

     


    The only thing I do not follow is the PPP profiles. I have 7 P2P T1s from the main location to SSG20's. Do I need a profile for each one on the main site or can I simply duplicate the level3 one in your example?

     

    Thanks again



  • 6.  RE: SSG520 P2P T1 to SSG20

    Posted 01-19-2009 14:03

    As long as the individual serial interfaces are using the same type of PPP options (static, no auth, etc.), I see no reason why you shouldn't be able to use the same profile. I checked it on a test Juniper and the command didn't complain when I bound the same profile to multiple serial interfaces.

     

    SSG550->  get ppp profile level3

    PPP Profile: level3
      Authentication:
        Type:  disabled
      Netmask: 255.255.255.255
      Static-ip: Enabled
      Passive: Disabled
      NCP: ipcp-only
      Involved interface( 2 ): serial1/0  serial2/0
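
Added example, not part of any post in this thread: a small Python check that runs the checklist from the accepted answer (LCP and IPCP opened, static-ip profile bound to the interface) over saved CLI output, and also covers the shared-profile case from the last reply. The sample text is constructed from the outputs quoted above; the function names are hypothetical.

```python
import re

# Sample CLI output, constructed from the outputs quoted in this thread.
PPP_STATUS = """\
LCP   : OPENED
IPCP  : OPENED
Keep alive interval     : 10
Keep alive down counter : 3
Binding profile :  level3
"""

PPP_PROFILE = """\
PPP Profile: level3
  Authentication:
    Type:  disabled
  Netmask: 255.255.255.255
  Static-ip: Enabled
  Passive: Disabled
  NCP: ipcp-only
  Involved interface( 2 ): serial1/0  serial2/0
"""

def parse_fields(text):
    """Split 'key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def check_link(status_text, profile_text, interface):
    """Return a list of findings for one serial interface."""
    status, profile = parse_fields(status_text), parse_fields(profile_text)
    problems = []
    for proto in ("lcp", "ipcp"):
        if status.get(proto, "").upper() != "OPENED":
            problems.append(f"{proto.upper()} is {status.get(proto) or 'missing'}")
    if status.get("binding profile") != profile.get("ppp profile"):
        problems.append("interface is bound to a different profile")
    if profile.get("static-ip", "").lower() != "enabled":
        problems.append("profile is not static-ip")
    bound = next((v.split() for k, v in profile.items()
                  if k.startswith("involved interface")), [])
    if interface not in bound:
        problems.append(f"{interface} not listed under the profile")
    if profile.get("type", "").lower() == "disabled":
        problems.append("note: PPP authentication is disabled")
    return problems
```

With the sample output, both serial1/0 and serial2/0 pass the link checks and the only finding is the note that the shared profile has PPP authentication disabled.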



  • 7.  RE: SSG520 P2P T1 to SSG20

    Posted 01-20-2009 07:12

    Good to know. Thank you for your help. Worked perfectly.