ScreenOS Firewalls (NOT SRX)
Visitor
Vasily
Posts: 7
Registered: ‎07-29-2009

SSG550, ScreenOS 6.2r2 RTSP Problem

Hi!

I have a problem with SSG550 ScreenOS 6.2r2 when I try to use RTSP over PAT. ALG for RTSP is enabled and I am using policy NAT. When I try to view RTSP with a MIP address, it's OK, but when I do this with policy NAT (or PAT) it doesn't work.

Super Contributor
ELKIM
Posts: 227
Registered: ‎12-01-2008

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Hi Vasily

Actually I don't know the details of your problem. Please execute these debug commands:

clear db

debug nat rtsp
debug nat gate
debug rm resource
debug flow basic

<generate RTSP traffic>

undebug all

get db str

BTW, how about if you disable the RTSP ALG?

Thanks

EL

Visitor
Vasily
Posts: 7
Registered: ‎07-29-2009

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Hi ELKIM,

Unfortunately I can't enable debug flow because I have a lot of traffic through our NetScreen. I have tried to enable debug nat rtsp and I see RTSP traffic without any errors or warnings. These are my requests:

## 2009-08-21 12:46:23 : nat_rtsp_handler: entered: from 10.10.213.96 -> 74.125.77.177
## 2009-08-21 12:46:23 :

and the remote replies:

## 2009-08-21 12:46:23 : nat_rtsp_handler: entered: from 74.125.77.177 -> address.from.PAT.pool
## 2009-08-21 12:46:23 :

I tried RTSP with the RTSP ALG disabled; the result is the same, it doesn't work.

Thank you for your reply!

BR, Vasily.

Super Contributor
ELKIM
Posts: 227
Registered: ‎12-01-2008

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Hi,

Unfortunately you cannot debug with the flow basic option. If you don't mind, you can try to disable reassembly-for-alg on all zones that RTSP traffic passes through.

With debug flow basic we can determine whether the problem is caused by NAT reassembly or not:

****** 23831515.0: <UserZone/ethernet0/1.2> packet received [783]******
ipid = 30965(78f5), @2e5be914
packet passed sanity check.
ethernet0/1.2:192.168.202.13/1785->218.188.73.209/554,6<Root>
existing session found. sess token 30
flow got session.
flow session id 60958
vsd 0 is active
packet dropped, nat xlate reassembly

Thanks

EL

Visitor
Vasily
Posts: 7
Registered: ‎07-29-2009

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Thank you for the good advice. I did a debug and I see some interesting stuff: the first phase is standard (TCP and RTSP negotiations), and in the second there are too many packets with:

****** 2188125.0: <SZ0/ethernet0/0.20> packet received [1216]******
  ipid = 41650(a2b2), @2d650114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0.20:74.125.77.177/10580->IP.from.PAT.pool/6970,17<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0.20>, out <N/A>
  chose interface ethernet0/0.20 as incoming nat if.
  packet dropped: for self but not interested

Message Edited by Vasily on 08-24-2009 07:19 AM
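
When a `debug flow basic` capture is too large to read by eye, the records quoted in this thread can be summarised mechanically. The following Python script is an added example, not part of any post and not Juniper tooling; it assumes the record layout seen in the excerpts above, and the names `parse_flow_debug` and `drop_summary` are hypothetical.

```python
import re
from collections import Counter

# Sample input: the two "debug flow basic" records quoted in this thread, abridged
# to the lines the parser reads (IP.from.PAT.pool is the poster's own placeholder).
SAMPLE = """\
****** 23831515.0: <UserZone/ethernet0/1.2> packet received [783]******
ethernet0/1.2:192.168.202.13/1785->218.188.73.209/554,6<Root>
existing session found. sess token 30
packet dropped, nat xlate reassembly
****** 2188125.0: <SZ0/ethernet0/0.20> packet received [1216]******
  ethernet0/0.20:74.125.77.177/10580->IP.from.PAT.pool/6970,17<Root>
  no session found
  packet dropped: for self but not interested
"""

HEADER = re.compile(r"\s*\*+\s*([\d.]+):\s*<([^>]+)>\s*packet received")
TUPLE = re.compile(r"\s*([^:\s]+):([^/\s]+)/(\d+)->([^/\s]+)/(\d+),(\d+)<")
DROP = re.compile(r"\s*packet dropped[:,]\s*(.+?)\s*$")
PROTO = {6: "tcp", 17: "udp"}  # IP protocol number after the comma

def parse_flow_debug(text):
    """Split dbuf output into one dict per 'packet received' record."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"time": m[1], "ingress": m[2], "session": None, "drop": None}
            records.append(cur)
        elif cur is None:
            continue  # ignore anything before the first record header
        elif m := TUPLE.match(line):
            cur.update(src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]),
                       proto=PROTO.get(int(m[6]), m[6]))
        elif "no session found" in line:
            cur["session"] = False
        elif "existing session found" in line:
            cur["session"] = True
        elif m := DROP.match(line):
            cur["drop"] = m[1]
    return records

def drop_summary(records):
    """Count dropped packets per (reason, proto, dst port, session matched)."""
    return Counter((r["drop"], r.get("proto"), r.get("dport"), r["session"])
                   for r in records if r["drop"])

if __name__ == "__main__":
    for key, count in drop_summary(parse_flow_debug(SAMPLE)).most_common():
        print(count, key)
```

Run against the sample, the summary lists one TCP drop to port 554 on an existing session and one UDP drop to port 6970 with no session matched.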
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Is IP.from.PAT.pool configured on an interface of the firewall?
Visitor
Vasily
Posts: 7
Registered: ‎07-29-2009

Re: SSG550, ScreenOS 6.2r2 RTSP Problem

Yes, it's configured on the interface as DIP. Following the knowledge base recommendation, we are using policy-based NAT.