08-11-2010 05:14 PM
The policy is what has the mip in use. To rebuild you'll need to remove the policy first.
11-01-2010 03:09 PM
Hey there.
Finally getting back to this. After some further research I see that the NetScreen log shows entries for Close reason : Close - TCP Fin. On the client I get errors 800 and 721. Research indicates that this is the result of the firewall not allowing GRE protocol traffic on 47 and TCP traffic on 1723.
For the record I spoke with a Juniper tech support rep earlier who helped me with this. It was not until after I hung up that I did some more research and suspect the firewall is the problem and the RRAS server. The ticket # is 201011010644.
Do I open those ports from the policy that relates to the MIP or do I do it globally? How do I verify the correct ports are open?
11-01-2010 03:34 PM
I went into the Policy and ensured GRE, PPTP, and TCP all were allowed. I tried to connect again and instead got a new close reason of Close - TCP RST from 2 different services, SQL*NET V2 and PPTP. Research on Juniper forums indicates that
Disabling SQL ALG may solve the issue
FW> get alg ( to see the list of ALGs )
FW> unset alg SQL enable
FW> save
This is from post http://communities.juniper.net/t5/ScreenOS-Firewal
Thoughts?
11-02-2010 03:55 AM
It does sound like you are hitting the alg by accident. The log message is saying that the traffic is being identified by the firewall as meeting that profile. If it is really not sql alg traffic this will cause problems so you can disable the alg to let the traffic pass unprocessed.
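The symptom described in the two posts above (PPTP control sessions on TCP/1723 showing up in the log under the SQL*NET V2 service and closing with TCP RST) can be surfaced from the traffic log before anyone reads it by hand. The following is an added example, not code from the thread or from Juniper: the log lines are constructed in the style of ScreenOS key=value traffic-log output, and the field names, policy ids and addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of ScreenOS traffic-log syslog output.
# Field names and values are assumptions for this example, not real log data.
SAMPLE_LOG = """\
policy_id=5 service=PPTP proto=6 src=10.0.0.7 dst=203.0.113.10 src_port=49152 dst_port=1723 reason=Close - TCP FIN
policy_id=5 service=SQL*NET V2 proto=6 src=10.0.0.7 dst=203.0.113.10 src_port=49153 dst_port=1723 reason=Close - TCP RST
policy_id=5 service=GRE proto=47 src=10.0.0.7 dst=203.0.113.10 src_port=0 dst_port=0 reason=Close - AGE OUT
policy_id=9 service=HTTP proto=6 src=10.0.0.8 dst=203.0.113.20 src_port=49200 dst_port=80 reason=Close - TCP FIN
"""

# What the VPN flows in the thread should be labelled as: PPTP control traffic
# is TCP (proto 6) to port 1723, and the tunnel itself is GRE (IP proto 47).
# Any other service label on those flows means an ALG has re-classified the
# session as something it is not.
EXPECTED_SERVICE = {("6", "1723"): "PPTP", ("47", "0"): "GRE"}

# key=value pairs where a value may contain spaces (e.g. "SQL*NET V2",
# "Close - TCP RST"); a value ends where the next "key=" begins.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one traffic-log line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line.strip())}


def misclassified_sessions(log: str) -> List[Dict[str, str]]:
    """Return the sessions whose service label contradicts their proto/port.

    These are the sessions to check against the policy's Application/ALG
    setting rather than against the permitted services list.
    """
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        expected = EXPECTED_SERVICE.get((rec.get("proto"), rec.get("dst_port")))
        if expected and rec.get("service") != expected:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in misclassified_sessions(SAMPLE_LOG):
        print(f"policy {rec['policy_id']}: {rec['src']} -> {rec['dst']}:{rec['dst_port']} "
              f"labelled {rec['service']!r}, closed by {rec['reason']!r}")
```

A hit here points at the ALG, not at the port list: the policy already permits TCP/1723, yet the firewall has processed the session as SQL*NET and reset it.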
11-03-2010 03:48 PM
The actual problem was in the policy set up for the MIP that would allow VPN traffic for GRE and PPTP traffic. In the setting for the policy the Application field needed to be set to IGNORE.