Screen OS

  • 1.  Troubles with ALGs after upgrade to ScreenOS6.1

    Posted 05-11-2009 22:26

    Hi there,

    Today we ran into a little problem with ALGs when we upgraded our ISG2000 cluster from 5.3.0r3.0 to 6.1.0r5.0.

    One application that uses TCP 2000 stopped working after the upgrade - only when we disabled all ALGs that were new (or no longer hidden?) in 6.1 did it work again.

    Could someone tell me where to get more detailed info on the "internals" of those ALGs?

    This is the ALG status right after the upgrade:

    FWCl3:TMA_OAM_21(B)-> get alg
    DNS          ALG : enabled
    FTP          ALG : enabled
    H323         ALG : enabled
    HTTP         ALG : enabled
    MGCP         ALG : enabled
    MSRPC        ALG : enabled
    PPTP         ALG : disabled
    REAL         ALG : enabled
    RSH          ALG : enabled
    RTSP         ALG : enabled
    SCCP         ALG : enabled
    SCTP         ALG : disabled
    APPLEICHAT   ALG : disabled
    SIP          ALG : enabled
    SQL          ALG : enabled
    SUNRPC       ALG : enabled
    TALK         ALG : enabled
    TFTP         ALG : enabled
    XING         ALG : enabled

    After comparing it with the other node (running the old version), we disabled the following ALGs:

    FWCl3:TMA_OAM_21(B)-> unset alg dns enable
    FWCl3:TMA_OAM_21(B)-> unset alg ftp enable
    FWCl3:TMA_OAM_21(B)-> unset alg http enab
    FWCl3:TMA_OAM_21(B)-> unset alg pptp ena
    FWCl3:TMA_OAM_21(B)-> unset alg real ena
    FWCl3:TMA_OAM_21(B)-> unset alg rsh ena
    FWCl3:TMA_OAM_21(B)-> unset alg sccp ena
    FWCl3:TMA_OAM_21(B)-> unset alg sctp ena
    FWCl3:TMA_OAM_21(B)-> unset alg appleichat ena
    FWCl3:TMA_OAM_21(B)-> unset alg talk ena     
    FWCl3:TMA_OAM_21(B)-> unset alg tftp ena
    FWCl3:TMA_OAM_21(B)-> unset alg xing ena

    So now we don't know which ALG really broke the application... that's why I'm looking for more detailed info on them.

    Thanks

  • 2.  RE: Troubles with ALGs after upgrade to ScreenOS6.1
    Best Answer

    Posted 05-12-2009 04:00

    TCP 2000 sounds like Cisco Skinny.

    (I assume you are using VoIP with Cisco. If not, the ALG SCCP could be triggered when an application is using TCP 2000.)

    So disabling the SCCP ALG should be sufficient.

    Message Edited by hagbard on 05-12-2009 04:02 AM


  • 3.  RE: Troubles with ALGs after upgrade to ScreenOS6.1

    Posted 05-12-2009 04:41

    Thanks a lot - indeed it was the SCCP ALG (should have traced that with debug... ;))

    Besides, it's not VoIP we are using; it's a Remedy application that uses this port.
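
The narrowing-down step from the thread, as an added example that is not part of the original posts: it parses the posted `get alg` output and lists only the enabled ALGs whose default port matches the broken application's port, so a single ALG can be disabled instead of twelve. The port table is an assumption based on common protocol defaults, not ScreenOS's own service bindings; only SCCP on TCP 2000 is confirmed by the thread.

```python
import re

# Constructed input: the `get alg` listing from the first post, pasted as text.
GET_ALG = """FWCl3:TMA_OAM_21(B)-> get alg
DNS          ALG : enabled
FTP          ALG : enabled
H323         ALG : enabled
HTTP         ALG : enabled
MGCP         ALG : enabled
MSRPC        ALG : enabled
PPTP         ALG : disabled
REAL         ALG : enabled
RSH          ALG : enabled
RTSP         ALG : enabled
SCCP         ALG : enabled
SCTP         ALG : disabled
APPLEICHAT   ALG : disabled
SIP          ALG : enabled
SQL          ALG : enabled
SUNRPC       ALG : enabled
TALK         ALG : enabled
TFTP         ALG : enabled
XING         ALG : enabled
"""

# Assumption: each protocol's usual default port, not ScreenOS's own service
# bindings. Only SCCP on TCP 2000 is confirmed by the thread.
DEFAULT_PORTS = {
    "DNS": {("udp", 53), ("tcp", 53)}, "FTP": {("tcp", 21)},
    "H323": {("tcp", 1720)}, "HTTP": {("tcp", 80)}, "MSRPC": {("tcp", 135)},
    "PPTP": {("tcp", 1723)}, "RSH": {("tcp", 514)}, "RTSP": {("tcp", 554)},
    "SCCP": {("tcp", 2000)}, "SIP": {("udp", 5060), ("tcp", 5060)},
    "SUNRPC": {("udp", 111), ("tcp", 111)}, "TFTP": {("udp", 69)},
}

def parse_get_alg(text):
    """Return {ALG name: enabled?}; prompt lines and blanks are skipped."""
    rows = re.findall(r"^\s*(\S+)\s+ALG\s*:\s*(enabled|disabled)\s*$", text, re.M)
    return {name: state == "enabled" for name, state in rows}

def suspects(status, proto, port):
    """Enabled ALGs whose default port matches the broken application's port."""
    return sorted(n for n, on in status.items()
                  if on and (proto, port) in DEFAULT_PORTS.get(n, ()))

def unset_commands(names):
    """ScreenOS CLI lines in the form used in the thread."""
    return [f"unset alg {n.lower()} enable" for n in names]
```

Calling `unset_commands(suspects(parse_get_alg(GET_ALG), "tcp", 2000))` yields the one command that matches the accepted answer.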