07-31-2008 07:08 AM
I have an older 5GT set up on my network. When I try to map to a Windows 2000 server I get an error (the connection cannot be restored).
I've set up logging on the interface, what should I be looking for?
PS: the unit is NATted and works connecting to Windows 2003, Novell, XP and Unix machines.
08-03-2008 11:24 PM
- What ScreenOS version is the 5GT running?
- Are you using the *same* client (that works to the Windows 2003 svr) to connect to the Windows 2000 server?
- Can you display the policy that you created for that communication, i.e. get policy id <id>?
- Can you capture the following debug:
undebug all (to turn off any debugs)
set ff src-ip x.x.x.x (where x.x.x.x is IP of client; this flow filter will capture packets transmitted by the client)
set ff src-ip y.y.y.y (where y.y.y.y is IP of win 2000 server; this flow filter will capture packets transmitted by the win 2000 svr)
debug flow basic
<Then have problematic client try to connect to Win 2000 server>
undebug all (do this immediately when you get the error so the debug buffer is not overwritten)
get db stream (to view the debug buffer)
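To answer the "what should I be looking for?" question, here is an added triage script (not part of the original thread or any Juniper tool) that reads a saved `get db stream` buffer and pulls out, per packet, the 5-tuple and the flow engine's verdict ("Permitted by policy N" or "packet dropped, ..."). It also reports which of the flow-filter hosts never showed up as a source at all, which is the case where the traffic is being lost before the flow engine rather than by a policy. The sample buffer is constructed; its line shapes follow ScreenOS `debug flow basic` output from memory and should be treated as an assumption about the format, and the addresses are invented for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of ScreenOS `get db stream` output after
# `debug flow basic` with `set ff src-ip` filters on a client (192.168.2.10)
# and a server (192.168.1.20). Line layouts are reproduced from memory and are
# an assumption about the format, not a capture from the posters' units.
SAMPLE_DB_STREAM = """\
****** 1001.0: <Trust/ethernet1> packet received [60]******
  ethernet1:192.168.2.10/1045->192.168.1.20/445,6<Root>
  no session found
  policy search from zone 2-> zone 1
  Permitted by policy 1
****** 1001.1: <Trust/ethernet1> packet received [60]******
  ethernet1:192.168.2.10/1046->192.168.1.20/139,6<Root>
  no session found
  policy search from zone 2-> zone 1
  packet dropped, denied by policy
****** 1001.2: <Trust/ethernet1> packet received [78]******
  ethernet1:192.168.2.10/137->192.168.1.255/137,17<Root>
  no session found
  packet dropped, no route to host
"""

HEADER_RE = re.compile(r"^\*{6} (\d+\.\d+): <([^>]+)> packet received \[(\d+)\]")
TUPLE_RE = re.compile(
    r"^\s*(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+)"
)
PERMIT_RE = re.compile(r"Permitted by policy (\d+)")
DROP_RE = re.compile(r"^\s*packet dropped,?\s*(.*)$")


def parse_db_stream(text: str) -> List[Dict[str, Optional[str]]]:
    """Split a debug buffer into one record per packet: 5-tuple plus verdict."""
    records: List[Dict[str, Optional[str]]] = []
    cur: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"ts": h.group(1), "ingress": h.group(2), "len": h.group(3),
                   "src": None, "sport": None, "dst": None, "dport": None,
                   "proto": None, "verdict": "unknown", "detail": None}
            records.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first packet header
        t = TUPLE_RE.match(line)
        if t:
            cur["src"], cur["sport"] = t.group(2), t.group(3)
            cur["dst"], cur["dport"] = t.group(4), t.group(5)
            cur["proto"] = t.group(6)  # 6 = TCP, 17 = UDP
            continue
        p = PERMIT_RE.search(line)
        if p:
            cur["verdict"], cur["detail"] = "permitted", "policy " + p.group(1)
            continue
        d = DROP_RE.match(line)
        if d:
            cur["verdict"], cur["detail"] = "dropped", d.group(1) or None
    return records


def drops(records: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Only the packets the flow engine dropped, with the reason it printed."""
    return [r for r in records if r["verdict"] == "dropped"]


def unseen_hosts(records: List[Dict[str, Optional[str]]], hosts: List[str]) -> List[str]:
    """Flow-filter hosts that never appear as a packet source in the buffer.
    A host listed here sent nothing that reached the flow engine during the
    test, so the loss happens before policy evaluation (or it never replied)."""
    seen = {r["src"] for r in records}
    return [h for h in hosts if h not in seen]


if __name__ == "__main__":
    recs = parse_db_stream(SAMPLE_DB_STREAM)
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']}: "
              f"{r['verdict']} ({r['detail']})")
    print("never seen as source:", unseen_hosts(recs, ["192.168.2.10", "192.168.1.20"]))
```

Run it against a pasted buffer instead of the sample and look first at `drops()`: a "denied by policy" verdict on port 445 or 139 points at the policy or its service list, while a client that appears in `unseen_hosts()` despite Wireshark showing its packets on the wire means the packets are being lost before the flow engine ever sees them.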
08-04-2008 07:45 PM
If it's anything like a problem I have been having, that's just one of the symptoms of the problem. I wasn't able to find a fix and am still waiting for support to get back to me... 2 weeks and counting.
From what I could tell, in my case it had something to do with the Juniper (SSG5 6.0.0r5.0) dropping NetBIOS and DNS info. Dropping as in it never gets to any of the policies/logs; even the debug doesn't show it. Wireshark shows that it's getting to the Juniper though. The problem only affected 2 of the ten computers I tested. I will put my setup below in case it helps someone.
eth0/0 ip 192.168.1.253/24 gw 192.168.1.254 custom zone one.
eth0/1 ip 192.168.2.254/24 custom zone 2. DHCP server. DNS server 192.168.1.254
I have a switch connected to each port.
The computers that have problems (1 of 2 servers (Win 2003) and 1 of ten identical laptops (XP)) can't have their shares accessed across the Juniper. They can be pinged via IP address and websites that they are hosting (for testing) can be accessed. There is no problem accessing them if the traffic is not going across the Juniper. I wasn't able to move the server, but for the laptop it didn't matter which side of the Juniper it was connected to; the problem still existed for cross-Juniper traffic.
Also, when testing from the laptop when it was getting its DHCP from the Juniper, it could not resolve ANY DNS or NetBIOS queries. Nothing at all would show in any of the policies etc. Manually setting the WINS server and DNS server and even editing the hosts file (for local share access) made no difference - I could ping the name but not connect to it for file access. However, I could browse via IP address with no problems, even to access shares on the DNS server. (That traffic showed in the policies. Same policy: any any accept.)
However, if you set its IP info manually with an external DNS server then it worked. (Remember that it was only 1 out of 10 laptops that showed this problem; all the others worked fine.)
You can still access other computers' shares from the computers that are displaying the problem. However, if you're getting your DHCP from the Juniper then you need to use IP addresses instead of names.
As it stands at the moment I have had to take the Juniper out as the customer required access to the shares on the server.
Not sure if that will help anyone or if it's even the same problem, but it's good to have it off my chest :-).