Modifying Subnet -> Routing problem

I'm writing to you because I'm running out of time a bit, so I can't search for myself; it could take too much time (yes, my co-worker and I are in serious time trouble ;).

So here are the facts:
We had to change a local network from /24 to /23 because the company is growing and growing and growing.
Unfortunately, nobody but the management knew anything about pushing the "business plan" harder and faster than ever before. So we were a little surprised when the order came to install 30 workspaces (PCs, laptops, access points, network printers...) at the beginning of Aug 2010. So we're running out of IPs in our local network much earlier than expected. The original timetable to switch the network is now rescheduled from Dec 2010 to 8/1/2010...

We altered the DHCP server settings. The old range: from -, subnet mask, network.
The new settings: -, subnet mask, network. Addresses are distributed normally; the internal communication is working fine.

So, here comes my problem.

The gateway interface on ethernet0/0 has the address . With this setting, all clients in the 41-network can access the internet. The clients in the 40-network can't access the internet.

We're using a Juniper SSG140
Firmware: 6.1.0r1.0 (Firewall+VPN)

My first plan was changing the /24 to /23. What then happened was a total mess: all the clients in the 41-subnet couldn't access the internet anymore, but all in the 40s could (a handful of machines for testing purposes), and the VPN tunnel broke down (a crowd with dung forks and torches was running to our office... 😉). After switching back, all worked fine, as before.


One thought is that this may be a routing problem.


My background: I didn't set up the Juniper, but now I have to manage it, and I'm still learning.

So, if you have any ideas, links, etc., or can assist me here, it would be very helpful, because I'm running massively out of time.
Thanks to the almighty, all-glorious, genius, all-powerful, magnificent (blah blah blah...) wisdom of the management for NOT talking to the IT staff....

So guys, I would be glad if you could supply me with (helpful) information.


Yours, Chris (trying not to become crazy when spotting.... 😉)


Re: Modifying Subnet -> Routing problem

The change in the network segment size is interlocked with the internet access policy and the VPN connection.


When expanding the scope of your trust network from /24 to /23 all these areas should be updated.


  • The network segment assigned to the interface in the trust zone. (Whatever IP you assign to this interface is your default gateway for DHCP for the entire new /23 network.) This can stay the same IP as before, or you can move it to the bottom/top of your expanded range.
  • Update DHCP with the new scope, and yes, you need the new mask, or the machines will not talk to each other properly, in addition to not getting out to the internet. Change the gateway if you changed the interface address.
  • Change your network segment policy object to the new /23 range; this will allow your internet policies to work for the larger segment.
  • The VPN may be using this same object, and that will break when you change the network segment. To fix this, the other side of the VPN tunnel must also change to the new network scope. This will be on the firewall for the remote site that connects to your site with the expanded network. And there will be downtime during this transition.


Re: Modifying Subnet -> Routing problem

Hi Steve,


the DHCP thing (scope, suffix and so on) is clear. We also modified the policies for the zones "trust to untrust". Allowing more than needed shouldn't be a problem in this special case. Now my questions as a newbie (yes, I wish I could have spent more time reading the manual, doing some training from specialists... 😉 😞) What do you mean by "network segment policy"? What is it called in the NetScreen WebUI? With that I can do more specific research, and I am a step closer to understanding the NetScreen device 😉


Re: Modifying Subnet -> Routing problem

Sorry, that was sloppy: "network segment policy object" should have been "policy address object". This is a subsection in the web UI:


Policies--Policy objects--Address Objects


If you have modified the policies, you probably already took care of the address objects. Policies use address objects as the source and destination of what is controlled.


I was assuming that your internet policy used the trust network object for the internal network and the Any object for the WAN. That way, if you change that address object's network scope, it automatically changes your internet access policy.


This address object may also be the same one used by your IPsec VPN configuration. That would drop the tunnel when it changes, because these have to match on both firewalls for the tunnel to come up. Therefore you need to change the matching object on the other firewall for the tunnel to re-establish.
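Added illustration, not part of the thread and not ScreenOS code: a small Python model of the two effects Steve describes. A zone policy that references a named address object only permits hosts inside that object, so an object still scoped to the old "41" /24 leaves the new "40" half of the /23 with no matching policy (implicit deny), and an IPsec phase-2 proxy ID built from that object stops matching the peer until the peer is updated too. The addresses (192.168.41.0/24 growing into 192.168.40.0/23, a 10.20.0.0/24 remote site, a TEST-NET destination) are constructed placeholders; the original post omits its real values.

```python
"""Model of how a named address object scopes a zone policy and a VPN
proxy ID when a LAN grows from /24 to /23. Constructed example; the
networks below are placeholders, not the thread's real addresses."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

OLD_LAN = ipaddress.ip_network("192.168.41.0/24")      # constructed: old trust object
NEW_LAN = ipaddress.ip_network("192.168.40.0/23")      # constructed: expanded trust object
REMOTE_LAN = ipaddress.ip_network("10.20.0.0/24")      # constructed: VPN peer's LAN
INTERNET_HOST = ipaddress.ip_address("198.51.100.10")  # constructed: TEST-NET-2 host


def supernet_for_expansion(old: Net) -> Net:
    """Return the /23 that contains the old /24.

    /23 blocks start on an even third octet, so x.x.41.0/24 becomes the
    upper half of x.x.40.0/23 and the "40" hosts are the newly added half."""
    return old.supernet(prefixlen_diff=1)


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_obj: str   # address object name in src_zone, or "Any"
    dst_obj: str   # address object name in dst_zone, or "Any"
    action: str    # "permit" or "deny"


class Firewall:
    """Minimal zone-based policy lookup over named address objects."""

    def __init__(self, address_objects: dict[str, dict[str, Net]], policies: list[Policy]):
        self.address_objects = address_objects  # zone -> object name -> network
        self.policies = policies                # ordered; first match wins

    def _matches(self, zone: str, obj: str, ip: ipaddress.IPv4Address) -> bool:
        if obj == "Any":
            return True
        net = self.address_objects.get(zone, {}).get(obj)
        return net is not None and ip in net

    def evaluate(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> str:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for p in self.policies:
            if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
                continue
            if self._matches(src_zone, p.src_obj, src) and self._matches(dst_zone, p.dst_obj, dst):
                return p.action
        return "deny"  # no policy matched: implicit deny


def build_firewall(lan_object: Net) -> Firewall:
    """Trust->Untrust policy 'LAN -> Any permit', as assumed in the thread."""
    objects = {"Trust": {"LAN": lan_object}, "Untrust": {}}
    return Firewall(objects, [Policy("Trust", "Untrust", "LAN", "Any", "permit")])


def internet_access(lan_object: Net) -> dict[str, str]:
    """Verdict for one host from each half of the /23 against the given object."""
    fw = build_firewall(lan_object)
    return {
        host: fw.evaluate("Trust", "Untrust", host, str(INTERNET_HOST))
        for host in ("192.168.41.25", "192.168.40.25")
    }


def proxy_ids_match(local_side: tuple[Net, Net], peer_side: tuple[Net, Net]) -> bool:
    """Phase-2 proxy IDs: our (local, remote) pair must mirror the peer's."""
    return local_side == (peer_side[1], peer_side[0])


if __name__ == "__main__":
    print("expanded object:", supernet_for_expansion(OLD_LAN))
    print("object still /24:", internet_access(OLD_LAN))
    print("object now /23:  ", internet_access(NEW_LAN))
    # Our side updated, peer still has the old /24 as its remote network.
    print("tunnel before peer update:", proxy_ids_match((NEW_LAN, REMOTE_LAN), (REMOTE_LAN, OLD_LAN)))
    print("tunnel after peer update: ", proxy_ids_match((NEW_LAN, REMOTE_LAN), (REMOTE_LAN, NEW_LAN)))
```

Run it as a script: with the object still at /24 the 192.168.40.25 host gets the implicit deny while 192.168.41.25 is permitted, which is the asymmetric outcome in the first post; with the object at /23 both are permitted, and the proxy-ID check only returns True once the peer firewall carries the same /23.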

