Screen OS

  • 1.  10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-08-2008 14:40
    I have a 10 user 5gt with 5.4.0r4.0 running on it.  I have been trying to figure out why no one can get out.  When I plug in one workstation (the workstation has been restarted and is a Mac) the Active Users table immediately begins to fill up with IP addresses. No switches or APs plugged into the 5gt, only a single cat5 to the workstation.  Any ideas??  HELP


  • 2.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-08-2008 18:17

    Hi,

     

    Can you post the output from get active-user

     

    Also if you do a clear active-user all, does it start to fill up again?

     

    Regards

     

    Andy



  • 3.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:06

    Sorry for the delay,

     

    So here is the result of the get active-user command. After running it, the system immediately fills up with bogus IPs. I only have one workstation connected directly at this time, and none of these IPs are pingable and none of these IPs are the IP of the workstations connected.  I can see in the log that it says the IP of the workstation in question cannot be added because there are too many connected hosts.  Very strange!

     

    ns5gt-> get active-user
    Total 10/10, Free 0:
      192.168.150.5: 2 incoming sessions    0 outgoing sessions
      192.168.150.12: 6 incoming sessions    0 outgoing sessions
      192.168.150.16: 6 incoming sessions    0 outgoing sessions
      192.168.150.46: 6 incoming sessions    0 outgoing sessions
      192.168.150.47: 1 incoming sessions    0 outgoing sessions
      192.168.150.52: 7 incoming sessions    0 outgoing sessions
      192.168.150.53: 6 incoming sessions    0 outgoing sessions
      192.168.150.65: 6 incoming sessions    0 outgoing sessions
      192.168.150.67: 6 incoming sessions    0 outgoing sessions
      192.168.150.253: 3 incoming sessions    0 outgoing sessions
     



  • 4.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:10

    If you do a 'get arp' do you see any of these addresses in the arp table?? Do any of these addresses appear in your config? For incoming NATs like MIP or anything?

     

    Regards

     

    Andy



  • 5.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:15

    Here is the get arp, not doing any MIP or anything:

     

    192.168.150.254  000000000000        trust-vr/trust    PND     0      1       1     0
         24.113.8.1  005057013a1d      trust-vr/untrust    VLD  1195      0       0     1
     192.168.150.45  000000000000        trust-vr/trust    PND     0      1       2     0
     192.168.150.47  000000000000        trust-vr/trust    PND     0      1       1     0
     192.168.150.14  000000000000        trust-vr/trust    PND     0      0       1     0
      192.168.150.5  000000000000        trust-vr/trust    PND     0      0       1     0
     192.168.150.66  000000000000        trust-vr/trust    PND     0      1       2     0
     192.168.150.67  000000000000        trust-vr/trust    PND     0      1       1     0
     192.168.150.68  000000000000        trust-vr/trust    PND     0      0       1     0
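The cross-check Andy asks for in the two posts above (are the active-user addresses in the ARP table, and in what state?) can be automated over the pasted CLI output. The script below is an added example, not something from the thread or from Juniper: it parses the `get active-user` and `get arp` listings, then sorts every active-user IP into "phantom" (ARP entry pending with an all-zero MAC, so the firewall never got an ARP reply from that address), "resolved" (a real host answered) or "unknown" (no ARP entry at all). The sample text is the thread's own output trimmed down; the .100 "good" workstation line and its MAC are constructed here as assumptions, and the `get arp` column meanings (state PND = pending, VLD = valid) are my reading of the output, not a ScreenOS reference.

```python
import ipaddress
import re

# Constructed sample input: the `get active-user` and `get arp` listings from
# the thread above, trimmed to a few lines. The .100 entry (the workstation the
# poster calls the "good" address) and its MAC are assumptions added here.
ACTIVE_USER_OUTPUT = """\
Total 10/10, Free 0:
  192.168.150.5: 2 incoming sessions    0 outgoing sessions
  192.168.150.12: 6 incoming sessions    0 outgoing sessions
  192.168.150.47: 1 incoming sessions    0 outgoing sessions
  192.168.150.67: 6 incoming sessions    0 outgoing sessions
  192.168.150.100: 4 incoming sessions    3 outgoing sessions
"""

ARP_OUTPUT = """\
192.168.150.254  000000000000        trust-vr/trust    PND     0      1       1     0
     24.113.8.1  005057013a1d      trust-vr/untrust    VLD  1195      0       0     1
 192.168.150.47  000000000000        trust-vr/trust    PND     0      1       1     0
  192.168.150.5  000000000000        trust-vr/trust    PND     0      0       1     0
 192.168.150.67  000000000000        trust-vr/trust    PND     0      1       1     0
192.168.150.100  001b639a1c2d        trust-vr/trust    VLD   120      0       0     1
"""

TOTAL_RE = re.compile(r"^Total (\d+)/(\d+), Free (\d+)")
ACTIVE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+):\s+(\d+) incoming sessions\s+(\d+) outgoing sessions"
)
# Columns as they appear in the pasted output: ip, mac, vr/interface, state
# (PND = pending, VLD = valid), then counters. Column meaning is an assumption.
ARP_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{12})\s+(\S+)\s+(\w+)\s+(\d+)"
)

ZERO_MAC = "000000000000"


def parse_active_user(text):
    """Return (used, limit, {ip: (incoming, outgoing)}) from `get active-user`."""
    used = limit = None
    entries = {}
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            used, limit = int(m.group(1)), int(m.group(2))
            continue
        m = ACTIVE_RE.match(line)
        if m:
            entries[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return used, limit, entries


def parse_arp(text):
    """Return {ip: (mac, vr_interface, state)} from `get arp`."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return table


def classify(active_text, arp_text):
    """Cross-check every active-user IP against the ARP table.

    phantom  : ARP entry pending with an all-zero MAC, i.e. the firewall tried
               to resolve the address and nothing ever answered
    resolved : ARP entry complete (a real host answered)
    unknown  : no ARP entry at all
    """
    used, limit, active = parse_active_user(active_text)
    arp = parse_arp(arp_text)
    report = {
        "used": used,
        "limit": limit,
        "at_limit": used is not None and used == limit,
        "phantom": [],
        "resolved": [],
        "unknown": [],
    }
    for ip in sorted(active, key=ipaddress.ip_address):
        entry = arp.get(ip)
        if entry is None:
            report["unknown"].append(ip)
        elif entry[2] == "PND" and entry[0] == ZERO_MAC:
            report["phantom"].append(ip)
        else:
            report["resolved"].append(ip)
    return report


if __name__ == "__main__":
    r = classify(ACTIVE_USER_OUTPUT, ARP_OUTPUT)
    print(f"active users {r['used']}/{r['limit']} (at limit: {r['at_limit']})")
    for bucket in ("phantom", "resolved", "unknown"):
        print(f"{bucket:9}: {', '.join(r[bucket]) or '-'}")
```

On the thread's data every address except the real workstation lands in "phantom": the firewall is counting them as users because sessions reference them, yet nothing on the wire ever answered an ARP for them. That is the signature to look for when a small-user-count licence fills up with addresses nobody owns, and it points at traffic being generated toward (or from) non-existent hosts rather than at a licensing fault.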
     



  • 6.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:19

    Try doing a 'clear arp' and see if that does anything.

     

    Can you also do a 'get session' and post it here see what sessions are going through the box.

     

    Andy



  • 7.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:37

    I've tried to clear the ARP before with no luck; clearing the sessions has had the same results.  The table fills up with different, bogus addresses.  The current "good" address is .100.  Here is the get session output:

     

    ns5gt-> get session
    alloc 3/max 2064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 2061
    id 1990/s**,vsys 0,flag 00000040/0000/0001,policy 2,time 180, dip 0 module 0
     if 2(nspflag 0811):192.168.150.1/23->12.10.236.62/62550,6,740000000000,sess token 4,vlan 0,tun 0,vsd 0,route 0
     if 1(nspflag 2e00):192.168.150.1/23<-12.10.236.62/62550,6,000000000000,sess token 7,vlan 0,tun 40000001,vsd 0,route 5
    Total 1 sessions shown

     

    The 236.62 address is my IP (remotely connected) and the .1 is the juniper.

     

     



  • 8.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-10-2008 13:49

    Hmmm, never easy is it. This is what should happen, so if there is no session going through the firewall then the active-users should be dropped.

     

    When a session is created that includes an IP address on the trust zone, that IP is added to the Active User Table. This IP will remain in the Active User Table as long as there is a session bound to that IP address. When there are no more sessions for that IP address, that IP will be removed from the Active User Table.

     

    I have no idea where the IP address are coming from if you have only got one device connected.

     

    Try doing a debug on the firewall to see if you receive packets from those addresses trying to connect.

    clear db

    debug flow basic

    clear active-user all

    do a get active-user and see if the table has filled up. When it has

    undebug all

    get db str (this will output what it has captured. See if you receive any packets from those phantom addresses.)

     

    Regards

     

    Andy
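Once the debug buffer from the procedure above has been pasted out of `get db str`, the question is which source addresses the firewall actually saw packets from and how many different destinations each one touched. The script below is an added example, not part of the thread or of ScreenOS: it pulls the `interface:src/port->dst/port,proto` lines out of a `debug flow basic` capture and tallies, per source, the packet count and the number of distinct destinations and destination ports. A single source fanning out across many destinations is what a scanner looks like in that capture, which is the kind of thing the phantom addresses here could be traced back to. The capture text is constructed to resemble the debug output; the exact surrounding lines and their layout are assumptions, and only the flow line is parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `get db str` might contain after `debug flow basic`.
# The surrounding lines are simplified and the layout is an assumption about the
# ScreenOS format; only the `iface:src/port->dst/port,proto` line is parsed.
# 192.168.150.33 plays a host sweeping the subnet, .100 a normal workstation.
DEBUG_CAPTURE = """\
****** 4211.0: <trust/ethernet1> packet received [60]******
  ipid = 17843(45b3), @0a2f4c50
  packet passed sanity check.
  ethernet1:192.168.150.33/51244->192.168.150.5/445,6<Root>
  no session found
****** 4211.1: <trust/ethernet1> packet received [60]******
  ethernet1:192.168.150.33/51245->192.168.150.12/445,6<Root>
  no session found
****** 4211.2: <trust/ethernet1> packet received [60]******
  ethernet1:192.168.150.33/51246->192.168.150.16/139,6<Root>
  no session found
****** 4211.3: <trust/ethernet1> packet received [60]******
  ethernet1:192.168.150.33/51247->192.168.150.46/22,6<Root>
  no session found
****** 4211.4: <trust/ethernet1> packet received [60]******
  ethernet1:192.168.150.33/51248->192.168.150.47/445,6<Root>
  no session found
****** 4212.0: <trust/ethernet1> packet received [52]******
  ethernet1:192.168.150.100/49172->203.0.113.10/80,6<Root>
  existing session found. sess_id 1991
****** 4212.1: <trust/ethernet1> packet received [52]******
  ethernet1:192.168.150.100/49173->203.0.113.10/443,6<Root>
  no session found
****** 4212.2: <trust/ethernet1> packet received [71]******
  ethernet1:192.168.150.100/51001->203.0.113.53/53,17<Root>
  no session found
"""

# interface:src/sport->dst/dport,proto  (the "<Root>" vsys suffix is ignored)
FLOW_RE = re.compile(
    r"^\s*(\S+?):(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+)"
)


def parse_flows(text):
    """Return [(iface, src, sport, dst, dport, proto), ...] from a debug capture."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            iface, src, sport, dst, dport, proto = m.groups()
            flows.append((iface, src, int(sport), dst, int(dport), int(proto)))
    return flows


def fanout_by_source(flows):
    """Per source IP: packets seen, distinct destinations, distinct dest ports."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "dports": set()})
    for _iface, src, _sport, dst, dport, _proto in flows:
        s = per_src[src]
        s["packets"] += 1
        s["dsts"].add(dst)
        s["dports"].add(dport)
    return {
        src: {"packets": s["packets"], "dsts": len(s["dsts"]), "dports": len(s["dports"])}
        for src, s in per_src.items()
    }


def scan_suspects(text, min_dsts=4):
    """Sources that touched at least `min_dsts` distinct destinations (threshold
    is a judgement call; 4 is an assumption for this small capture)."""
    stats = fanout_by_source(parse_flows(text))
    return sorted(
        (src for src, s in stats.items() if s["dsts"] >= min_dsts),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    for src, s in sorted(fanout_by_source(parse_flows(DEBUG_CAPTURE)).items(),
                         key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{src:16} packets={s['packets']:3} dsts={s['dsts']:3} dports={s['dports']:3}")
    print("scan-like sources:", ", ".join(scan_suspects(DEBUG_CAPTURE)) or "-")
```

Read the two tallies together with the active-user listing: if the addresses filling the table show up only as destinations of one chatty source, and never as sources themselves, the "users" are being manufactured by whatever that source is doing, not by hosts on the wire.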



  • 9.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"

    Posted 10-11-2008 19:10

    Wow odd problem.

     

    1. Are you able to try a different computer connected to the netscreen? Maybe there is some software issue on that PC.
    2. Are you running DHCP on the netscreen or not (do a report and see if those other addresses are there)? Maybe try disabling DHCP and setting the PC to a static IP.
    3. Post your config, are you running DIP or something?


  • 10.  RE: 10 user ns5gt with one client plugged says "The user limit has been exceeded"
    Best Answer

    Posted 10-21-2008 08:26
    Well I think I have it figured out.  In the end it turned out that a co-worker was running scanning software on that subnet, so whenever a scan was run it filled up the IP table (strange). But once I found it and had him shut it down, the box started working normally again.   Thanks for all the help and ideas!!