ScreenOS Firewalls (NOT SRX)

Juniper SSG Route issue

‎03-26-2017 08:21 PM

Hi, I have a Juniper SSG140 as an internet gateway device.

Today some PCs whose DNS server is 114.114.114.114 (a public DNS server) can't open websites.

When I checked the SSG140, I found a connected route for 114.114.114.114. Unbelievable!!!

After rebooting the SSG140, this route disappears and everything works normally.

It has occurred several times.

Is there any information I need to provide?

Firmware version 6.2.0r5.0 (Firewall+VPN) and routing table information below:

 

---------------------------------------------------------------------------------------------------------------------------

SSG140-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (97 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 18 1.1.1.1/32 tun.12 0.0.0.0 H 0 0 Root
33 9.9.9.9/32 tun.16 0.0.0.0 S 20 1 Root
34 2.3.4.5/32 tun.16 0.0.0.0 S 20 1 Root
* 71 0.0.0.0/0 eth0/0 116.228.60.153 S 20 1 Root
196 11.11.11.11/32 tun.23 0.0.0.0 S 20 1 Root
* 604 3.3.3.3/32 eth0/8 172.16.1.2 S 20 10 Root
* 748 114.114.114.114/32 eth0/0 114.114.114.114 C 0 0

 


Re: Juniper SSG Route issue

‎03-26-2017 09:01 PM

Hi,

1: So you don't have this route in your current route table, right?

2: Did you take the output of get route id 748 during the issue?

3: Is this IP anywhere in the config? (get config | in 114.114.114.)

Thanks,

Vikas


Re: Juniper SSG Route issue

‎03-27-2017 01:43 AM

Thank you for your reply.

The connected route for 114.114.114.114 is in my current route table again.

Device bug??

Command output:

-------------------------------------------------

SSG140-> get route


IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for <trust-vr> (95 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 18 1.1.1.1/32 tun.12 0.0.0.0 H 0 0 Root
33 9.9.9.9/32 tun.16 0.0.0.0 S 20 1 Root
34 2.3.4.5/32 tun.16 0.0.0.0 S 20 1 Root
* 71 0.0.0.0/0 eth0/0 116.228.60.153 S 20 1 Root
196 11.11.11.11/32 tun.23 0.0.0.0 S 20 1 Root
* 604 3.3.3.3/32 eth0/8 172.16.1.2 S 20 10 Root
* 755 114.114.114.114/32 eth0/0 114.114.114.114 C 0 0 Root
52 7.4.3.1/32 tun.40 0.0.0.0 S 20 1 Root
* 17 1.1.1.0/30 tun.12 0.0.0.0 C 0 0 Root
* 25 4.4.2.1/32 eth0/8 0.0.0.0 S 20 1 Root
* 16 12.1.1.1/32 tun.6 0.0.0.0 H 0 0 Root
191 13.1.1.2/32 eth0/5 0.0.0.0 H 0 0 Root
* 668 10.4.4.5/32 eth0/0 10.4.4.5 C 0 0 Root
* 701 192.168.152.0/24 tun.10 0.0.0.0 S 20 1 Root
* 727 10.4.4.27/32 eth0/0 10.4.4.27 C 0 0 Root
* 39 174.168.30.0/30 eth0/0 116.228.60.153 S 20 1 Root
* 718 10.4.4.23/32 eth0/0 10.4.4.23 C 0 0 Root
4 30.0.3.3/32 vlan1 0.0.0.0 H 0 0 Root
* 30 172.20.100.0/24 eth0/8 172.16.1.2 S 20 1 Root
* 2 116.228.60.158/32 eth0/0 0.0.0.0 H 0 0 Root
* 40 10.86.21.123/32 eth0/8 172.16.1.2 S 20 1 Root
* 1 116.228.60.152/29 eth0/0 0.0.0.0 C 0 0 Root
* 60 10.242.57.0/24 tun.22 0.0.0.0 S 20 1 Root
13 192.1.0.0/23 bgroup0/0 0.0.0.0 C 0 0 Root
56 192.168.168.0/24 tun.15 0.0.0.0 S 20 1 Root
19 172.16.3.0/24 tun.20 0.0.0.0 C 0 0 Root
5 172.16.2.0/24 eth0/3 0.0.0.0 C 0 0 Root
* 57 172.23.8.0/24 eth0/0 116.228.60.153 S 20 1 Root
* 608 172.16.201.57/32 null 0.0.0.0 S 20 1 Root


SSG140-> get route id 755
route in trust-vr:
------------------------------------------------
id: 755
IP address/mask: 114.114.114.114/32
next hop (gateway): 114.114.114.114
preference: 0
metric: 0
description:
outgoing interface: ethernet0/0
vsys name/id: Root/0
tag: 0
flag: 24000200/00100000
type: connected
Redistributed to:
status: active (for 5 minutes 30 seconds)


SSG140-> get config | in 114.114.114
set address "Untrust" "114.114.114.114/32" 114.114.114.114 255.255.255.255
set address "Untrust" "H114.114.114.114" 114.114.114.114 255.255.255.255
set user "chenqing" remote dns2 "114.114.114.114"
set user "chenyijun" remote dns2 "114.114.114.114"
set user "dengdelei" remote dns2 "114.114.114.114"
set user "duandongyang" remote dns2 "114.114.114.114"
set user "jiaqi" remote dns2 "114.114.114.114"
set user "lead01" remote dns1 "114.114.114.114"
set user "lead02" remote dns1 "114.114.114.114"
set user "lead04" remote ipaddr "114.114.114.114"
set user "panatest" remote dns2 "114.114.114.114"
set user "tangzhiyong" remote dns2 "114.114.114.114"
set user "user11" remote dns1 "114.114.114.114"
set user "wuminjie" remote dns2 "114.114.114.114"
set user "yinming" remote dns2 "114.114.114.114"
set user "zhangbin" remote dns2 "114.114.114.114"
set user "zhanghui" remote dns1 "114.114.114.114"
set user "zhouxu" remote dns2 "114.114.114.114"
set user "zhuxiaoxin" remote dns2 "114.114.114.114"
set user "zhuyunbo" remote dns2 "114.114.114.114"
set user "zx" remote dns2 "114.114.114.114"
SSG140->

Solution (accepted by topic author catalyst@juniper, 03-28-2017 03:09 AM)

Re: Juniper SSG Route issue

‎03-27-2017 07:43 PM

Hi,

1: I don't see any known bug in the release notes.

2: The route had been active for 5 minutes 30 seconds when you printed the output of get route id; can you please check 'get event' and 'get log sys' for the time when this route became active? This may indicate a trigger.

3: Can you configure route-deny on eth0/0 to see if this helps: set int eth0/0 route-deny

Thanks,

Vikas


Re: Juniper SSG Route issue

‎03-28-2017 03:02 AM

Hi,

I found the problem.

There is an L2TP user assigned an IP pool and a static IP at the same time (the static IP is 114.114.114.114), hhh...

So I guess this user's static IP is preferred if the L2TP tunnel is up, right?

Thanks very much!


Re: Juniper SSG Route issue

‎03-28-2017 07:04 AM

Yes, this could be the potential root cause of the issue. Probably L2TP is terminating on eth0/0, and 114.114.114.114 is a totally different IP than defined, so the firewall would be learning it as a connected route. It should be reproducible; you can check with the user and verify by reproducing.

Thanks,

Vikas
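A defender's check distilled from this thread, added here as an example and not part of any of the posts above: parse the `get route` and `get config` output, flag connected /32 routes on the WAN interface whose destination is a globally routable address (a dial-in client that came up bound to a public address, which then swallows all traffic for that Internet host), and attribute each finding to the `set user ... remote ipaddr` line that caused it. The sample input is constructed from the outputs posted above plus one made-up line (`set user "lead01" remote ipaddr "10.4.4.5"`) so the harmless private-address case is present too; the WAN interface name `eth0/0` is taken from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a trimmed copy of the `get route` output in the thread.
SAMPLE_GET_ROUTE = """\
IPv4 Dest-Routes for <trust-vr> (95 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
* 71 0.0.0.0/0 eth0/0 116.228.60.153 S 20 1 Root
* 755 114.114.114.114/32 eth0/0 114.114.114.114 C 0 0 Root
* 668 10.4.4.5/32 eth0/0 10.4.4.5 C 0 0 Root
* 2 116.228.60.158/32 eth0/0 0.0.0.0 H 0 0 Root
* 1 116.228.60.152/29 eth0/0 0.0.0.0 C 0 0 Root
* 17 1.1.1.0/30 tun.12 0.0.0.0 C 0 0 Root
"""

# Constructed sample: lines from `get config | in 114.114.114` in the thread,
# plus a made-up "lead01" line for the normal private-address case.
SAMPLE_GET_CONFIG = """\
set address "Untrust" "114.114.114.114/32" 114.114.114.114 255.255.255.255
set user "lead01" remote ipaddr "10.4.4.5"
set user "lead04" remote ipaddr "114.114.114.114"
set user "user11" remote dns1 "114.114.114.114"
"""

# One route row: optional '*' (active), id, prefix, interface, gateway,
# protocol flag(s), preference, metric and an optional Vsys column.
ROUTE_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>\S+)\s+(?P<pref>\d+)\s+(?P<metric>\d+)(?:\s+(?P<vsys>\S+))?\s*$"
)
REMOTE_IPADDR_RE = re.compile(r'^set user "(?P<user>[^"]+)" remote ipaddr "(?P<ip>[^"]+)"\s*$')


@dataclass
class Route:
    rid: int
    network: ipaddress.IPv4Network
    iface: str
    gateway: str
    proto: str
    active: bool


def parse_routes(text: str) -> List[Route]:
    """Parse the route rows of a ScreenOS `get route` dump, skipping header and legend lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # table header, legend or separator
        routes.append(Route(
            rid=int(m["id"]),
            network=ipaddress.ip_network(m["prefix"], strict=False),
            iface=m["iface"],
            gateway=m["gw"],
            proto=m["proto"],
            active=(m["active"] == "*"),
        ))
    return routes


def parse_remote_ipaddrs(config: str) -> Dict[str, str]:
    """Map each statically assigned remote client address to the user it is configured on."""
    owners = {}
    for line in config.splitlines():
        m = REMOTE_IPADDR_RE.match(line.strip())
        if m:
            owners[m["ip"]] = m["user"]
    return owners


def find_suspect_host_routes(routes: List[Route], wan_iface: str, owners: Dict[str, str]) -> List[dict]:
    """Flag connected /32 routes on the WAN interface whose destination is a public address.

    An L2TP client that is up appears as a connected host route whose gateway equals
    its own address. With a private address that is expected; with a globally
    routable address every packet for that Internet host is diverted into the tunnel.
    """
    findings = []
    for r in routes:
        if r.iface != wan_iface or r.proto != "C" or r.network.prefixlen != 32:
            continue
        host = r.network.network_address
        if str(host) != r.gateway:
            continue  # gateway is not the host itself, so not a dial-in client route
        if not host.is_global:
            continue  # private client address: normal L2TP behaviour
        findings.append({
            "id": r.rid,
            "ip": str(host),
            "user": owners.get(str(host), "<no matching remote ipaddr>"),
        })
    return findings


if __name__ == "__main__":
    owners = parse_remote_ipaddrs(SAMPLE_GET_CONFIG)
    for f in find_suspect_host_routes(parse_routes(SAMPLE_GET_ROUTE), "eth0/0", owners):
        print(f"route id {f['id']}: public host {f['ip']} learned as connected, user {f['user']}")
```

Run against live output, the same check also catches the OP's earlier route 748, which lacked a Vsys column, since that column is optional in the parser; only the private 10.4.4.x client routes that the firewall legitimately learns are left alone.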