ScreenOS Firewalls (NOT SRX)

Routing in SSG320

06-11-2008 02:07 AM

Hi all,

I need some help with a routing issue in our new SSG320 (6.0.0.r5.0); all interfaces are in route mode. My setup is as follows: I have multiple WAN links coming in on 2 routers in the same zone as the SSG trust interface. If a server in the trust zone has the SSG as its default GW, then a client behind one of the WAN links is unable to create a session to the server (ping, traceroute etc. work fine); if I change the default route on that server to one of the other routers, everything works fine. I have specified all my networks in the SSG (addresses) and I have added the routes to the SSG with the correct gateway; it doesn't matter as far as I can see. The strange thing is that with our old firewall (NetScreen 204 v5.2.0r1.0) this setup worked fine. Does anybody have any idea?

Best regards

Lennart Johansson

8 REPLIES
Re: Routing in SSG320

06-11-2008 02:30 AM

Hi Lelle,

If I understand correctly, the traffic is within the Trust zone? Have you checked if perhaps you have intra-zone blocking turned on?

A quick way to see what is happening to the traffic when it reaches the firewall is to do a "debug flow basic" with filters if necessary (set ffilter).

Hope this helps,

Nadia

Re: Routing in SSG320

06-11-2008 04:03 AM

Block intra-zone traffic is not enabled on the interface nor in the zone. debug tcp basic gives:

Where the client has 10.3.1.163 and the server has 10.1.5.107, and I'm trying to use RDP (TCP 3389).

Any suggestions?

Best regards

Lelle

Re: Routing in SSG320

06-11-2008 04:22 AM

Sorry for my last post, I didn't notice how much I pasted in. But here is some debug output.

Now I'm trying to RDP to 10.1.5.107 and this is what is getting caught in my filter:

**** jump to packet:10.3.1.163->10.1.5.107
  skipping pre-frag
  no more encapping needed
  send out through normal path.
  flow_ip_send: d941:10.3.1.163->10.1.5.107,6 => ethernet0/0(40) flag 0x0, vlan 0
  no l2info for packet.
  no route for packet
  search route to (null, 0.0.0.0->10.1.5.107) in vr trust-vr for vsd-0/flag-2000/ifp-ethernet0/0
  [ Dest] 32.route 10.1.5.107->10.1.5.107, to ethernet0/0
  route to 10.1.5.107
  arp entry found for 10.1.5.107 mac 0019bb253ca5
  **** pak processing end.
  packet dropped, first pak not sync
 ******************************END DEBUG**************

I have disabled "If TCP non SYN, send RESET back" in the trust zone; it didn't help.

Best regards

Lelle

Re: Routing in SSG320

06-11-2008 04:50 AM

Hi,

Can you explain your topology more clearly to me?

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Solution
Accepted by topic author Lelle
08-26-2015 01:27 AM

Re: Routing in SSG320

06-11-2008 04:55 AM

Looking at your last debug, the message "packet dropped, first pak not sync" refers to the fact that the first packet received for this TCP session is not a SYN packet, so it is getting dropped.

Do you have the following command in your configuration: "set flow tcp-syn-check"?

Thanks,

Nadia

Re: Routing in SSG320

[ Edited ]
06-11-2008 12:46 PM

That did the trick, thanks a lot for your time, help and effort.

Best regards

(from a much happier)

Lennart Johansson

Message Edited by Lelle on 06-11-2008 12:48 PM

Re: Routing in SSG320

08-13-2008 07:20 AM

Hi Nadia,

Is there another way to solve this problem besides unset flow tcp-syn-check? How do I explain this problem to the user?

Software issue?

Thanks

Regards,

Steven Hoo

Re: Routing in SSG320

03-08-2009 08:24 AM

I want to know why the first packet received for this TCP session is not a SYN packet.

Could anybody explain it?

Thanks!
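The last two questions in the thread (why the first packet the SSG sees is not a SYN, and what unsetting flow tcp-syn-check changes) both come down to the asymmetric path described in the first post. The following is an added Python model written for this page, not ScreenOS code or anything posted by the participants; it uses the client and server addresses from the debug output and assumes a client source port of 1998.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


class FlowEngine:
    """Toy stateful flow engine (modelled on the thread, not ScreenOS code).
    A session is keyed by its 5-tuple in either direction; tcp_syn_check mimics
    'set flow tcp-syn-check': a session may only be created by a pure SYN."""

    def __init__(self, tcp_syn_check=True):
        self.tcp_syn_check = tcp_syn_check
        self.sessions = set()

    @staticmethod
    def key(p):
        # direction-independent key so the reply matches the original session
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p):
        if self.key(p) in self.sessions:
            return "existing session found"
        if self.tcp_syn_check and p.flags != frozenset({"SYN"}):
            return "packet dropped, first pak not sync"
        self.sessions.add(self.key(p))
        return "session created"


CLIENT, SERVER, RDP = "10.3.1.163", "10.1.5.107", 3389  # hosts from the thread


def handshake_verdicts(path, tcp_syn_check=True):
    """Verdicts for the packets the SSG receives during the RDP handshake.
    'symmetric':  both directions cross the firewall.
    'asymmetric': the client's SYN enters via the second router (same Trust
                  zone), so only the server's reply, sent to its default
                  gateway (the SSG), reaches the firewall.
    'bypass':     the server's default gateway is the other router; the SSG
                  sees nothing (the working case from the first post)."""
    fw = FlowEngine(tcp_syn_check)
    syn = Packet(CLIENT, SERVER, 1998, RDP, frozenset({"SYN"}))     # assumed port
    synack = Packet(SERVER, CLIENT, RDP, 1998, frozenset({"SYN", "ACK"}))
    seen = {"symmetric": [syn, synack], "asymmetric": [synack], "bypass": []}[path]
    return [fw.handle(p) for p in seen]
```

The model makes the trade-off in the accepted answer visible: with the check unset the SSG builds a session from a mid-stream SYN-ACK it never saw the SYN for, whereas pointing the server's default route at the router the client came through (the other working case in the first post) keeps the path symmetric and the check on.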