Screen OS


SSG140: webUI, telnet, SSH fails, need to restart device

  • 1.  SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 06-04-2012 02:47

    I have a strange problem with a SSG140 in production use.

    The netscreen keeps working as expected, tunnels, routing, policies all work.

    But suddenly I can't login to the webUI or the CLI (telnet, SSH).

    I have the webui on port 8080, and the browser keeps connecting but the login screen doesn't show.

    Same goes for the SSH or telnet screen, they connect and cursor keeps blinking but no login screen shows.

    I can get in through the console cable. If I check the interface, manage-ip is correct and webui, telnet, ssh are enabled.

    I'm in the same subnet as the trust interface so no routing issues.

    Seems the UI somehow crashed.

    This has happened once before, and then we restarted the device and all was working again.

     

    Any known bug? Any idea how to solve this without restarting (is in production use)?

     

    Some information:

     

    ScreenOS version: 6.2.0r11.0

     

    Date 06/04/2012 11:31:27, Daylight Saving Time enabled
    The Network Time Protocol is Enabled
    Up 740 hours 1 minutes 58 seconds Since 04May2012:15:29:29
    Total Device Resets: 0

    System in NAT/route mode.

    Use interface IP, Config Port: 8080
    Manager IP enforced: False
    Manager IPs: 0

    Address                                  Mask                                     Vsys
    ---------------------------------------- ---------------------------------------- --------------------
    User Name: netscreen


    ...


    Interface ethernet0/1
      description ethernet0/1
      number 5, if_info 4040, if_index 0, mode nat
      link up, phy-link up/full-duplex
      status change:1, last change:05/04/2012 15:29:45
      vsys Root, zone Trust, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 0, operating mtu 1500, default mtu 1500
      *ip 10.*.*.254/16   mac **************
      *manage ip 10.*.*.254, *****************
      secondary subnet: 10.*.*.254/24
      route-deny disable
      bandwidth: physical 100000kbps, configured egress [gbw 100000kbps mbw 100000kbps]
                 configured ingress mbw 100000kbps, current bw 2081kbps
                 total allocated gbw 0kbps





    #webui
    #ssg140
    #offline
    #screenos
    #SSG
    #failure


  • 2.  RE: SSG140: webUI, telnet, SSH fails, need to restart device
    Best Answer

     
    Posted 06-04-2012 02:56

    Do you have syslog enabled on your firewall?

    If yes, then is the protocol selected as TCP?

    If yes, try changing it to UDP.

     

    Also please log in via console and in the following output see if sockets are getting full and not getting cleared:

     

    get socket

     



  • 3.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 06-04-2012 03:04

    Syslog is enabled, how do I disable this via CLI?

    get conf | inc syslog
    set syslog config "10.x.x.x"
    set syslog config "10.x.x.x" facilities local0 local0
    set syslog config "10.x.x.x" log traffic
    unset syslog config "10.x.x.x" log event
    set syslog enable

     

    Sockets:
    get socket
     Socket  Type   State      Remote IP         Port    Local IP         Port
          0  tcp     close      46.137.185.205   49296    81.x.x.x     2022
          1  tcp4/6  listen     ::                   0    ::               4443
          2  tcp4/6  listen     ::                   0    ::                 23
          4  tcp4/6  listen     ::                   0    ::               2022
         55  tcp     open       195.238.5.128       25    81.x.x.x    62262
         56  tcp     close      91.226.164.53    64860    77.x.x.x.     8080
         68  tcp     close      10.x.x.x         1471    10.x.x.x         23
        112  tcp     open       192.168.x.x   51972    10.x.x.254         23
        114  tcp     close      10.x.x.x         1440    10.x.x.254       2022
        118  tcp4/6  listen     ::                   0    ::               8080
        124  tcp     open       10.x.x.x         3802    10.x.x.254       8080
        256  udp     open       0.0.0.0              0    0.0.0.0             0
        257  udp     open       0.0.0.0              0    0.0.0.0             0
        258  udp     open       0.0.0.0              0    0.0.0.0             0
        259  udp4/6  open       ::                   0    ::                500
        260  udp4/6  open       ::                   0    ::               4500
        261  udp4/6  open       ::                   0    ::                500
        262  udp4/6  open       ::                   0    ::               4500
        263  udp4/6  open       ::                   0    ::                123
        264  udp     open       0.0.0.0              0    0.0.0.0           161
        266  udp     open       0.0.0.0              0    0.0.0.0             0
        267  udp     open       0.0.0.0              0    0.0.0.0             0
        269  udp     open       0.0.0.0              0    0.0.0.0             0

    Raw IP sockets:
     Socket  Type   Remote IP         Local IP         Protocol
        512  raw     0.0.0.0           0.0.0.0          01h
        514  raw     0.0.0.0           0.0.0.0          01h

    Raw packet sockets:
     Socket  Type   Remote Mac    Local Mac    Protocol
        513  eth     000000000000  000000000000 0806h

    It seems sockets stay open.

    Can I somehow force this closed?

     



  • 4.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

     
    Posted 06-04-2012 03:47

    I see from the syslog config that you have not enabled TCP as transport protocol, so that is fine.

     

    Have you taken this socket output at the time of issue?

     

    You can clear the sockets by the following command:

     

    clear socket id <>



  • 5.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 06-04-2012 04:22

    Yes the socket list is current and the problem is still present.

    If I try to clear socket id 0 the command is accepted but the socket remains in the list.

    Same for 56,68,114

     

    If I change the SSH port to a different value, the socket remains the same with the old port number.



  • 6.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 06-04-2012 04:37

    Clearing socket ID 55 (SMTP VIP) was the solution.

     

    Very strange.

     

    Thanks for pointing me in the right direction.

     

    edit: We have also disabled SNMP for now, since that was put in use recently.
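
A way to triage the `get socket` output discussed in this thread, as an added example that is not part of any post and not Juniper code: it parses the table and separates `close` entries lingering on listening (management) ports from other TCP sessions. The sample rows and addresses are constructed, and the category names `mgmt_stuck`, `mgmt_active` and `other` are hypothetical labels.

```python
import re
# Constructed sample in the layout of the `get socket` output posted above
# (addresses are documentation ranges, not values from the thread).
SAMPLE = """\
 Socket  Type   State      Remote IP         Port    Local IP         Port
      0  tcp     close      198.51.100.7     49296    192.0.2.1        2022
      2  tcp4/6  listen     ::                   0    ::                 23
      4  tcp4/6  listen     ::                   0    ::               2022
     55  tcp     open       203.0.113.25        25    192.0.2.1       62262
     68  tcp     close      10.0.0.5          1471    10.0.0.254         23
    112  tcp     open       10.0.0.9         51972    10.0.0.254         23
    118  tcp4/6  listen     ::                   0    ::               8080
    264  udp     open       0.0.0.0              0    0.0.0.0           161
"""

ROW = re.compile(r"^\s*(\d+)\s+tcp\S*\s+(\w+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_sockets(text):
    """Return TCP rows as dicts; header, UDP and raw rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sid, state, rip, rport, lip, lport = m.groups()
            rows.append({"id": int(sid), "state": state, "remote": rip,
                         "rport": int(rport), "local": lip, "lport": int(lport)})
    return rows

def triage(rows):
    """Split non-listening TCP sockets by whether they sit on a listening port."""
    listening = {r["lport"] for r in rows if r["state"] == "listen"}
    report = {"mgmt_stuck": [], "mgmt_active": [], "other": []}
    for r in rows:
        if r["state"] == "listen":
            continue
        if r["lport"] not in listening:
            key = "other"        # e.g. the session to remote port 25 (socket 55)
        elif r["state"] == "close":
            key = "mgmt_stuck"   # 'close' entry lingering on a management port
        else:
            key = "mgmt_active"
        report[key].append(r["id"])
    return listening, report

if __name__ == "__main__":
    ports, report = triage(parse_sockets(SAMPLE))
    print("listening ports:", sorted(ports))
    for key, ids in report.items():
        print(f"{key}: {ids}")
```

Running it against console captures taken a few minutes apart shows which `mgmt_stuck` IDs persist, which is the condition described in posts 3 and 5.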



  • 7.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 07-24-2012 06:08

    SNMP still disabled, but it has happened 2 more times since.

    Could this be a firmware bug?

    Will try to update the firmware when possible.



  • 8.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 07-24-2012 07:15

    Hi,

     

    Can you still ping the firewall when you can't log in?

    Anything in the alarm event log when you log in with the console? get alarm event or get event that give you an indication of what is happening?

     




  • 9.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 11-27-2012 10:10

    Did this issue ever get resolved?  This exact issue has shown up on most of my firewalls since 11/5.



  • 10.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 11-28-2012 00:35

    The firmware is still 6.2.0r11, the issue went away. I do remember checking and changing the SMTP VIP and policy.

     

    Sorry I can't be of more help.

     



  • 11.  RE: SSG140: webUI, telnet, SSH fails, need to restart device

    Posted 11-28-2012 08:49

    I may have found the issue.  We set up a Fluke sniffer on our network but did not set up the community strings on the firewalls. It may be an SNMP issue. We are running older firmware, 6.1.0.r6. This issue has not shown up on any of our older NS-25, NS-50s. One SSG-140 has not had an issue. It is running firmware 6.2.0r5.  I shut down the Fluke this morning and I'm in the process of resetting several firewalls. I'll know in about a week if this was the problem. We are going to upgrade all of the firewalls to 6.3.0r12 over the holidays. Thanks for your help!