ScreenOS Firewalls (NOT SRX)

Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 01:30 AM

First prize to anyone who can give any advice on this problem.

 

I have a typical Untrust/DMZ/Trust network setup, currently using two Netscreen 50s. Last night, we attempted to replace them with two SSG-140s.

 

Everything went perfectly until about 30 minutes after cutting the SSG-140s in. At that point, all traffic to and from the Untrust zone ceased. There were no alarms, failover events or problems reported on any of our switches or routers.

 

A reboot returned the firewalls to service, but the same problem occurred again in a near-identical time span. As a result, we rolled back.

 

Has anyone seen a similar problem to this in the past?

9 REPLIES

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 04:35 PM
ScreenOS 6.0R5?

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 06:06 PM
Yes - ScreenOS 6.0.0r5.

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 06:19 PM

I had a similar problem with ScreenOS 5.4.r8 on the SSG140. There was a software bug in the network driver of the SSG140.

The issue was solved with the 5.0.r10.

 

Do you see any dump files with the get file command? If yes, open a case and try a downgrade with 5.4.r10.

Message Edited by sylvain on 05-29-2008 06:21 PM

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 06:49 PM

There's a known bug in 6.0R5 with lockups on SSG5/SSG20, though this is the first I've heard on an SSG-140.

 

Here's the thread...

 

http://www.juniperforum.com/index.php/topic,6478.0.html

 

Message Edited by alan on 05-29-2008 08:41 PM

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 07:41 PM

I just checked, and we have had reports on the SSG-5, SSG-20, and SSG-140.

 

Refer to this posting for the work-around:

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=1103

 

Kind regards,

Josine 


Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-29-2008 08:28 PM
So what's First Prize? :)

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎05-31-2008 07:11 AM
What are the duplex settings on the interfaces?  Are they auto-auto, 100/full-100/full, or is one side auto, the other side hard-coded?  Try matching the duplex settings on all interface matchings to the switch, and see if the problem disappears.

Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎06-04-2008 11:38 PM

We'd love to use a work-around here, but we can't.


We use the redundant interfaces feature of the SSG-140, and there's no way of altering physical properties for the redundant interface itself or its member interfaces.

 


Re: Untrust connectivity ceases after 30 - 45 minutes on SSG-140

‎06-05-2008 07:29 AM

I also cannot hard-code - the interface goes to a metro-ethernet from the ISP.

 

There is fixed code available from JTAC.

 

I cannot believe Juniper doesn't make this readily available as well as publishing this showstopper bug.