Screen OS

  • 1.  ssg debug explanation

    Posted 06-18-2018 05:00

    Hi,
    I am able to ping this destination over VPN; the VPN is configured on my SSG firewall.
    I would like to understand the debug analysis: after the packet goes out eth3/3, I do not see the message that says the reply has come in on the same interface and gone out. Could someone give me a debug analysis?
    This would be a one-time explanation that can be used for future reference.

    Thank you.

    source > 171.74.126.8
    destination > 146.147.28.46 (NAT IP 10.154.8.125)

    I ran the debug below to understand the packet flow in NetScreen.


    set console dbuf
    set db size 4096
    get ffilter
    set ffilter dst-ip 146.147.28.46
    clear dbuf
    debug flow basic

    SSG550(M)-> get ffilter
    Flow filter based on:
    id:0 dst ip 146.147.28.46
    id:1 src ip 146.147.28.46


    This is the simple setup we have.
    servers----------inside------|-------outside--------
    --------------------eth3/3-<FW>-eth3/0--------------
    ---10.0.4.1------10.0.4.7----|-----132.190.53.10----

    I always get the log line below, but I'm not seeing the packet coming back, kind of... 🙂

    packet send out to 001b17000111 through ethernet3/3

    regards

    Rajesh

    Attachment: supportforums_debug.txt (11 KB)


  • 2.  RE: ssg debug explanation

    Posted 06-18-2018 06:05

    Hello,

    Try adding a filter for source IP 10.154.8.125 as well.
    This should show you the reply packet too, coming in on eth3/3 and going to the tunnel interface.

    Regards,
    Rushi



  • 3.  RE: ssg debug explanation

    Posted 06-18-2018 08:16

    Thank you. Now I do see some clearer details...

    So, what is the practice for making the filter?

    Always with the destination as the NAT IP and the source as the private IP?

    Are there any useful areas in the debugs to note during such connectivity cases, from the attached txt?

    Or would you like to mention anything within the txt file? 🙂

    Thank you.

    Attachment: supportforums_debug1.txt (15 KB)


  • 4.  RE: ssg debug explanation

    Posted 06-18-2018 08:18

    src: 171.74.126.8
    dst: 146.147.28.46 (NAT IP) / 10.154.8.125 (private IP)
    fw inside LAN's g/w: 10.0.4.1
    remote gw: 198.142.2.4
    fw eth3/0: 132.190.53.10



  • 5.  RE: ssg debug explanation
    Best Answer

    Posted 06-19-2018 00:31

    Hello,

    In cases of NAT, we can use 4 filters:

    Source + NATed IP as destination
    Source + real IP as destination
    and the opposite context of the above two filters.

    The link below gives a nice explanation of the same.

    https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch01s03.html

    Regards,
    Rushi
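The four-filter approach from the best answer, and the "did the reply ever arrive on eth3/3" question from the original post, as an added example that is not part of the thread or of any Juniper tool: a small Python helper that (1) emits the four `set ffilter` lines for a NATed destination and (2) splits a `debug flow basic` buffer into per-packet entries (ingress interface, pre-NAT addresses, post-translation addresses, egress interface) so the missing reply direction stands out instead of being read line by line. The sample dbuf below is constructed for this example and only loosely modelled on ScreenOS output; the regular expressions are written against that sample and are an assumption about the real line formats, so adjust them to what your own `get dbuf stream` shows.

```python
"""Added example: parse a ScreenOS 'debug flow basic' buffer and build the
four NAT flow filters.  Sample data is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FlowEntry:
    """One 'packet received' block from the debug buffer."""
    timestamp: str
    in_ifc: str                      # interface the packet arrived on
    src: Optional[str] = None        # addresses as seen on ingress (pre-NAT)
    dst: Optional[str] = None
    proto: Optional[str] = None
    xlate_src: Optional[str] = None  # addresses after 'post addr xlation'
    xlate_dst: Optional[str] = None
    out_ifc: Optional[str] = None    # egress interface; None if never sent


IP = r"\d+(?:\.\d+){3}"
# Assumed line shapes, written against the constructed sample further down.
HEADER = re.compile(r"^\*+\s*(?P<ts>[\d.]+):\s*<[^/>]+/(?P<ifc>[^>]+)>\s*packet received")
TUPLE = re.compile(rf"^\S+:(?P<src>{IP})/\d+->(?P<dst>{IP})/\d+,(?P<proto>\d+)")
XLATE = re.compile(rf"^post addr xlation:\s*(?P<src>{IP})->(?P<dst>{IP})")
SENT = re.compile(r"^packet send out to [0-9a-fA-F]+ through (?P<ifc>\S+)")


def parse_dbuf(text: str) -> List[FlowEntry]:
    """Group dbuf lines into FlowEntry objects, one per 'packet received'."""
    entries: List[FlowEntry] = []
    cur: Optional[FlowEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            cur = FlowEntry(timestamp=m["ts"], in_ifc=m["ifc"])
            entries.append(cur)
        elif cur is None:
            continue                      # noise before the first header
        elif (m := TUPLE.match(line)):
            cur.src, cur.dst, cur.proto = m["src"], m["dst"], m["proto"]
        elif (m := XLATE.match(line)):
            cur.xlate_src, cur.xlate_dst = m["src"], m["dst"]
        elif (m := SENT.match(line)):
            cur.out_ifc = m["ifc"]
    return entries


def nat_flow_filters(client_ip: str, real_ip: str, nat_ip: str) -> List[str]:
    """The four ffilter lines from the best answer: client<->NAT IP and
    client<->real IP, each in both directions.  Conditions on one line are
    ANDed; separate 'set ffilter' ids are ORed."""
    return [
        f"set ffilter src-ip {client_ip} dst-ip {nat_ip}",
        f"set ffilter src-ip {client_ip} dst-ip {real_ip}",
        f"set ffilter src-ip {nat_ip} dst-ip {client_ip}",
        f"set ffilter src-ip {real_ip} dst-ip {client_ip}",
    ]


def replies_seen(entries: List[FlowEntry], client_ip: str,
                 real_ip: str, inside_ifc: str) -> List[FlowEntry]:
    """Entries that are the server's reply entering on the inside interface.
    On ingress the reply still carries the server's real/private address,
    which is why a filter on the NAT IP alone never matches it."""
    return [e for e in entries
            if e.in_ifc == inside_ifc and e.src == real_ip and e.dst == client_ip]


def summarize(entries: List[FlowEntry]) -> List[str]:
    """One human-readable line per entry: ingress, 5-tuple, NAT, egress."""
    return [f"{e.in_ifc} {e.src}->{e.dst} proto {e.proto}"
            + (f" xlate {e.xlate_src}->{e.xlate_dst}" if e.xlate_src else "")
            + (f" out {e.out_ifc}" if e.out_ifc else " (no egress line)")
            for e in entries]


# Constructed sample: an ICMP echo request from the VPN peer to the NAT IP,
# followed by the server's reply arriving on the inside interface.
SAMPLE_DBUF = """\
****** 412233.0: <Untrust/ethernet3/0> packet received [60]******
  ipid = 20002(4e22), @d38a2b10
  packet passed sanity check.
  ethernet3/0:171.74.126.8/4242->146.147.28.46/2048,1(8/0)<Root>
  existing session found. sess token 8
  post addr xlation: 171.74.126.8->10.154.8.125.
  packet send out to 001b17000111 through ethernet3/3
****** 412233.0: <Trust/ethernet3/3> packet received [60]******
  ipid = 31337(7a69), @d38a2c40
  packet passed sanity check.
  ethernet3/3:10.154.8.125/4242->171.74.126.8/0,1(0/0)<Root>
  existing session found. sess token 8
  post addr xlation: 146.147.28.46->171.74.126.8.
  going into tunnel 40000001.
  packet send out to 0010db000222 through ethernet3/0
"""

if __name__ == "__main__":
    print("\n".join(nat_flow_filters("171.74.126.8", "10.154.8.125", "146.147.28.46")))
    parsed = parse_dbuf(SAMPLE_DBUF)
    print("\n".join(summarize(parsed)))
    print("replies seen on eth3/3:",
          len(replies_seen(parsed, "171.74.126.8", "10.154.8.125", "ethernet3/3")))
```

If `replies_seen` comes back empty on a real capture taken with all four filters loaded, the reply never reached eth3/3 (server routing or host firewall); if it is non-empty but `out_ifc` is `None`, the firewall received the reply and dropped it, and the lines between the tuple and the end of that entry say why.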