ScreenOS Firewalls (NOT SRX)

unable to ping/ssh slave ssg firewall through vpn

‎09-10-2018 07:29 AM

Hi All,

I have a Netscreen 140 active-slave setup. I am able to ping both firewalls' management IP addresses from each other and from the internal switches and other devices.

We have a site-to-site VPN with another vendor, from which they are unable to ping/ssh/do anything to the slave firewall. When they access any of our internal devices, everything works fine from there.

After troubleshooting I found that when they try to access the slave device (I turned on debug and analysed get db stream and get event), an IP spoof log is generated for each connection request.

When the remote PC starts a ping, the SSG records the IP as 171.7x.13x.30.

Routes:

set route 171.7x.13x.0/24 gateway 172.23.25.10
set route 171.7x.13x.128/25 interface tunnel.3
set route 171.7x.13x.0/24 interface tunnel.3 preference 5 description "newtun"

Could someone assist me with how to fix this?

Attached is part of the debug and get event logs.

 

regards

Rajesh


Re: unable to ping/ssh slave ssg firewall through vpn

‎09-10-2018 03:58 PM

I don't think I understand the network topology. But the problem appears to be asymmetrical routing.

****** 20950878.0: <Trust/redundant1> packet received [60]******
  ipid = 6675(1a13), @1d6f7114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  redundant1:171.7x.13x.30/5331->172.23.25.11/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <redundant1>, out <N/A>
  [ Dest] 10684.route 171.7x.13x.30->0.0.0.0, to tunnel.3
  packet dropped, drop by spoofing check.

This shows the packet arriving on the redundant1 interface, but the route for the IP address points to the tunnel.3 interface.

So the SSG assumes the route is correct and therefore that the IP address is a spoof and not from the real source.

You will need to eliminate the asymmetrical routing and have the return path be the same as the ingress to no longer hit that filter.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: unable to ping/ssh slave ssg firewall through vpn

‎09-11-2018 06:26 AM

Thank you so much for your reply.

Here is the configuration and setup:

set interface "tunnel.3" zone "Trust"
set interface tunnel.3 ip 13x.14x.3x.1/24
set vpn "AOX-MSX-ISG" id 0x11 bind interface tunnel.3
unset interface tunnel.3 acvpn-dynamic-routing
set route 17x.7x.13x.12x/25 interface tunnel.3
set route 17x.7x.13x.0/24 interface tunnel.3 preference 5 description "route"


Re: unable to ping/ssh slave ssg firewall through vpn

‎09-11-2018 11:17 PM

Rajesh,

VPN traffic will be processed on the Master first and then the cleartext will hit the backup. For a better understanding of what is going on, collect the debugs simultaneously on both firewalls.

Most likely the master is injecting the packet after route lookup into the Trust network, as expected.

 

NAT-ing this traffic on the master and/or enabling 'mac-cache mgt' will get this working.

Regards,
Gokul

Re: unable to ping/ssh slave ssg firewall through vpn

‎09-12-2018 02:54 AM

As Gokul mentions, a NAT rule may take care of the asymmetrical routing, but to be sure exactly what is happening and why, a diagram would be helpful.

Clearly from the spoof report your traffic is coming in on one interface while the route on the device is pointing to a different one. So that is the issue that needs to be resolved.

 

We can change the return route to match the ingress.

Or change the forwarding route on the previous device so that it comes in on the expected interface.

Or source NAT the traffic on the previous device so that the return address matches a route pointing to the ingress interface.

 

Any of these actions will clear the spoofing report.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
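The spoof verdict in the debug output above, and the two route-side fixes Steve lists, come down to one rule: the best route back to the packet's source must leave on the interface the packet arrived on. The following Python model is an added example, not code from the thread or from Juniper; it reproduces the "drop by spoofing check" decision with a small route table shaped like Rajesh's (RFC 5737 documentation addresses stand in for the masked 171.7x.13x.x range, and the 172.23.25.x addresses are the ones quoted in the thread). The lookup order (longest prefix, then lower preference value wins, static default 20) and the assumption that the gateway route exits via redundant1 are modelling assumptions, not verified ScreenOS internals.

```python
"""Model of the reverse-path (spoof) check behind "drop by spoofing check".

Constructed example: addresses are RFC 5737 documentation ranges plus the
172.23.25.x addresses quoted in the thread. Lookup order is an assumption:
longest prefix first, then the route with the lower preference value wins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    preference: int = 20  # assumed default preference for a static route


def best_route(routes, addr):
    """Longest-prefix match; among equal prefix lengths, lowest preference wins."""
    addr = ipaddress.ip_address(addr)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def spoof_check(routes, src, ingress_if):
    """Return (passed, reason): the route back to the source must use the
    interface the packet arrived on, otherwise the packet is a suspected spoof."""
    route = best_route(routes, src)
    if route is None:
        return False, f"no route to source {src}"
    if route.interface != ingress_if:
        return False, (f"route to {src} is {route.prefix} via {route.interface}, "
                       f"but packet arrived on {ingress_if}")
    return True, f"route to {src} via {route.interface} matches ingress"


def net(s):
    return ipaddress.ip_network(s)


REMOTE_HOST = "203.0.113.30"  # stands in for the masked 171.7x.13x.30

# Route table with the same shape as the 'set route' lines in the thread (constructed).
AS_REPORTED = [
    Route(net("172.23.25.0/24"), "redundant1"),               # connected Trust segment (assumed)
    Route(net("203.0.113.0/24"), "redundant1"),               # 'gateway 172.23.25.10' (assumed on redundant1)
    Route(net("203.0.113.128/25"), "tunnel.3"),               # 'interface tunnel.3'
    Route(net("203.0.113.0/24"), "tunnel.3", preference=5),   # 'interface tunnel.3 preference 5'
]


def scenario_as_reported():
    # Cleartext forwarded by the master arrives on redundant1, but the preferred
    # route for the source is the /24 via tunnel.3, so the check drops it.
    return spoof_check(AS_REPORTED, REMOTE_HOST, "redundant1")


def scenario_return_route_fixed():
    # Fix 1: make the return route match the ingress with a more specific route
    # for the remote host pointing back out of redundant1.
    routes = AS_REPORTED + [Route(net("203.0.113.30/32"), "redundant1")]
    return spoof_check(routes, REMOTE_HOST, "redundant1")


def scenario_source_nat():
    # Fix 2: the previous hop (the master) source-NATs the VPN traffic to its own
    # Trust address, so the backup sees a source whose route is via redundant1.
    nat_source = "172.23.25.10"
    return spoof_check(AS_REPORTED, nat_source, "redundant1")


if __name__ == "__main__":
    for name, fn in [("as reported", scenario_as_reported),
                     ("host route via ingress", scenario_return_route_fixed),
                     ("source NAT on master", scenario_source_nat)]:
        ok, why = fn()
        print(f"{name:24s} {'PASS' if ok else 'DROP'}  ({why})")
```

Running it shows the reported case dropped because the preference 5 route to tunnel.3 beats the gateway route for the same /24, while either a more specific return route via the ingress interface or a NATed source address satisfies the check. Routes for the 203.0.113.128/25 half still resolve to tunnel.3, so traffic that really does arrive through the VPN is unaffected by the host route.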

Re: unable to ping/ssh slave ssg firewall through vpn

‎09-12-2018 03:02 AM

This article should give you a fair idea about the mac-cache function; the setup is pretty similar to what you are trying to achieve:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB17664&actp=METADATA

A combination of NAT and mac-cache will yield the expected results.

Regards,
Gokul