Channel: ScreenOS Firewalls (NOT SRX) topics

DDNS with HTTPS


Hello,

 

I use an SSG5 with firmware 6.3.0R23.

 

It is not possible to connect to my DDNS service with HTTPS.

I get the error message:

 

DDNS: connect error

socket creation failed

 

The root and intermediate certificates are imported.

The connection with HTTP works.

 

Regards...

 


SSG 140 transparent network between multiple VPN subnets


 

Hi Experts,

 

I have some problems setting up my SSG140 to do what I want it to do. I would appreciate it if someone could contribute some knowledge and expertise.

 

Current setup:

Server_A - Interface1 192.168.240.1/29

 

-----------------------

SSG140

-----------------------

Multiple VPN clients linked to Server_A

-----------------------

 

Sub1 10.10.1.0/24 tunnel1

Sub2 10.10.2.0/24 tunnel1

Sub3 10.10.3.0/24 tunnel1

Sub4 10.10.4.0/24 tunnel1

Sub5 10.10.5.0/24 tunnel1

...

SubX 10.x.x.0/24

 

Objective:

Open a transparent network between subnets, i.e. communication between 10.10.1.0/24 and 10.10.4.0/24.

Preferably a configuration that allows any traffic within the same tunnel, but if individual configuration is needed then that is also fine.

 

If anything is unclear please let me know and I'll try to clarify (not an expert on this). 

 

Thanks!

 

Forward public ip to device directly attached to ssg interface


Greetings to all the experts.

I am self-taught and not much of a NetScreen expert.

 

I have one ISP router (A), one SSG140 and another provider's router (B).

 

I need to assign 1 public IP to router (B), which is directly connected to interface X of my SSG.
Traffic to and from this public IP goes through the provider router (A) connected to interface Y of the SSG.
These are the steps:
ISP router (A) > interface Y SSG (n public IPs) > interface X SSG > router (B, one public IP)
Router B must manage a VPN (for this it must have a public IP): I cannot use the SSG NAT functions.

The solution proposed by the provider of router B requires the use of a switch in front of the SSG140:
traffic to the public IP assigned to router B would be handled directly without going through the SSG.
I do not like this solution and I'd like to handle it with the SSG interfaces, but I have no idea how to do it.


Sorry for my bad English (I used Google Translate...)

Thank you

Wildcard SSL cert installation on SSG140


Hi;

 

I have an SSG 140 appliance, and I installed a wildcard SSL cert (.cer) file on my SSG 140.

 

1. How can I make it the default SSL cert whenever I enter https://myfirewall.company.com? I see my cert in the CA group, not in the LOCAL group; based on my research, my cert should be in the LOCAL group, and only root or intermediate certs should be loaded into the CA group.

 

2. Using this cert as my SSL VPN cert.

 

I can see my certificate loaded on the appliance, but when I enter https://myfirewall.company.com, I find that it is using the self-signed cert only.

 

Also, I have a site-to-site VPN; if I make my wildcard SSL cert active, would it break my site-to-site link?

 

Please help me solve this issue.

Can I use RADIUS on Windows 2012R2 for Juniper SSG140?


Hello;

 

Instead of using LDAP, can I use the RADIUS setting on a Juniper SSG140 to authenticate my SSL VPN users against Active Directory on Windows 2012R2? Can anyone direct me to the right place to find the answer?

 

1. I want to set up an SSL VPN for remote users who can access my local resources via Windows AD authentication.

 

Thanks!

How to force SSG FW to generate SHA-256 cert


Can anyone point me to the process, either via the CLI or from the GUI (not NSM), to generate a CSR for an SSG/ScreenOS firewall that uses the SHA-256 algorithm?

 

Thanks

VOIP traffic


Dears,

 

I would appreciate your help with my case:

 

I have a remote public IP for a call manager. I need to grant the PCs on my LAN access to it, so I have added a route and a policy to allow access to that IP. Once I configured it on a softphone on one of the LAN PCs, it got connected for a while, then it started to flap between connected and disconnected. SIP ALG is enabled on my firewall (SSG350), and the public IP is reachable without any issue. I've been informed that the RTP traffic is not reaching the call manager at the remote site, while I am allowing ANY ports towards that IP.

 

Could you please share your experience with me so I can troubleshoot the problem?

 

Thanks in advance

occasional problem


Hello everyone,

I have a customer who has 2 pairs of ISG1000 in clusters acting as front end and back end for a very big company.

This summer I got a problem on the back end, and 20 days ago I got the exact same problem on the front end, and I don't know how to prevent it from happening again, because an outage for this customer is really bad.

 

Anyway, here's the problem:

- we start in a condition in which the firewalls are operating normally

- suddenly the number of sessions increases a lot (from 30% of max to 90-100% of max capacity)

- traffic remains the same

- studying the logs I found that the timeout on the primary node for every session is 14x the normal timeout, so the primary node is using the backup timeout

- the firewall is ignoring TCP FIN

In this condition the sessions do not close, so at some point traffic slows down until it stops, because the firewall cannot provide new sessions.

 

JTAC already got every log I can provide: logs, tech support, dumps etc.

BUT they cannot tell whether it is a hardware or a software problem without seeing the problem live, and obviously I cannot reproduce the outage intentionally.

 

Have you ever had this problem? Does anyone have any ideas?

Thanks a lot :)

 

Andrea

 

PS: the firewalls are ISG1000 with 6.3r21


Where can I find the system logging severity level for each trap message on ScreenOS


I would like to know where I can find the system logging severity level for each trap message on ScreenOS.

 

The following hyperlink describes trap types for ScreenOS: https://kb.juniper.net/InfoCenter/index?page=content&id=KB7990&actp=search

 

But I am not clear which ones are Critical, Alert, or Emergency. I just know SNMP will only alert on Critical, Alert, and Emergency level messages.

 

For JunOS, I can find them at http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/juniper-specific-snmp-v2-traps-junos-nm.html

 

From the above link I know that jnxPowerSupplyFailure is Alert and jnxFanFailure is Critical.

 

For ScreenOS, where can I find the above information?

 

Thanks in advance!

Cisco's call-home analog in JunOS/Netscreen OS?


Hello All,

 

I was checking whether there is a possibility to enable automated reporting to JTAC in case any crucial events occur in the appliance, and it seems like there is no such possibility.

 

Can you point me in a direction where I can obtain any knowledge on whether such a thing is possible and how to configure it?

 

Thanks in advance.

SSG140 Different Interface Routing and VLANs


Hello,

 

I have had a couple of SSG140s running 6.2.0r8.0 for a couple of years in a simple configuration; however, I need to change this. I am not a CLI guru at all and manage to do everything I need via the WebGUI, so help using this method would be preferable if at all possible, thank you. Any help from experts would be appreciated. I am sure that what I want to accomplish is not that difficult; however, I have not managed to do it successfully myself. The example of what I want to do follows, with changed IP addresses. This is working from a completely factory-reset SSG140 to make it easier.

 

Our data center provider has installed a router, and it has 2 interfaces. Interface 1 is for general internet access; setting this up is simple and it works fine. Interface 2 is for accessing servers at their data center, and this is what I am battling with.

 

ethernet0/0 - trust - 192.168.100.0/24
ethernet0/2 - untrust - 150.250.120.170/29

 

The above works for internet access with the additional minimal configuration that was required.

 

I have been told by the data centre IT to connect the second cable, from their router interface 2 to a spare port on the SSG, which I have done to ethernet0/4.

 

Their brief instructions:

 

- To access the internet (this I have done, except for the VLAN 200 part, which I am not sure whether I have to do or not?)
- Set up SSG ethernet0/2 as a routed port with 150.250.120.170/29 (VIP)
- Use VLAN number 200
- Default route to 150.250.120.169

 

- To access the data center (this is what I am battling with)
- Set up SSG ethernet0/4 as an internal VLAN access port
- Ethernet0/0 and ethernet0/4 to be in the same VLAN (Trust) segment
- Use VLAN number 100
- VLAN interface 192.168.100.x (x = an unused IP address)
- Add static route to data center 10.200.100.0/26
- Routing to data center next hop from SSG 10.200.100.0/26 gateway 192.168.100.21

 

Thanks,
Paul

 

What's the OID of interface flow in bps, or how do I parse "nsIfFlowInByte" into a bps unit?

I would like to get the number of bits per second (bps) of an interface via the SNMP MIB on ScreenOS. I found "ifIn1SecRate" for Junos, but I only found "nsIfFlowInByte" for ScreenOS, and I got its value like the following:

1.3.6.1.4.1.3224.9.3.1.3.0,nsIfFlowInByte,COUNTER,653321880

What's the interval of this value (653321880)? How do I parse bps? Or is there another OID that can do this? Thanks in advance!
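A byte COUNTER can only be turned into a rate by differencing two polls. The following is added example code, not from the post, that does this for the nsIfFlowInByte OID quoted above; it assumes a 32-bit Counter (as the COUNTER type in the poll output indicates) and a constructed second reading taken 60 seconds after the first.

```python
"""
Derive interface throughput in bit/s from the ScreenOS nsIfFlowInByte
counter (OID 1.3.6.1.4.1.3224.9.3.1.3.<ifIndex>). The value is a running
byte COUNTER, not a rate: one reading such as 653321880 has no interval.
Poll twice and divide the byte delta (times 8) by the elapsed seconds.
Added example code, not from the post; assumes a 32-bit Counter (the poll
output shows type COUNTER) and a constructed second reading.
"""
from __future__ import annotations
from dataclasses import dataclass

COUNTER32_MODULUS = 2 ** 32


@dataclass(frozen=True)
class Sample:
    """One SNMP poll: wall-clock time in seconds and the counter value."""
    timestamp: float
    value: int


def parse_poll_line(line: str) -> tuple[str, str, int]:
    """Parse an 'oid,name,type,value' line as printed in the post."""
    oid, name, snmp_type, value = (p.strip() for p in line.split(","))
    if snmp_type.upper() != "COUNTER":
        raise ValueError(f"{name} is {snmp_type}, expected COUNTER")
    return oid, name, int(value)


def counter_delta(previous: int, current: int,
                  modulus: int = COUNTER32_MODULUS) -> int:
    """Bytes counted between two readings, allowing for one counter wrap."""
    if not (0 <= previous < modulus and 0 <= current < modulus):
        raise ValueError("counter value outside Counter32 range")
    return (current - previous) % modulus


def bits_per_second(prev: Sample, cur: Sample) -> float:
    """Average throughput between two polls of the same counter, in bit/s."""
    elapsed = cur.timestamp - prev.timestamp
    if elapsed <= 0:
        raise ValueError("samples must be in chronological order")
    return counter_delta(prev.value, cur.value) * 8 / elapsed


# Constructed readings: POLL_1 is the value quoted in the post; POLL_2 is
# what the same OID might return 60 s later on a link carrying ~5 Mbit/s.
POLL_1 = "1.3.6.1.4.1.3224.9.3.1.3.0,nsIfFlowInByte,COUNTER,653321880"
POLL_2 = "1.3.6.1.4.1.3224.9.3.1.3.0,nsIfFlowInByte,COUNTER,690821880"


def demo() -> float:
    """Throughput implied by the two constructed polls, in bit/s."""
    _, _, v1 = parse_poll_line(POLL_1)
    _, _, v2 = parse_poll_line(POLL_2)
    return bits_per_second(Sample(0.0, v1), Sample(60.0, v2))


if __name__ == "__main__":
    print(f"{demo() / 1e6:.2f} Mbit/s")
```

A Counter32 wraps every 2^32 bytes, so the poll interval must be shorter than the wrap time at line rate (about 34 s at 1 Gbit/s) or the delta becomes ambiguous.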

SSG 320M :: Booting stop situation


부팅멈춤.png

 

1) No problem with: console cable, PuTTY, keyboard,

   because I used them with another product, for example an SSG5 etc.

 

2) I pushed the reset button for a very long time, but it is still the same.

 

3) No other key input works in PuTTY.

 

What can I do? :)

Route based VPN - packet dropped, no route - problem


I have two Juniper SSG5 with the same firmware version 6.3.0r23.0.

 

A route based VPN set up between the two that is seemingly working.
SA - status is active and link is up. The tunnel is stable.

 

On both sites:
Ethernet0/0 is the outgoing interface that has access to the internet.
Ethernet0/0 is in the untrust zone (untrust-vr).
The tunnel interface is configured in a zone called VPN (trust-vr) and Ethernet0/4.
The zone named Config (trust-vr), configured on both sites is what the VPN shall interconnect.

 

SiteA
Ethernet0/0 is configured with a Static ip
Ethernet0/4 10.1.1.0/24
The tunnel interface is named tunnel.1
Config zone 10.238.135.96/24 GW 10.238.135.97 (manageable)

 

SiteB
Ethernet0/0 Dynamic IP behind a NAT
Ethernet0/4 172.16.10.0/24
The tunnel interface is named tunnel.2
Config zone 10.238.135.128/28 GW 10.238.135.129 (manageable)

 

 

I have followed a KB article (KB15075) to configure Route Based LAN to LAN VPN using pre shared secrets to remote site with dynamically assigned IP addresses.

 

I don't have any hosts connected yet, so I am only trying to pass traffic between the gateways, and I am testing with http/https between the sites.

 

The problem I am having is that I get a "packet dropped, no route" on the other site when trying to access its gateway.

The logs below are from when I connect from SiteA, using http, to SiteB's gateway, 10.238.135.129, from a laptop with IP 10.238.135.101.

 

The packet gets all the way to SiteB, but is dropped because it cannot find a route.

As you can see below, there should be a route; if I understand correctly there are no route loops.

I added the debug log from SiteA too at the bottom of the post.

 

The problem is the same both ways.

Could anyone help me shed some light on this: what is causing the "packet dropped, no route"?


SiteB - debug log:

****** packet decapsulated, type=ipsec, len=64******
ipid = 24716(608c), @038c2238
tunnel.2:10.238.135.101/49532->10.238.135.129/80,6<Root>
no session found
flow_first_sanity_check: in <tunnel.2>, out <N/A>
chose interface tunnel.2 as incoming nat if.
flow_first_routing: in <tunnel.2>, out <N/A>
search route to (tunnel.2, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.238.135.129
no route to (10.238.135.101->10.238.135.129) in vr trust-vr/0
packet dropped, no route
first pak no session
**** pak processing end.

 

SiteB - Routing

 

SiteB-> get route ip 10.238.135.129
 Dest for 10.238.135.129
--------------------------------------------------------------------------------------
trust-vr       : => 10.238.135.129/32 (id=14) via 0.0.0.0 (vr: trust-vr)
                    Interface bgroup1 , metric 0

potential routes in other vrouters:

untrust-vr     : => 0.0.0.0/0 (id=31) via 192.168.2.1 (vr: untrust-vr)
                    Interface ethernet0/0 , metric 1



IPv4 Dest-Routes for <untrust-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        31          0.0.0.0/0         eth0/0     192.168.2.1   C    0      1     Root
*         1     192.168.2.0/24         eth0/0         0.0.0.0   C    0      0     Root
*         2   192.168.2.172/32         eth0/0         0.0.0.0   H    0      0     Root



IPv4 Dest-Routes for <trust-vr> (18 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        26          0.0.0.0/0            n/a      untrust-vr   S   20     10     Root
*        25   10.238.135.96/29          tun.2         0.0.0.0   S   20      1     Root
          1  10.238.135.104/30         eth0/1         0.0.0.0   C    0      0     Root
          2  10.238.135.105/32         eth0/1         0.0.0.0   H    0      0     Root
          9  10.238.135.108/30       eth0/3.3         0.0.0.0   C    0      0     Root
         10  10.238.135.109/32       eth0/3.3         0.0.0.0   H    0      0     Root
          3  10.238.135.112/30         eth0/2         0.0.0.0   C    0      0     Root
          4  10.238.135.113/32         eth0/2         0.0.0.0   H    0      0     Root
         12   10.238.135.65/32       eth0/3.4         0.0.0.0   H    0      0     Root
         11   10.238.135.64/27       eth0/3.4         0.0.0.0   C    0      0     Root
          8   10.238.135.33/32       eth0/3.2         0.0.0.0   H    0      0     Root
         23     172.16.10.0/24         eth0/4         0.0.0.0   C    0      0     Root
          7   10.238.135.32/27       eth0/3.2         0.0.0.0   C    0      0     Root
          6    10.238.135.1/32       eth0/3.1         0.0.0.0   H    0      0     Root
          5    10.238.135.0/27       eth0/3.1         0.0.0.0   C    0      0     Root
*        24     172.16.10.0/32         eth0/4         0.0.0.0   H    0      0     Root
*        14  10.238.135.129/32        bgroup1         0.0.0.0   H    0      0     Root
*        13  10.238.135.128/28        bgroup1         0.0.0.0   C    0      0     Root

 

 

SiteA - debug log:

***** 1988340.0: <Config/bgroup1> packet received [64]******
ipid = 61148(eedc), @03945790
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup1:10.238.135.101/49505->10.238.135.129/80,6<Root>
no session found
flow_first_sanity_check: in <bgroup1>, out <N/A>
chose interface bgroup1 as incoming nat if.
flow_first_routing: in <bgroup1>, out <N/A>
search route to (bgroup1, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 29 for 10.238.135.129
[ Dest] 29.route 10.238.135.129->10.238.135.129, to tunnel.1
routed (x_dst_ip 10.238.135.129) from bgroup1 (bgroup1 in 0) to tunnel.1
policy search from zone 100-> zone 107
policy_flow_search policy search nat_crt from zone 100-> zone 107
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.238.135.129, port 80, proto 6)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 12/1/0x9
Permitted by policy 12
No src xlate NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.238.135.129
matched tunnel-id <0x0000000f>
choose interface tunnel.1 as outgoing phy if
no loop on ifp tunnel.1.
session application type 6, name HTTP, nas_id 0, timeout 300sec
service lookup identified service 0.
flow_first_final_check: in <bgroup1>, out <tunnel.1>
existing vector list 107-30c6764.
Session (id:8045) created for first pak 107
flow_first_install_session======>
handle cleartext reverse route
search route to (tunnel.1, 10.238.135.129->10.238.135.101) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup1
cached route 20 for 10.238.135.101
[ Dest] 20.route 10.238.135.101->10.238.135.101, to bgroup1
route to 10.238.135.101
cached arp entry with MAC 0026b0e55c64 for 10.238.135.101
arp entry found for 10.238.135.101
ifp2 bgroup1, out_ifp bgroup1, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 8045
flow_main_body_vector in ifp bgroup1 out ifp tunnel.1
flow vector index 0x107, vector addr 0x30c6764, orig vector 0x30c6764
tcp head size = 44, opt_size=24
MSS found 0x05b4
adjust outbound vpn tcp mss.
tcp seq check.
Got syn, 10.238.135.101(49505)->10.238.135.129(80), nspflag 0x801801, 0x2800
post addr xlation: 10.238.135.101->10.238.135.129.
skipping pre-frag
going into tunnel 4000000f.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 0000000f
(vn2) doing ESP encryption and size =80
ESP-tunnel packet, set dscp to 0(tos 0)
ipsec encrypt prepare engine done
ipsec encrypt set engine done
POLL_DROP_PAK: vlist 0x30c6764, 0x30c6780
ipsec encrypt engine released
ipsec encrypt done
put packet(3c4e750) into flush queue.
remove packet(3c4e750) out from flush queue.

**** jump to packet:[SiteA—external-IP]>[SiteB-external-IP]
packet encapsulated, type=ipsec, len=136
ipid = 51190(c7f6), @03945764
going into tunnel c000000f.
flow_encrypt: enc vector=e3bef0.
packet encapsulated, type=natt, len=144
ipid = 51190(c7f6), @0394575c
out encryption tunnel c000000f gw:[SiteA-external-GW]
no more encapping needed
send out through normal path.
flow_ip_send: c7f6:[SiteA—external-IP]->[SiteB-external-IP],17 => ethernet0/0(144) flag 0x0, vlan 0
mac 00192fe607d9 in session
packet send out to 00192fe607d9 through ethernet0/0
**** pak processing end.
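The two traces above can be reduced to a per-packet summary mechanically. This is added example code, not from the original post or from Juniper, that parses ScreenOS `debug flow basic` output into the flow tuple, the virtual router searched and the verdict; SAMPLE is the post's own SiteB and SiteA traces, shortened.

```python
"""
Triage ScreenOS 'debug flow basic' output: for each packet trace, extract
the flow tuple, the virtual router searched and the verdict, so a long
capture can be scanned for drops at a glance. Added example code, not from
the post or from Juniper; SAMPLE is the post's SiteB/SiteA traces, shortened.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

FLOW_RE = re.compile(r"^(?P<ifp>[\w./-]+):(?P<src>[\d.]+)/\d+->"
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)<\w+>$")
ROUTE_RE = re.compile(r"^search route to \(.*\) in vr (?P<vr>[\w-]+) ")
OUT_IF_RE = re.compile(r"^routed \(.*\) from \S+ \(.*\) to (?P<out>\S+)$")
PERMIT_RE = re.compile(r"^Permitted by policy (?P<policy>\d+)$")
DROP_RE = re.compile(r"^packet dropped, (?P<reason>.+)$")

@dataclass
class Trace:
    in_if: str = ""          # ingress interface from the flow tuple line
    src: str = ""
    dst: str = ""
    dport: int = 0
    vrouter: str = ""        # VR of the first route lookup
    out_if: str = ""         # egress interface, if a route was found
    verdict: str = "unknown"

def parse_debug_flow(text: str) -> list[Trace]:
    """Split on the 'pak processing end.' marker and decode each trace."""
    traces = []
    for block in text.split("pak processing end."):
        t = Trace()
        for ln in (ln.strip() for ln in block.splitlines()):
            if m := FLOW_RE.match(ln):
                t.in_if, t.src, t.dst = m["ifp"], m["src"], m["dst"]
                t.dport = int(m["dport"])
            elif m := ROUTE_RE.match(ln):
                t.vrouter = t.vrouter or m["vr"]
            elif m := OUT_IF_RE.match(ln):
                t.out_if = m["out"]
            elif m := PERMIT_RE.match(ln):
                t.verdict = "permitted by policy " + m["policy"]
            elif m := DROP_RE.match(ln):
                t.verdict = "dropped: " + m["reason"]
        if t.src:                # skip fragments without a flow tuple
            traces.append(t)
    return traces

SAMPLE = """\
tunnel.2:10.238.135.101/49532->10.238.135.129/80,6<Root>
search route to (tunnel.2, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (10.238.135.101->10.238.135.129) in vr trust-vr/0
packet dropped, no route
**** pak processing end.
bgroup1:10.238.135.101/49505->10.238.135.129/80,6<Root>
search route to (bgroup1, 10.238.135.101->10.238.135.129) in vr trust-vr for vsd-0/flag-0/ifp-null
routed (x_dst_ip 10.238.135.129) from bgroup1 (bgroup1 in 0) to tunnel.1
Permitted by policy 12
**** pak processing end.
"""

def drops(text: str = SAMPLE) -> list[Trace]:
    """Only the traces that ended in a drop: the usual triage view."""
    return [t for t in parse_debug_flow(text) if t.verdict.startswith("dropped")]
```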

 

L2TP over IPsec to Microsoft RRAS


I have a Routing and Remote Access Server behind my SSG and I would like to use it for L2TP VPN. When I try to forward UDP 500 using a VIP on my interface, I get a message saying it's not supported; 500 is for management of the box.

 

I'm also currently using site-to-site VPN which I imagine is using port 500 on the same interface. Is this what is stopping me?

 

Would there be any way around this? My goal is to allow clients such as Windows PCs and iOS devices to connect to my network without using a certificate and instead a preshared key -- which RRAS supports.


Remove a VPN Tunnel


Hi,

 

I 'simply' need to remove a VPN tunnel from my SSG 140 firewall.

 

When I go to VPN > AutoKey and hit remove on the tunnel I need to delete, I get the following message...

 

This VPN has tunnel interface binding. Please remove the binding first.

 

I've tried going and unbinding the interface, but it's already set to none.

 

I'm really stuck, and don't want to remove anything that will break existing tunnels.

 

Any help will be greatly appreciated.

 

PS. Don't ask me to go into the CLI; I'm not that confident with the CLI and worry I'll break something else.

 

Many Thanks,

 

MIP on one of the trust network IP device for DMZ access


Hello,

It's an SSG140 FW. I have a device in the trust network which I want to be seen by a DMZ device by using a 1-to-1 MIP. I don't want to use any routing between the DMZ and the trust network. Any way to do it? Example IPs below.

0/0 Trust Network = 192.168.1.254 

0/1 DMZ network = 10.1.1.254

Actual trust network IP of the device = 192.168.1.10. I want to map this IP to 10.1.1.250, so my device in the DMZ can ping 10.1.1.250, which refers to the 192.168.1.10 host.

Appreciate any advice.

 

 

 

SSG Firewall log compression transfer.


Hi,

 

On the SSG 550 firewall,

via FTP or otherwise,

can I send the log to another server as a compressed file?

 

Please answer me.

 

Thank you.

SSG5 Performance Issues


Hello, new to the forum. I have an issue when trying to transfer larger files, like 2 to 3 Mbps, through different zones on the SSG5. I did a get inter eth0/3 and, as you can see below, it shows a half-duplex connection. What is really weird is I don't see any collisions on the interfaces, just bad performance. I am connecting to an HP V1910-48G switch. I am pretty sure that the performance I am getting when copying between zones is from the half duplex. My transfer rates are like 300Kbps, but if I don't go through the firewall and both devices are in the same zone it is lightning fast. Can anyone help? Should there be collisions that show up?

 

Interface ethernet0/3(VSI):
description ethernet0/3
number 7, if_info 2856, if_index 0, mode route
link inactive, phy-link up/half-duplex
status change:1, last change:09/12/2016 04:04:14
vsys Root, zone Logicor, vr trust-vr, vsd 0

 

[ASK] apply pbr on sub interface Juniper ssg550


Hi,

 

I am about to configure PBR on my customer's SSG550 production device,

and it seems I need to apply the PBR on a subinterface.

 

Has anyone ever tried configuring PBR and applying it on a subinterface?

Will this work? Because I don't have an SSG device to test and make sure it

 

Thank you
