asked on

Why when using our Juniper SSG320 as default router are connections to other subnets are dropped or reset?

We recently moved from a Watchguard Firebox firewall to a Juniper SSG 320. We have 7 total locations/branches and they all can access the Internet via the Juniper. The Juniper has static routing entries for each of the branches. I can ping any system at any branch from the main office and I can ping anything at any branch from any other branch... so it appears routing is set up. Here is the problem:

When users attempt to utilize our Intranet or other services hosted at our main branch (where the Juniper is located and is the default route) they are unable to access anything. I can ping, but I cannot ssh or telnet or anything else. If I enter static routes to each of the branches in the servers everything works as it should.

Is there a setting in the Juniper I am missing? Could there be an ARP issue?

As a side note, I still have the Watchguard online (with a different internal IP address than it used to have) and I can still get to the Internet (via a different ISP which we are cancelling).

dpk_wal

By default watchguard allows traffic between the subnets which are on the same physical interface [secondary networks]; however by default in Juniper firewalls intrazone traffic is blocked.

If you wish to open traffic between two subnets which are on the same zone (say trust); then you need to have a policy which would explicitly allow the traffic as below:
set policy id x from trust to trust source-subnet remote-subnet application permit
set policy id x from trust to trust remote-subnet source-subnet application permit

In above CLI, source-subnet and remote-subnet are addresses which are already added; for application if you wish all traffic then you specify "any".

Thank you.

jasoncraddock

ASKER

Thank you dpk_wal. I have entered the policies as described in your solution. I am still experiencing the issue, though. I can still connect to another subnet, but the connection (VNC, for example) only last for 10 or so seconds. HTTP connections never get fully established.

I have posted a snippet of the config from the firewall fo you to look over.

Thanks again for your assistance.

set policy id 20 name "Main to Lindon" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.89.0/24" "ANY" permit 
set policy id 20
exit
set policy id 21 name "Lindon to Main" from "Trust" to "Trust"  "172.22.89.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 21
exit
set policy id 22 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.90.0/24" "ANY" permit 
set policy id 22
exit
set policy id 23 name "SOB 2 Main" from "Trust" to "Trust"  "172.22.90.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 23
exit
set policy id 24 name "Main to PG" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.85.0/24" "ANY" permit 
set policy id 24
exit
set policy id 25 name "PG to Main" from "Trust" to "Trust"  "172.22.85.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 25
exit
set policy id 26 name "Payson to Main" from "Trust" to "Trust"  "172.22.88.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 26
exit
set policy id 27 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.88.0/24" "ANY" permit 
set policy id 27
exit
set policy id 28 name "Springville to Main" from "Trust" to "Trust"  "172.22.86.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 28
exit
set policy id 29 name "Main to Springville" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.86.0/24" "ANY" permit 
set policy id 29
exit
set policy id 30 name "AF to Main" from "Trust" to "Trust"  "172.22.84.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 30
exit
set policy id 31 name "Main to AF" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.84.0/24" "ANY" permit 
set policy id 31
exit

Open in new window

dpk_wal

Have you added the subnets like 172.22.83.0/24 as network addresses on the needed zone. Also, wanted to make sure all these subnets are actually part of the trust zone or are they on different zones; in Juniper all policies are based on zones; the sample CLI I posted was keeping in mind that the subnets are on the trust zone themselves.

Thank you.

jasoncraddock

ASKER

I just verified the config and the addresses are included in the trust zone only. Physically, they are all internal, trusted networks, too.

dpk_wal

can you enable logging for the policies by appending "log" keyword at the end, for eg:
set policy id x from trust to untrust any any any permit log

and then check the logs as:
get log traffic

Finally, if nothing comes up we can use debug:
debug flow basic --- to start debug
clear db --- to clear db
get db stream --- to show the packets

We would now know what is blocking the traffic.

Thank you.

jasoncraddock

ASKER

OK. Logging enabled.
I've attached the logging information. It looks like the connection lasted 19 seconds and was closed out due to "AGE OUT"

2008-10-15 11:16:33	172.22.83.74:49927 	172.22.89.30:5900	172.22.83.74:49927	172.22.89.30:5900	TCP PORT 5900	19 sec.	9736	0	Close - AGE OUT

Open in new window

dpk_wal

Is the traffic coming back; can you ensure that the machines have SSG as the default gateway; and not any other device.

Please update.

Thank you.

jasoncraddock

ASKER

When I look at the logging for the policy which permits the traffic to flow back there is nothing listed. Here is how they connect to everything:

Branch A has the Juniper and other routers for the branches. All branches connect to branch A for service. Branch B has a small Cisco router which is that branch's default route. The router is connected via a T1 to another Cisco router at Branch A. The Cisco router at Branch A has a default route of the Juniper firewall. The only thing I can see is that traffic flowing from Branch B to Branch A will not hit the Juniper because the Cisco router located at Branch A is on the same subnet and does not need to route packets within its subnet.

All branches are set up in a similar fashion.

dpk_wal

I am assuming your network diagram is as I have attached below.

Then you should have created routes on SSG320 to reach different subnets using the IP of router A [which is on the same subnet as the interface IP of SSG320]; further you also need route on each router to first forward all the traffic to router A and on router A to then forward the traffic to SSG320.

If all the above routes are in place then the things should work.

Please check and update.

Thank you.
Q-23814589.JPG

jasoncraddock

ASKER

I am out of the office for knee surgery. I will reply with a diagram later tonight. Sorry for the delay. Thanks again for your input

jasoncraddock

ASKER

I've attached a small diagram of our layout.
The Juniper has all the static routes to each branch included in its config.

What I *think* is happening is this:

System at branch A initiates a session with a system at another branch. The session starts and the other branch system communicates via its router on branch A side, completely bypassing the Juniper. The Juniper never "sees" the response from the other branch and terminates the initial session.

Any ideas on how to work around this? I know I can set a default route to be one of the Cisco routers and have it handle the work, I am just trying to avoid that for now.

Thanks again
routers.png

ASKER CERTIFIED SOLUTION

dpk_wal

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

jasoncraddock

ASKER

Thank you. Will try later today when I get back in.

jasoncraddock

ASKER

sorry... recovery from knee surgery is taking longer than I thought. I do not have access to the firewall from home. I will try to get in early next week and give this a try.

I believe the route-map on the Cisco devices is the way to go, I just need to figure out exactly how to implement it.

dpk_wal

No problem please update per your convenience; have a speedy recovery! :)

jasoncraddock

ASKER

Thanks for your help. Sorry for the delay in rewarding points!