Solved

Why, when using our Juniper SSG320 as the default router, are connections to other subnets dropped or reset?

Posted on 2008-10-14
16
1,963 Views
Last Modified: 2011-10-19
We recently moved from a Watchguard Firebox firewall to a Juniper SSG 320.  We have 7 total locations/branches and they all can access the Internet via the Juniper.  The Juniper has static routing entries for each of the branches.  I can ping any system at any branch from the main office and I can ping anything at any branch from any other branch... so it appears routing is set up.  Here is the problem:

When users attempt to utilize our Intranet or other services hosted at our main branch (where the Juniper is located and is the default route) they are unable to access anything.  I can ping, but I cannot ssh or telnet or anything else.  If I enter static routes to each of the branches in the servers everything works as it should.

Is there a setting in the Juniper I am missing?  Could there be an ARP issue?  

As a side note, I still have the Watchguard online (with a different internal IP address than it used to have) and I can still get to the Internet (via a different ISP which we are cancelling).
0
Question by:jasoncraddock
16 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22718270
By default watchguard allows traffic between the subnets which are on the same physical interface [secondary networks]; however by default in Juniper firewalls intrazone traffic is blocked.

If you wish to open traffic between two subnets which are on the same zone (say trust); then you need to have a policy which would explicitly allow the traffic as below:
set policy id x from trust to trust source-subnet remote-subnet application permit
set policy id x from trust to trust remote-subnet source-subnet application permit

In above CLI, source-subnet and remote-subnet are addresses which are already added; for application if you wish all traffic then you specify "any".

Thank you.
0
 

Author Comment

by:jasoncraddock
ID: 22722407
Thank you dpk_wal.  I have entered the policies as described in your solution.  I am still experiencing the issue, though.  I can still connect to another subnet, but the connection (VNC, for example) only lasts for 10 or so seconds.  HTTP connections never get fully established.

I have posted a snippet of the config from the firewall for you to look over.

Thanks again for your assistance.
set policy id 20 name "Main to Lindon" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.89.0/24" "ANY" permit 

set policy id 20

exit

set policy id 21 name "Lindon to Main" from "Trust" to "Trust"  "172.22.89.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 21

exit

set policy id 22 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.90.0/24" "ANY" permit 

set policy id 22

exit

set policy id 23 name "SOB 2 Main" from "Trust" to "Trust"  "172.22.90.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 23

exit

set policy id 24 name "Main to PG" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.85.0/24" "ANY" permit 

set policy id 24

exit

set policy id 25 name "PG to Main" from "Trust" to "Trust"  "172.22.85.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 25

exit

set policy id 26 name "Payson to Main" from "Trust" to "Trust"  "172.22.88.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 26

exit

set policy id 27 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.88.0/24" "ANY" permit 

set policy id 27

exit

set policy id 28 name "Springville to Main" from "Trust" to "Trust"  "172.22.86.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 28

exit

set policy id 29 name "Main to Springville" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.86.0/24" "ANY" permit 

set policy id 29

exit

set policy id 30 name "AF to Main" from "Trust" to "Trust"  "172.22.84.0/24" "172.22.83.0/24" "ANY" permit 

set policy id 30

exit

set policy id 31 name "Main to AF" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.84.0/24" "ANY" permit 

set policy id 31

exit


0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22722764
Have you added the subnets like 172.22.83.0/24 as network addresses on the needed zone?  Also, I wanted to make sure all these subnets are actually part of the trust zone, or are they on different zones?  In Juniper all policies are based on zones; the sample CLI I posted was keeping in mind that the subnets are on the trust zone themselves.

Thank you.
0
 

Author Comment

by:jasoncraddock
ID: 22722930
I just verified the config and the addresses are included in the trust zone only.  Physically, they are all internal, trusted networks, too.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22723331
Can you enable logging for the policies by appending the "log" keyword at the end, e.g.:
set policy id x from trust to untrust any any any permit log

and then check the logs as:
get log traffic

Finally, if nothing comes up we can use debug:
debug flow basic --- to start debug
clear db --- to clear db
get db stream --- to show the packets

We would now know what is blocking the traffic.

Thank you.
0
 

Author Comment

by:jasoncraddock
ID: 22723472
OK.  Logging enabled.  
I've attached the logging information.  It looks like the connection lasted 19 seconds and was closed out due to "AGE OUT"
2008-10-15 11:16:33	172.22.83.74:49927 	172.22.89.30:5900	172.22.83.74:49927	172.22.89.30:5900	TCP PORT 5900	19 sec.	9736	0	Close - AGE OUT


0
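An added example (not from the thread and not Juniper code): a small parser for the tab-separated traffic-log line posted above, used to pull out sessions that the firewall forwarded but never saw a reply for. The column order (date/time, source, destination, translated source, translated destination, service, duration, bytes sent, bytes received, close reason) is inferred from that one line; the first sample line is the posted one and the remaining lines are constructed for contrast.

```python
"""Parse ScreenOS-style tab-separated traffic log lines and flag sessions that
look asymmetrically routed: bytes went out through the firewall, nothing came
back through it, and the entry was aged out rather than closed normally.
Added example; column meanings are inferred from the line posted in the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample. The first line is the one posted in the thread; the
# others are made up: a second one-way session, a healthy two-way HTTPS
# session, and a ping whose reply also never crossed the firewall.
SAMPLE_LOG = (
    "2008-10-15 11:16:33\t172.22.83.74:49927 \t172.22.89.30:5900\t172.22.83.74:49927\t"
    "172.22.89.30:5900\tTCP PORT 5900\t19 sec.\t9736\t0\tClose - AGE OUT\n"
    "2008-10-15 11:17:02\t172.22.83.74:49930\t172.22.89.30:22\t172.22.83.74:49930\t"
    "172.22.89.30:22\tSSH\t19 sec.\t1320\t0\tClose - AGE OUT\n"
    "2008-10-15 11:18:10\t172.22.83.10:51000\t198.51.100.5:443\t203.0.113.7:51000\t"
    "198.51.100.5:443\tHTTPS\t42 sec.\t5120\t88430\tClose - TCP FIN\n"
    "2008-10-15 11:18:15\t172.22.83.74:0\t172.22.89.30:0\t172.22.83.74:0\t"
    "172.22.89.30:0\tPING\t4 sec.\t240\t0\tClose - AGE OUT\n"
)


@dataclass
class Session:
    when: str
    src: str
    dst: str
    service: str
    duration_s: int
    bytes_sent: int
    bytes_recv: int
    close_reason: str


def parse_line(line: str) -> Session:
    """Split one log line into its ten tab-separated columns."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("\t")]
    if len(fields) != 10:
        raise ValueError(f"expected 10 tab-separated fields, got {len(fields)}: {line!r}")
    when, src, dst, _xlat_src, _xlat_dst, service, duration, sent, recv, reason = fields
    m = re.fullmatch(r"(\d+)\s*sec\.?", duration)
    if not m:
        raise ValueError(f"unparseable duration {duration!r}")
    return Session(when, src, dst, service, int(m.group(1)), int(sent), int(recv), reason)


def parse_log(text: str) -> List[Session]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def one_way_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions where the firewall forwarded data but saw no reply and had to
    age the entry out. Ping shows up here too: the client still receives its
    echo reply over the other path, which is why 'I can ping' proved nothing."""
    return [s for s in sessions
            if s.bytes_sent > 0 and s.bytes_recv == 0 and "AGE OUT" in s.close_reason]


def suspect_subnets(sessions: List[Session]) -> Dict[str, int]:
    """Count one-way sessions per destination /24, to show which branch's
    return path is bypassing the firewall."""
    counts: Counter = Counter()
    for s in one_way_sessions(sessions):
        ip = s.dst.rsplit(":", 1)[0]
        counts[".".join(ip.split(".")[:3]) + ".0/24"] += 1
    return dict(counts)


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for s in one_way_sessions(sessions):
        print(f"{s.when} {s.src} -> {s.dst} {s.service}: sent {s.bytes_sent}, got 0, {s.close_reason}")
    print("one-way sessions per destination subnet:", suspect_subnets(sessions))
```

Zero bytes received combined with an AGE OUT close is the signature to look for in "get log traffic": the firewall created the session from the outbound SYN, kept forwarding the client's packets, and tore the entry down when the handshake never completed through it.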
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22723714
Is the traffic coming back?  Can you ensure that the machines have the SSG as the default gateway, and not any other device.

Please update.

Thank you.
0
 

Author Comment

by:jasoncraddock
ID: 22723841
When I look at the logging for the policy which permits the traffic to flow back there is nothing listed.  Here is how they connect to everything:

Branch A has the Juniper and other routers for the branches.  All branches connect to branch A for service.  Branch B has a small Cisco router which is that branch's default route.  The router is connected via a T1 to another Cisco router at Branch A.  The Cisco router at Branch A has a default route of the Juniper firewall.  The only thing I can see is that traffic flowing from Branch B to Branch A will not hit the Juniper because the Cisco router located at Branch A is on the same subnet and does not need to route packets within its subnet.

All branches are set up in a similar fashion.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22728664
I am assuming your network diagram is as I have attached below.

Then you should have created routes on SSG320 to reach different subnets using the IP of router A [which is on the same subnet as the interface IP of SSG320]; further you also need route on each router to first forward all the traffic to router A and on router A to then forward the traffic to SSG320.

If all the above routes are in place then the things should work.

Please check and update.

Thank you.
Q-23814589.JPG
0
 

Author Comment

by:jasoncraddock
ID: 22734798
I am out of the office for knee surgery.  I will reply with a diagram later tonight.  Sorry for the delay.  Thanks again for your input.
0
 

Author Comment

by:jasoncraddock
ID: 22737454
I've attached a small diagram of our layout.
The Juniper has all the static routes to each branch included in its config.

What I *think* is happening is this:

System at branch A initiates a session with a system at another branch.  The session starts and the other branch system communicates via its router on branch A side, completely bypassing the Juniper.  The Juniper never "sees" the response from the other branch and terminates the initial session.

Any ideas on how to work around this?  I know I can set a default route to be one of the Cisco routers and have it handle the work, I am just trying to avoid that for now.

Thanks again
routers.png
0
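An added example, not from the thread, Juniper or Cisco, that models the failure the author describes above: a toy stateful firewall acting as the default gateway, with a branch router on the same LAN as the client delivering replies directly. The flag that routes replies back through the firewall stands in for the policy routing the accepted answer goes on to suggest. The timeouts, the "one-way traffic does not refresh a half-open session" rule, and the "no session, no non-SYN packet" rule are assumptions about generic stateful-firewall behaviour, chosen to reproduce the roughly 20-second AGE OUT seen in the log.

```python
"""Toy model of the thread's failure mode: a stateful firewall is the default
gateway for the main office, but replies from a branch come back through a
router that sits on the same LAN as the client and so never cross the firewall.
Added example; timeouts and session rules are assumptions, not ScreenOS facts."""
from dataclasses import dataclass

MAIN_NET = "172.22.83.0/24"          # subnets from the thread
BRANCH_NET = "172.22.89.0/24"
CLIENT, SERVER = "172.22.83.74", "172.22.89.30"
HALF_OPEN_TIMEOUT = 20.0             # assumed: seconds before an unestablished session ages out
ESTABLISHED_TIMEOUT = 1800.0         # assumed: idle timeout once both directions were seen
OPENERS = {"SYN", "ECHO"}            # packet kinds allowed to create a new session


def subnet_of(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


@dataclass
class Packet:
    src: str
    dst: str
    kind: str    # SYN, SYN-ACK, ACK, DATA, ECHO, ECHO-REPLY
    t: float     # seconds since start


@dataclass
class Session:
    created: float
    last_seen: float
    established: bool = False

    def expired(self, now: float) -> bool:
        # Assumption: one-way traffic does not refresh a half-open session,
        # which is what the 19-second AGE OUT with 9736 bytes sent suggests.
        if self.established:
            return now - self.last_seen > ESTABLISHED_TIMEOUT
        return now - self.created > HALF_OPEN_TIMEOUT


class StatefulFirewall:
    def __init__(self, policies):
        self.policies = policies     # set of permitted (src_subnet, dst_subnet) pairs
        self.sessions = {}
        self.log = []

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        key = frozenset((pkt.src, pkt.dst))      # both directions share one entry
        sess = self.sessions.get(key)
        if sess and sess.expired(pkt.t):
            self.log.append(f"{pkt.t:5.1f}s {pkt.src}<->{pkt.dst} Close - AGE OUT")
            del self.sessions[key]
            sess = None
        if sess is None:
            if pkt.kind not in OPENERS:
                self.log.append(f"{pkt.t:5.1f}s drop {pkt.kind} {pkt.src}->{pkt.dst}: no session")
                return False
            if (subnet_of(pkt.src), subnet_of(pkt.dst)) not in self.policies:
                self.log.append(f"{pkt.t:5.1f}s drop {pkt.kind} {pkt.src}->{pkt.dst}: intrazone policy deny")
                return False
            sess = self.sessions[key] = Session(created=pkt.t, last_seen=pkt.t)
        if pkt.kind in ("SYN-ACK", "ECHO-REPLY"):
            sess.established = True               # the firewall saw the reply: two-way flow
        sess.last_seen = pkt.t
        return True


PERMIT_BOTH_WAYS = {(MAIN_NET, BRANCH_NET), (BRANCH_NET, MAIN_NET)}   # the thread's trust-to-trust policies


def run_tcp(replies_via_firewall: bool, policies=PERMIT_BOTH_WAYS):
    """Simulate a TCP session that sends data every 5 s for a minute.
    Returns (per-interval delivery results, firewall log)."""
    fw = StatefulFirewall(policies)

    def to_server(pkt):               # the client's default gateway is the firewall
        return fw.forward(pkt)

    def to_client(pkt):
        # The reply lands on router A, which shares the client's subnet; without
        # policy routing it hands the packet to the client directly.
        return fw.forward(pkt) if replies_via_firewall else True

    if to_server(Packet(CLIENT, SERVER, "SYN", 0.0)) and to_client(Packet(SERVER, CLIENT, "SYN-ACK", 0.1)):
        to_server(Packet(CLIENT, SERVER, "ACK", 0.2))
    delivered = []
    for t in range(5, 65, 5):
        ok = to_server(Packet(CLIENT, SERVER, "DATA", float(t)))
        delivered.append(ok)
        if ok:
            to_client(Packet(SERVER, CLIENT, "DATA", t + 0.1))
    return delivered, fw.log


def ping_reply_reaches_client(replies_via_firewall: bool) -> bool:
    """Ping works either way: the client gets the echo reply whether or not the
    firewall ever sees it, which is why ping was a misleading test here."""
    fw = StatefulFirewall(PERMIT_BOTH_WAYS)
    if not fw.forward(Packet(CLIENT, SERVER, "ECHO", 0.0)):
        return False
    reply = Packet(SERVER, CLIENT, "ECHO-REPLY", 0.1)
    return fw.forward(reply) if replies_via_firewall else True


if __name__ == "__main__":
    for via_fw in (False, True):
        delivered, log = run_tcp(via_fw)
        print(f"replies via firewall={via_fw}: {sum(delivered)}/{len(delivered)} data packets delivered")
        for line in log:
            print("  ", line)
```

With replies bypassing the firewall the model passes the first few data packets, ages the half-open session out at 20 s and then drops everything, matching the short-lived VNC sessions and the AGE OUT log entry; with replies steered back through the firewall the session becomes established and stays up. Passing an empty policy set reproduces the original symptom from the first answer, where the default intrazone deny blocks the SYN outright.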
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22737933
You can configure a route map on the Cisco router; this would allow you to configure routes based on a specific subnet, so all traffic for the branch A network from any of the routers would use the SSG as the gateway and the rest would use the default route as configured.

I am not a router expert so would not be able to help you best with the route maps; they are something like this [the syntax might not be 100% correct and there are many more options than the ones I listed]:
route-map <name> permit/deny <priority>
 match ip address <access-list-name>
 set ip next-hop <ssg-ip>
!
interface <interface-name>
 ip policy route-map <name>

Thank you.
0
 

Author Comment

by:jasoncraddock
ID: 22740435
Thank you.  Will try later today when I get back in.
0
 

Author Comment

by:jasoncraddock
ID: 22751056
Sorry... recovery from knee surgery is taking longer than I thought.  I do not have access to the firewall from home.  I will try to get in early next week and give this a try.

I believe the route-map on the Cisco devices is the way to go, I just need to figure out exactly how to implement it.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22751173
No problem please update per your convenience; have a speedy recovery! :)
0
 

Author Closing Comment

by:jasoncraddock
ID: 31506085
Thanks for your help.  Sorry for the delay in rewarding points!
0
