Solved

How do I debug a routing problem on a Juniper SSG-140 Firewall?

Posted on 2009-05-11
6,211 Views
Last Modified: 2013-12-12
 I have a Juniper SSG-140 and I seem to be having a routing issue.  I am not very familiar with the management of the firewall, and only minimally familiar with networking.  I have a system on my network that cannot access the internet.  I went to the command line and did a tracert.  The last place it manages to traverse to is our firewall.  I can get into the management web page for the firewall, but I do not know how to show where (or why) the communication was blocked.
Question by:developmentguru
26 Comments
 
LVL 7

Expert Comment

by:willbaclimon
ID: 24358856
Where are you logging the syslog? If you're not logging to a syslog server, then look at the local logs at the time of the error via the command line or the GUI. Worst case scenario, there are debugging commands, but you should be careful not to enable all of them at once.

-Will
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 350 total points
ID: 24359568
One way is to enable traffic logging in some or all policies: go into the properties of your Internet policy, and check either the session log or the session begin option.
Then ping or tracert, and look into the policy table symbol of the Internet policy. If there are entries, routing is OK and the policy is hit. If not, either another policy was applied earlier, or routing is not OK.
If you do not look under Policy but under Report > Policy, each policy will show a colored table icon if records are stored, and a gray one if no records are stored but session/traffic logging is enabled.

The professional way would be to use the CLI (telnet/ssh):
clear dbuf
set ffilter dst-ip  12.34.56.78
debug flow drop
debug flow basic
(ping or tracert from workstation to above address 12.34.56.78)
undebug all
get dbug stream

The output might be a lot, but you can see key phrases like "dropped by policy", which reveal why packets are dropped or passed.
 
LVL 21

Author Comment

by:developmentguru
ID: 24376310
 I apologize for the late reply, things got crazy here.  I need to state that I am one person in a two man IT department and we have no advanced networking expertise.  A local vendor came in and set up our firewall and left it.

  I mention all of this to give you both a clear understanding of why I will need more of a step by step explanation of how to do what you are suggesting.  I currently do not know how to check if logging is on.  I need to know if you want me to run through any given set of steps in the web interface or a hyper terminal type of program first.  I can go run through the set of steps you want me to and post the output.

  As a qualified expert in several Delphi programming zones I realize how easy it is to forget... how much you know, that many people do not.  I would appreciate comments on the steps to tell me what they are for even.  I assume CLI stands for command line interface?

  Thanks in advance for your patience.
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 350 total points
ID: 24376578
Uh, then there is a lot to deal with ... Yes, CLI is command line interface, reachable with ssh (putty) or telnet. It is useful for fast access to all infos. However, if you do not know much, you will use WebUI (http) access.

Are you talking about no-one is able to use Internet? Or it is only one of many systems? The latter would lead to a simple policy or routing problem, the former to a total misconfiguration.
 
LVL 21

Author Comment

by:developmentguru
ID: 24380663
There is one system that cannot use internet.  The system can be pinged.  If the IP address is changed then the system can access the internet.  Change the IP back and it no longer works.  When I run a tracert it ends at the firewall.
 
LVL 2

Assisted Solution

by:stagira
stagira earned 150 total points
ID: 24384532
Hi,

the first thing to do is to be able to manage the firewall. Is that the case? Do you have all access to it?
I mean:

is the web-ui working ?
is the ssh working ?
is the local serial working ?

you need at least the first and the second one.

and do you have administrator access?

if not, please tell us.

Second, be sure that the SSG can reach your host, and that the host can reach the firewall.

you say that the system can be pinged: from the SSG? you get a reply?

so from the SSG, in the console (serial or ssh), please run the following commands:

# the following tells how the SSG knows to reach your host
get route ip YOUR-HOST-IP

# this one, which policy is involved for packets reaching your host
get policy dst-ip YOUR-HOST-IP

# this one, which policy is involved for packets coming from your host
get policy src-ip YOUR-HOST-IP

More, if you want to know which policy is permitting traffic from/to your host:

get policy dst-ip YOUR-HOST-IP action permit
get policy src-ip YOUR-HOST-IP action permit

if the result is NULL, then you must create one.

More, if you want to know which policy is denying traffic from/to your host:

get policy dst-ip YOUR-HOST-IP action deny
get policy dst-ip YOUR-HOST-IP action reject

get policy src-ip YOUR-HOST-IP action deny
get policy src-ip YOUR-HOST-IP action reject

As Qlemo says, there is a lot to deal with ....
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 350 total points
ID: 24385026
The policy checks of stagira are not working if the IP is part of an address group.
My first attempt would be to check
get config | include 1\.2\.3\.4
where 1.2.3.4 is the client's IP address. This will show if anything is configured especially for this address.
 
LVL 2

Assisted Solution

by:stagira
stagira earned 150 total points
ID: 24398420
Hi,

yes, personally I always begin with the

get config | include ....something....

it is a good start. Here, as we have a routing issue, we first need to check if the firewall knows where to send the packets, then the policy check, to see if the packets are permitted or not.

developmentguru, first try:

-  to manage your box,

- then play with the routing tables,

- then check the policy,

This is the better path.

I also recommend you to go to http://kb.juniper.net/ to search for documentation.
 
LVL 21

Author Comment

by:developmentguru
ID: 24418155
I am sorry about my delayed response... I am writing this at home as I have not had enough time to check on it at work.  I plan to examine all of the attempts tomorrow and let you know.  Thanks for the effort all.
 
LVL 21

Author Comment

by:developmentguru
ID: 24421076
I tried the
get config | include 1\.2\.3\.4

and got this:

set interface "ethernet0/2" mip 1.2.3.0 host 10.1.1.250 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 1.2.3.2 host 10.1.1.254 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 1.2.3.1 host 10.1.1.25 netmask 255.255.255.255 vr "trust-vr"

Any clues from this?

 
LVL 21

Author Comment

by:developmentguru
ID: 24421083
The original IP in question was 10.1.1.25...
 
LVL 68

Expert Comment

by:Qlemo
ID: 24421183
That's the output of get config | incl 10\.1\.1\.25, I suppose?

The last MIP is saying that this special IP address is mapped to 1.2.3.1 - very strange. I reckon this IP address will be valid in Internet, and be routed to somewhere else than your NetScreen. Issue an
unset interface "ethernet0/2" mip 1.2.3.1
 
LVL 21

Author Comment

by:developmentguru
ID: 24430946
I just put 1.2.3.1 as a mask for the real address it gave me.  the final number 0/2/1 is real.  I was not here when the IP addresses were assigned.  I suppose it is possible that that IP address is no longer mapped to our external T1... How would I go about testing?  Perhaps I could remove that routing and see if internet access works on 10.1.1.25?  Any suggestions would be appreciated.  This is back to the original question, how do I fix what is blocking internet from that IP.
 
LVL 21

Author Comment

by:developmentguru
ID: 24430957
I guess before I try the unset command I want to be sure I know how to put it back (in case it does not fix anything).  I got stuck on the idea that the masked IP I gave you was confusing and did not read the command.  Let me know how to reset it if I need to and I will give that a try.
 
LVL 68

Expert Comment

by:Qlemo
ID: 24430969
Just remove the DIP. You have the command to restore it (above set interface ...), if you need it again.
 
LVL 21

Author Comment

by:developmentguru
ID: 24432088
I just talked to one of the two consultants that were involved in setting this up.  I am told that they suspect we had an intrusion attempt made on that IP address and that the firewall shut it down.  How could I test to see if that is true (or reset it if it is)?  
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 350 total points
ID: 24432543
The event log shows you if a Screening feature came in and closed the IP temporarily (get event, or in WebUI Reports, System).

But that is humbug. Screening applies temporarily, and it closes single ports or source addresses. You would not usually have screening active on your Trust interface, and on Untrust only public IPs should be excluded.

Did you, at last, remove the DIP to try if it works?
 
LVL 21

Author Comment

by:developmentguru
ID: 24433067
failed command - unset interface "ethernet0/2" is not found.
 
LVL 21

Author Comment

by:developmentguru
ID: 24433077
mip(10.1.1.25) mask(255.255.255.255) for ethernet0/2 is not found.
 
LVL 21

Author Comment

by:developmentguru
ID: 24433085
Mip: Not Found
 
LVL 68

Expert Comment

by:Qlemo
ID: 24433190
The command is

unset interface eth0/2 mip 1.2.3.1

If errors appear, the MIP is used in a policy. Then you have to search for the MIP address (1.2.3.1), not 10.1.1.25, in the same manner as before.

0
 
LVL 21

Author Comment

by:developmentguru
ID: 24434260
OK, I ran the command wrong before.  Thanks for the correction.  As soon as I ran the corrected command it gave me this:


Mip ip(a.b.c.1) host(10.1.1.25) is in use
Mip: can't be removed

Failed command - unset interface "ethernet0/2" mip a.b.c.1


When I ran the get config on the outside portion of the address I got this:


set interface "ethernet0/2" mip a.b.c.1 host 10.1.1.25 netmask 255.255.255.255 vr "trust-vr"
set policy id 35 name "RDP - Citrix" from "Untrust" to "Trust"  "Any" "MIP(a.b.c.1)" "Citrix -ICA" permit log


I changed the 1.2.3.1 I was using to mask the actual IP address to use letters in the mask... the IP address is irrelevant other than that it match when I type the commands in.  Where you see the a.b.c.1 it represents the external IP address in this setup.
 
LVL 68

Accepted Solution

by:
Qlemo earned 350 total points
ID: 24434406
You will have to look if that policy does only apply for that MIP, by
get pol id 35
Should there be more than this MIP address, it's getting difficult, and you should use WebUI to remove this MIP from the policy.
Else you can unset the policy
unset pol id 35
And after this, you should be able to remove the MIP on interface.

0
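The dependency chase in this thread (host IP -> MIP on the interface -> policy that pins the MIP -> "unset pol id", then "unset interface ... mip") can be done over a saved copy of the `get config` output instead of by eye. The following script is an added example, not code from the thread or from Juniper: its sample config lines are constructed from the thread's placeholder addresses, and the handling of the multi-address policy block (`set policy id N` / `set dst-address ...` / `exit`) is my assumption about how ScreenOS writes policies that carry more than one address.

```python
import re
# Constructed sample of `get config` output; placeholder addresses as in the thread.
SAMPLE_CONFIG = """\
set interface "ethernet0/2" mip 1.2.3.0 host 10.1.1.250 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 1.2.3.1 host 10.1.1.25 netmask 255.255.255.255 vr "trust-vr"
set policy id 35 name "RDP - Citrix" from "Untrust" to "Trust"  "Any" "MIP(1.2.3.1)" "Citrix -ICA" permit log
set policy id 40 name "Web" from "Untrust" to "Trust"  "Any" "MIP(1.2.3.0)" "HTTP" permit log
set policy id 40
set dst-address "MIP(1.2.3.1)"
exit
"""
MIP_RE = re.compile(r'^set interface "([^"]+)" mip (\S+) host (\S+) ')
POLICY_RE = re.compile(r'^set policy id (\d+) name .*?"MIP\(([^)]+)\)"')
POLICY_OPEN_RE = re.compile(r'^set policy id (\d+)$')  # assumed multi-address block opener
EXTRA_ADDR_RE = re.compile(r'^set (?:src|dst)-address "MIP\(([^)]+)\)"')

def mips_for_host(config, host_ip):
    """[(interface, mip_ip)] for every MIP mapping host_ip: what 'get config | include' surfaces."""
    return [(m.group(1), m.group(2)) for m in map(MIP_RE.match, config.splitlines())
            if m and m.group(3) == host_ip]

def mips_per_policy(config):
    """policy id -> set of MIP addresses it references (one-line form plus assumed block form)."""
    refs, current = {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            refs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := POLICY_OPEN_RE.match(line):
            current = m.group(1)
        elif current and (m := EXTRA_ADDR_RE.match(line)):
            refs.setdefault(current, set()).add(m.group(1))
        elif line.strip() == "exit":
            current = None
    return refs

def removal_plan(config, host_ip):
    """Per MIP of host_ip: the policies pinning it and the CLI steps in the thread's order.
    A policy that also carries other addresses is flagged for WebUI editing, not unset."""
    refs, plan = mips_per_policy(config), []
    for iface, mip in mips_for_host(config, host_ip):
        users = {pid: sorted(a) for pid, a in refs.items() if mip in a}
        steps = []
        for pid, addrs in sorted(users.items()):
            others = [x for x in addrs if x != mip]
            steps.append(f"edit policy {pid} in WebUI (also uses {others})" if others
                         else f"unset pol id {pid}")
        steps.append(f'unset interface "{iface}" mip {mip}')
        plan.append({"mip": mip, "policies": users, "steps": steps})
    return plan
```

Run `removal_plan(SAMPLE_CONFIG, "10.1.1.25")` to see policy 35 (MIP only) queued for `unset pol id 35` while policy 40, which also uses another MIP, is flagged for the WebUI before the interface MIP can be removed.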
 
LVL 21

Author Comment

by:developmentguru
ID: 24437823
I am at home so I cannot test at the moment, but if I remove the policy and remove the MIP on Interface... and still have the issue... what should I check then?
 
LVL 21

Author Closing Comment

by:developmentguru
ID: 31580121
I really appreciate the time and effort you put into this.  You have given me information that I will refer to often in the future.  Thanks for all the help.