Really strange network problem after Juniper SRX install

Two nights ago we removed a Juniper Netscreen SSG 5 and replaced it with a Juniper SRX 210. The company that performed the install tested everything on their computers and the internet was accessible for them on our network so they called it a night and went home.

When we got in yesterday, some websites were available and some weren't. Strangely, microsoft.com wasn't available. This made us think Conficker worm or DNS problem. After checking for both of these issues and determining that this wasn't the cause, we thought that perhaps the problem was corrupted ARP tables on the Juniper or our switches. We rebooted every device on the system including all servers and networking infrastructure.

After all this the same random sites were not available.

The strange thing in all of this is that any device that was placed on the network prior to the Juniper SRX install is not able to access the random sites I noted above. The two computer consultants whose computers had never logged into our network until after the Juniper box was installed could access any site they wanted.

We are totally stumped. We can access some websites but in other cases we can't.

Any suggestions would be really appreciated
lowrycito Asked:

rfc1180 Commented:
Run a 60-second ping test to the default gateway:

ping -n 60 192.168.1.1

Then a 60-second test to google.com:

ping -n 60 google.com

Also a pathping to google.com.

Output the results of the statistics at the end of the test (do not include all 60 counts of each ping test, just the statistics).

Also, do you have a network diagram?
What is directly connected on the untrust side of the SRX (what type of Internet connectivity do you have)?

Billy
0
lowrycito Author Commented:
Stats for Default Gateway:

Ping statistics for 10.10.0.1:
    Packets: Sent = 60, Received = 60, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Stats for Google:

Ping statistics for 66.102.7.99:
    Packets: Sent = 60, Received = 60, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 19ms, Average = 16ms
Stats for ping -n google.com

Stats for yahoo

Ping statistics for 67.195.160.76:
    Packets: Sent = 60, Received = 58, Lost = 2 (3% loss),
Approximate round trip times in milli-seconds:
    Minimum = 91ms, Maximum = 96ms, Average = 91ms

I included yahoo.com because this is a website we can ping but we can't access in IE or Firefox or any other browser but the outside consultants could.

The only thing connected to the untrust zone on the Juniper is a Bonded T1 from our telco.

John
0
rfc1180 Commented:
What were you using before the migration to the SRX? The SSG5 does not have any modular slots; what did you have the bonded T1 connected to before?

Billy
0
lowrycito Author Commented:
The T1 is connected to the SRX box via Ethernet coming from an Adtran the telco put in place. It is connected exactly the same as it was before on the SSG.

What I can't figure out is why the network consultants could connect to our network and have no problems connecting to any website but we can't.
0
rfc1180 Commented:
>The T1 is connected to the SRX box via ethernet coming from an Adtran the telco put in place. It is connected exactly the same as it was before on the SSG.

Cool.

Check to see if you are using a proxy in IE or any other browsers. Is the SSG5 still connected to the network, or did the consultants disconnect it from the network?

Can you connect directly to the trust port of the SRX and access the Internet?

Do you have a network diagram?
0
Valutus Commented:
That sounds like an MTU issue... Can you post the SRX210 config?
0
boogeymann Commented:
Post your SRX config please. Is the SSG still connected to the network?
Can you see the connection in the logs of the SRX firewall?
0
lowrycito Author Commented:
Turned out it was a bad SRX...JTAC RMAed the device.
0
rfc1180 Commented:
>Turned out it was a bad SRX...JTAC RMAed the device.
Nice, glad to hear you found out what the issue was.
0
Aodh Commented:
Hi,
I also had this issue with some of the websites mentioned above and others. It turned out that it was the MSS size that was causing the issue. Once this was reduced to 1350 all was well again.
0
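Added example, not part of the thread: Windows ping sends 32-byte payloads by default, so the ping tests posted above cannot confirm or rule out the MTU/MSS explanation that Valutus and Aodh raise. This Python sketch binary-searches the largest Don't Fragment echo that crosses the path and derives the TCP MSS that fits. The function names are hypothetical; it assumes IPv4, TCP without options, and the Windows `ping` flags `-f` (set DF) and `-l` (payload size).

```python
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)

def windows_df_ping(host, payload):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), "-w", "2000", host],
        capture_output=True, text=True)
    # Require a real echo reply line, not only a zero exit code.
    return result.returncode == 0 and "TTL=" in result.stdout

def find_path_mtu(host, probe=windows_df_ping, low=68, high=1500):
    """Largest IP packet size that passes unfragmented, or None if none does."""
    lo, hi = low - IP_ICMP_HEADERS, high - IP_ICMP_HEADERS
    if not probe(host, lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2      # round up so the loop always advances
        if probe(host, mid):
            lo = mid                  # mid fits, search larger payloads
        else:
            hi = mid - 1              # mid is too big, search smaller
    return lo + IP_ICMP_HEADERS

def diagnose(host, probe=windows_df_ping, link_mtu=1500):
    """Report path MTU, the MSS that fits it, and whether the path is reduced."""
    mtu = find_path_mtu(host, probe, high=link_mtu)
    if mtu is None:
        return {"host": host, "path_mtu": None, "max_mss": None, "suspect": True}
    return {"host": host, "path_mtu": mtu, "max_mss": mtu - IP_TCP_HEADERS,
            "suspect": mtu < link_mtu}

def simulated_path(path_mtu):
    """Constructed stand-in for a real path: drops DF packets above path_mtu."""
    return lambda host, payload: payload + IP_ICMP_HEADERS <= path_mtu

if __name__ == "__main__":
    # Constructed scenario: a path that only carries 1390-byte packets.
    print(diagnose("example.test", probe=simulated_path(1390)))
```

If `suspect` is true, small pings succeed while full-size TCP segments are dropped, which matches the "can ping but cannot browse" symptom; clamping the MSS on the firewall to `max_mss` or lower is the usual remedy.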