Solved

Juniper Says : "The device was unable to reach the entitlement server to retrieve license keys"

Posted on 2011-10-27
Last Modified: 2012-05-12
I've updated the DNS server and set the time to my real time zone correctly, but I still get the following error:

The device was unable to reach the entitlement server to retrieve license keys

How should I overcome this issue?
Question by:3XLcom
40 Comments
LVL 32

Expert Comment

by:dpk_wal
ID: 37038718
Have a look at article below:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB6926

Please check and update.

Thank you.

Author Comment

by:3XLcom
ID: 37038819
I've updated the DNS server as described,

and this is the result from SSH:



SSG520-> ping google.com
Bad IP address google.com.

jun-dns.png
LVL 18

Expert Comment

by:Sanga Collins
ID: 37038875
Are you able to ping the DNS servers you have configured from a console session?
LVL 32

Expert Comment

by:dpk_wal
ID: 37038919
So it seems the SSG is not able to reach the DNS server.

Can you ping the DNS server IP from the SSG? I was able to ping both servers from my laptop.

For security reasons please do not post complete IPs; you should mask two octets.

Once everything is configured properly, the AV update should work.

Thank you.

Author Comment

by:3XLcom
ID: 37038935
This is so strange. No, I am not, and I am also not able to ping Google's IP :(

But that is impossible, because the device is connected to the internet and is passing nearly 80 Mbit of traffic to the network right now :S


SSG520-> ping 208.67.222.222
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 1 seconds
ip 208.67.222.222 is unreachable in vr trust-vr

Success Rate is 0 percent.




SSG520-> ping 74.125.39.106
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 74.125.39.106, timeout is 1 seconds
ip 74.125.39.106 is unreachable in vr trust-vr

Success Rate is 0 percent.


Author Comment

by:3XLcom
ID: 37038958
Symptoms that I detect:
I am able to ping the trust network but not able to ping the untrust network.
I am able to ping from the untrust network to the trust network servers.
I am able to ping from the trust network servers to the untrust network.
I am able to ping the Juniper from the trust network, and the web UI and SSH also work from the trust network.
I am not able to use SSH, the web UI, or ping from the untrusted network.


I've given my config below; there is only one outside connection, on V1-Untrust, the 4th port of the Juniper.


set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "root"
set admin password "****************************"
set admin http redirect
set admin mail alert
set admin mail server-name "mail.salay.com.tr"
set admin mail mail-addr1 "c.e@salay.com.tr"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Untrust" no-dhcp-relay
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Trust" screen icmp-flood
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen icmp-large
set zone "V1-Untrust" screen on-tunnel
set zone "V1-Untrust" screen icmp-flood
set zone "V1-Untrust" screen udp-flood
set zone "V1-Untrust" screen winnuke
set zone "V1-Untrust" screen ip-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ip-spoofing
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "V1-Untrust" screen syn-frag
set zone "V1-Untrust" screen tcp-no-flag
set zone "V1-Untrust" screen ip-bad-option
set zone "V1-Untrust" screen ip-record-route
set zone "V1-Untrust" screen ip-timestamp-opt
set zone "V1-Untrust" screen ip-security-opt
set zone "V1-Untrust" screen ip-loose-src-route
set zone "V1-Untrust" screen ip-strict-src-route
set zone "V1-Untrust" screen ip-stream-opt
set zone "V1-Untrust" screen icmp-fragment
set zone "V1-Untrust" screen icmp-large
set zone "V1-Untrust" screen syn-fin
set zone "V1-Untrust" screen fin-no-ack
set zone "V1-Untrust" screen limit-session source-ip-based
set zone "V1-Untrust" screen syn-ack-ack-proxy
set zone "V1-Untrust" screen block-frag
set zone "V1-Untrust" screen limit-session destination-ip-based
set zone "V1-Untrust" screen icmp-id
set zone "V1-Untrust" screen ip-sweep threshold 1000
set zone "V1-Untrust" screen udp-flood threshold 250
set zone "V1-Untrust" screen limit-session source-ip-based 16
set zone "V1-Untrust" screen limit-session destination-ip-based 512
set zone "V1-Untrust" screen syn-ack-ack threshold 32
set zone "Trust" screen syn-flood timeout 50
set zone "V1-Untrust" screen syn-flood alarm-threshold 16
set zone "V1-Untrust" screen syn-flood attack-threshold 8
set zone "V1-Untrust" screen syn-flood source-threshold 8
set interface "ethernet0/0" zone "V1-Trust"
set interface "ethernet0/1" zone "V1-Trust"
set interface "ethernet0/2" zone "V1-Trust"
set interface "ethernet0/3" zone "V1-Untrust"
set interface vlan1 ip xxx.xxx.xxx.37/24
set interface "ethernet0/1" pmtu ipv4
set interface "ethernet0/2" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 manage-ip xxx.xxx.xxx.38
set interface vlan1 ip manageable
set interface vlan1 manage mtrace
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage ssl
set zone V1-Untrust manage web
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain firewall.salay.com.tr
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.67.222.222 src-interface vlan1
set dns host dns2 208.67.220.220 src-interface vlan1
set dns host dns3 0.0.0.0
set group address "V1-Untrust" "Syn"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack db sigpack base
set av all fail-mode traffic permit
set url protocol websense
set server src-interface vlan1
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 2 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" permit log 
set policy id 2 av "ns-profile"
set policy id 2 anti-spam ns-profile
set policy id 2
set log session-init
exit
set policy id 3 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit log 
set policy id 3
exit
set syslog src-interface vlan1
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp community "PRTG" Read-Write Trap-on  traffic version v2c
set snmp host "PRTG" xxx.xxx.xxx.7 255.255.255.255 src-interface vlan1 trap v2
set snmp location "Izmir"
set snmp contact "Cahit Eyigünlü"
set snmp name "SSG520"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

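The "ip 208.67.222.222 is unreachable in vr trust-vr" result posted earlier can be checked against this config mechanically. The script below is an added example, not code from the thread or from Juniper: it parses the vlan1 address, the DNS servers and any "set route" entries from a ScreenOS config excerpt and reports whether each DNS server is on the vlan1 subnet, covered by a configured route, or neither. The config excerpt inside the script is constructed, with 192.0.2.0/24 standing in for the masked xxx.xxx.xxx.0/24 block.

```python
"""Check whether a ScreenOS transparent-mode config gives the vlan1
management interface a path to its configured DNS servers.

Added diagnostic (not from the thread or from Juniper). It encodes one
routing fact: a destination outside the vlan1 subnet is reachable only
through a gateway, so the vrouter needs a route (default or specific)
that covers it. The sample config is constructed; 192.0.2.0/24 stands
in for the masked block in the post.
"""
import ipaddress
import re

# Constructed excerpt mirroring the relevant lines of the posted config.
SAMPLE_CONFIG = """
set interface "ethernet0/3" zone "V1-Untrust"
set interface vlan1 ip 192.0.2.37/24
set interface vlan1 manage-ip 192.0.2.38
set dns host dns1 208.67.222.222 src-interface vlan1
set dns host dns2 208.67.220.220 src-interface vlan1
set dns host dns3 0.0.0.0
set vrouter "trust-vr"
unset add-default-route
exit
"""

VLAN1_IP_RE = re.compile(r'^set interface vlan1 ip (\S+)$')
DNS_RE = re.compile(r'^set dns host dns\d (\S+)')
# Any "set route <prefix> ..." entry; only the prefix matters here.
ROUTE_RE = re.compile(r'^set route (\S+)')


def parse_config(text):
    """Return (vlan1 network or None, list of DNS IPs, list of route prefixes)."""
    vlan1_net, dns_servers, routes = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := VLAN1_IP_RE.match(line):
            # ip_interface keeps the host address and yields its subnet
            vlan1_net = ipaddress.ip_interface(m.group(1)).network
        elif m := DNS_RE.match(line):
            ip = ipaddress.ip_address(m.group(1))
            if not ip.is_unspecified:          # "dns3 0.0.0.0" is an empty slot
                dns_servers.append(ip)
        elif m := ROUTE_RE.match(line):
            routes.append(ipaddress.ip_network(m.group(1), strict=False))
    return vlan1_net, dns_servers, routes


def dns_reachability(text):
    """Map each DNS server to 'on-link', 'routed' or 'unreachable'.

    'unreachable' corresponds to the ScreenOS message seen in the thread:
    the destination is off the vlan1 subnet and no route covers it.
    """
    vlan1_net, dns_servers, routes = parse_config(text)
    verdicts = {}
    for ip in dns_servers:
        if vlan1_net is not None and ip in vlan1_net:
            verdicts[str(ip)] = "on-link"
        elif any(ip in r for r in routes):
            verdicts[str(ip)] = "routed"
        else:
            verdicts[str(ip)] = "unreachable"
    return verdicts


if __name__ == "__main__":
    for server, verdict in dns_reachability(SAMPLE_CONFIG).items():
        print(f"{server}: {verdict}")
```

Both OpenDNS resolvers come out "unreachable" for the sample, because they are off the vlan1 subnet and the excerpt carries no route that covers them.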

Author Comment

by:3XLcom
ID: 37038973
Sorry for the mistakes:

I am able to ping the trust network but not able to ping the untrust network, from the Juniper.
I am able to ping from the untrust network to the trust network servers, from my laptop.
I am able to ping from the trust network servers to the untrust network, from my server to Google for example.
I am able to ping the Juniper from the trust network, and the web UI and SSH also work from the trust network.
I am not able to use SSH, the web UI, or ping from the untrusted network.
LVL 32

Expert Comment

by:dpk_wal
ID: 37038983
You have the firewall in L2 transparent mode, so you should check your network for ping issues, as the firewall is only acting at L2.
Can you ping from other network entities, and if you take the firewall off, does that resolve the ping issue?

Author Comment

by:3XLcom
ID: 37039020
No chance; I've disabled all screen options but am still not able to reach the untrusted network from the device.
LVL 18

Expert Comment

by:Sanga Collins
ID: 37039029
dpk_wal beat me to the punch!

Yeah, it looks like layer 2 mode is your setup. So there is probably something else in the network causing your issues.

Author Comment

by:3XLcom
ID: 37039058
I am not sure about this part:

set interface vlan1 ip xxx.xxx.xxx.37/24
set interface "ethernet0/1" pmtu ipv4
set interface "ethernet0/2" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 manage-ip xxx.xxx.xxx.38

My router IP is xxx.xxx.xxx.1 and the Juniper web UI IP is xxx.xxx.xxx.38.

Do you think the bold part for the interface vlan1 IP is correct with xxx.xxx.xxx.37, or do I need to change it to xxx.xxx.xxx.1?

Author Comment

by:3XLcom
ID: 37039096
Another very strange thing: I am able to ping from the router.


I am able to ping the router and also ping from the router, but on the router there is no limitation in the access policies, as you can see below, so it is only the Juniper that is not able to access the other networks.

The router is on the untrusted port.

xxxxxxxx#ping xxx.xxx.xxx.37

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xxx.xxx.37, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
xxxxxxxx#ping xxx.xxx.xxx.38

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxx.xxx.xxx.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
xxxxxxxx#show access-lists
Extended IP access list 101
    10 permit ip any any log (31067056 matches)
Extended IP access list 103
    10 deny ip host 46.45.171.100 host xxx.xxx.xxx.156
    20 permit tcp any host xxx.xxx.xxx.156 eq www (102924 matches)
    30 permit tcp any host xxx.xxx.xxx.156 eq 8443 (625 matches)
    40 permit tcp any host xxx.xxx.xxx.156 eq ftp (2 matches)
    50 permit tcp any host xxx.xxx.xxx.156 eq telnet (1 match)
    60 permit tcp any host xxx.xxx.xxx.156 eq pop3 (25 matches)
    70 permit tcp any host xxx.xxx.xxx.156 eq smtp (119 matches)
    80 permit tcp any host xxx.xxx.xxx.156 eq 443 (1 match)
    90 permit tcp any host xxx.xxx.xxx.156 eq 3389 (94680 matches)
    100 permit tcp any host xxx.xxx.xxx.156 eq domain
    110 permit udp any host xxx.xxx.xxx.156 eq domain (1459 matches)
    120 deny ip host 46.45.171.100 host xxx.xxx.xxx.162
    130 permit tcp any host xxx.xxx.xxx.162 eq www (349647 matches)
    140 permit tcp any host xxx.xxx.xxx.162 eq 8443 (108 matches)
    150 permit tcp any host xxx.xxx.xxx.162 eq ftp (1 match)
    160 permit tcp any host xxx.xxx.xxx.162 eq telnet
    170 permit tcp any host xxx.xxx.xxx.162 eq pop3 (36 matches)
    180 permit tcp any host xxx.xxx.xxx.162 eq smtp (118 matches)
    190 permit tcp any host xxx.xxx.xxx.162 eq 443 (1 match)
    200 permit tcp any host xxx.xxx.xxx.162 eq 3389 (106975 matches)
    210 permit tcp any host xxx.xxx.xxx.162 eq domain
    220 permit udp any host xxx.xxx.xxx.162 eq domain (747 matches)
    230 deny ip host 46.45.171.100 host xxx.xxx.xxx.163
    240 permit tcp any host xxx.xxx.xxx.163 eq www (75 matches)
    250 permit tcp any host xxx.xxx.xxx.163 eq 8443 (28 matches)
    260 permit tcp any host xxx.xxx.xxx.163 eq ftp
    270 permit tcp any host xxx.xxx.xxx.163 eq telnet (1 match)
    280 permit tcp any host xxx.xxx.xxx.163 eq pop3 (36 matches)
    290 permit tcp any host xxx.xxx.xxx.163 eq smtp (1 match)
    300 permit tcp any host xxx.xxx.xxx.163 eq 443 (5 matches)
    310 permit tcp any host xxx.xxx.xxx.163 eq 3389 (98515 matches)
    320 permit tcp any host xxx.xxx.xxx.163 eq domain
    330 permit udp any host xxx.xxx.xxx.163 eq domain (755 matches)
    340 deny ip any host xxx.xxx.xxx.156 (453235 matches)
    350 deny ip any host xxx.xxx.xxx.162 (808064 matches)
    360 deny ip any host xxx.xxx.xxx.163 (2186 matches)
    370 permit ip any any (28431430 matches)

LVL 32

Expert Comment

by:dpk_wal
ID: 37039150
.37 is the interface IP; .38 is the IP used only for management [dedicated].

The policies on the firewall currently allow all outbound and inbound traffic; the only difference is that for inbound traffic AV inspection is also enabled.

So for transit traffic [not having the device IP as source or destination], ALL traffic should be permitted outbound and inbound. As the device is in L2 mode there is no NAT; the device is a bump in the wire.

For device-specific traffic, for now you can configure: set interface <name> manage [this would allow all traffic to the device; remember to restrict it for security reasons].

Again, as I was saying: if you remove the firewall and connect your laptop directly, are the ping/DNS issues still seen?

Please update.

Author Comment

by:3XLcom
ID: 37039180
As I said, the router is on the untrusted side and can ping the Juniper, so the Juniper is not able to connect to other networks, or is not able to answer other networks' calls.

So I found this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21885

It says to disable 802.1X, but I could not find where to disable it.
LVL 32

Expert Comment

by:dpk_wal
ID: 37039207
The KB article is for SSL VPN, a different product from what you are using, the SSG520 firewall/VPN device. Using your laptop, can you bypass the firewall at the L2 switch level and check the results?

Author Comment

by:3XLcom
ID: 37039282
I am not able to reach it from my laptop. But if I connect my laptop to the router and get an IP like xx.xx.xx.100, it is OK, I can access it. So the Juniper does not allow me to connect from any network except xx.xx.xx.0-255, rather than checking trust or untrust.
LVL 32

Expert Comment

by:dpk_wal
ID: 37039368
As per my understanding you have a network something like this:

[internal network ultimately connecting to internet]---Cisco Router---SSG520---[network behind SSG]

My further understanding is that when you are connected directly into the Cisco router, most probably through an L2 switch [or the Cisco router is actually an L2/L3 switch], everything works. When you put the laptop behind the SSG520, you should still be able to ping/connect to everything else.

Please note that as the SSG520 is in L2 transparent mode, there is no IP on the SSG520 interfaces. The only IP on the SSG520 is the management IP .38, and also .37 [again for management].

Your PC can be in any IP subnet behind the SSG520, and as the policies on the SSG currently allow both inbound and outbound traffic from ANY source to ANY destination using ANY port/protocol, everything else should work.

Your cisco router would take care of routing. If you would traceroute, your first hop should be your cisco router.

Author Comment

by:3XLcom
ID: 37039404
These xxx.xxx.xxx.37 and .38 are RIPE-registered IP addresses, and
I am able to connect to any IP from xxx.xxx.xxx.1 to 255 from any place in the world, except .37 and .38.
There is no rule on the router specifically for .37 and .38. I have other IP blocks registered at RIPE,
for example
yyy.yyy.yyy.0-255, and I've checked that a computer connected to the router with a yyy IP address is not able to connect while it has that yyy address. So the problem is on the Juniper.

It does not allow me to do anything from other networks.
LVL 32

Expert Comment

by:dpk_wal
ID: 37039459
Can you draw a rough diagram of your network, with private IP subnets or with the two middle octets masked for public IPs, so we know what you are doing and how you are troubleshooting?

You know your network, but we do not; please provide details in your post so we understand what you are testing and how you are testing it. Your current posts are, sorry to say, meaningless.

Author Comment

by:3XLcom
ID: 37039543
This is my network diagram.

I am able to ping the Juniper from the router.
I am able to ping the router from my laptop.
I am able to ping the HP ProCurve switch from my laptop.
I am not able to ping the Juniper from my laptop.

The Juniper gets its IP address correctly from the router.

If I assign this IP to another server on the network, I am able to ping it from my laptop, so there is no access rule on the Cisco blocking connections for the Juniper IP addresses.


If I assign an IP from another network to a computer in the trusted zone, it is again not able to ping the Juniper.

So the only logical answer is that the Juniper is not allowing connections from the .



I've checked the ARP table of the Cisco, and it also shows that the Juniper gets its IP address correctly.
design.png
LVL 32

Expert Comment

by:dpk_wal
ID: 37039596
>> The Juniper gets its IP address correctly from the router.
You have configured the Juniper as an L2 box; it does not have an IP except for management, like an L2 switch, and that is .37 or .38... or whatever you wish.

>> If I assign this IP to another server on the network, I am able to ping it from my laptop, so there is no access rule on the Cisco blocking connections for the Juniper IP addresses.
Please note the IP which you assign to the Juniper is for management, so you can telnet/SSH to the SSG520. The SSG would not use this IP for NAT or anything else.

>> If I assign an IP from another network to a computer in the trusted zone, it is again not able to ping the Juniper.
Please note that to ping the SSG520 you should be in the same IP subnet as the IP address on the vlan1 interface.

Thank you for the diagram, but please also mention the IP subnets so we talk in definite terms and both know what is tested and tried.

Author Comment

by:3XLcom
ID: 37039630
Sir, these IP addresses are not for a private network; they are global IP addresses, and the router routes the calls to the devices correctly, so the Juniper is not accepting calls from other networks :S This is strange.
LVL 32

Expert Comment

by:dpk_wal
ID: 37039658
Let's use an example.
Let's say you have public IPs 1.1.1.1-1.1.1.255 and also another subnet 2.2.2.1-2.2.2.255.

Please map these two subnets onto your network diagram, and we can troubleshoot and see what is not working.

Author Comment

by:3XLcom
ID: 37039661
So there is no need for NAT or something else.
I am also not able to connect with telnet and SSH from other networks.


Forget about privacy, check this out: 77.223.156.1 is my router IP, and 77.223.156.37 and .38 are my Juniper IPs,
and for example maxihayat.net is 77.223.156.4 and is in the trusted zone; if I change the maxihayat.net IP address to 92.45.25.151 it is not able to ping 77.223.156.37 and .38,
and also the Juniper is not able to ping 92.45.25.151.

So it is not accepting connections from other networks and is not able to connect to them; that is what I mean.
LVL 32

Expert Comment

by:dpk_wal
ID: 37039720
Get me the output of the commands below:
get interface
get system

Please mask the serial number, hostname, public IPs and other sensitive information.

Author Comment

by:3XLcom
ID: 37039730
Check this out:
SSG520-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth0/0         0.0.0.0/0                         V1-Trust    0012.1eac.4680    -   U   -
eth0/1         0.0.0.0/0                         V1-Trust    0012.1eac.4685    -   U   -
eth0/2         0.0.0.0/0                         V1-Trust    0012.1eac.4686    -   D   -
eth0/3         0.0.0.0/0                         V1-Untrust  0012.1eac.4687    -   U   -
vlan1          77.223.156.37/24                  VLAN        0012.1eac.468f    1   U   -
null           0.0.0.0/0                         Null        N/A               -   U   0
SSG520-> get system
Product Name: SSG-520
Serial Number: 0156052006000296, Control Number: 00000000
Hardware Version: 0000(0)-(00), FPGA checksum: 00000000, VLAN1 IP (77.223.156.37)
Software Version: 6.0.0r4.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Fri Jan 11 17:10:48 PST 2008
Base Mac: 0012.1eac.4680
File Name: screenos_image, Checksum: be2aa935
, Total Memory: 1024MB

Date 10/27/2011 20:39:11, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 28 hours 49 minutes 17 seconds Since 26Oct2011:15:49:54
Total Device Resets: 1, Last Device Reset at: 10/25/2011 14:01:23

System in transparent mode.

Use interface IP, Config Port: 80
Manager IP enforced: False
Manager IPs: 0

Address              Mask                 Vsys
-------------------- -------------------- --------------------
User Name: root

Interface ethernet0/0:
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode xparent, port vlan 1
  link up, phy-link up/full-duplex
  vsys Root, zone V1-Trust, vr trust-vr
  *ip 0.0.0.0/0   mac 0012.1eac.4680
  bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Interface ethernet0/1:
  description ethernet0/1
  number 5, if_info 5040, if_index 0, mode xparent, port vlan 1
  link up, phy-link up/full-duplex
  vsys Root, zone V1-Trust, vr trust-vr
  *ip 0.0.0.0/0   mac 0012.1eac.4685
  bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Interface ethernet0/2:
  description ethernet0/2
  number 6, if_info 6048, if_index 0, mode xparent, port vlan 1
  link down, phy-link down
  vsys Root, zone V1-Trust, vr trust-vr
  *ip 0.0.0.0/0   mac 0012.1eac.4686
  bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
Interface ethernet0/3:
  description ethernet0/3
  number 7, if_info 7056, if_index 0, mode xparent, port vlan 1
  link up, phy-link up/full-duplex
  vsys Root, zone V1-Untrust, vr trust-vr
  *ip 0.0.0.0/0   mac 0012.1eac.4687
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps


0
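As an added example (Python, not code from the thread or from Juniper): a small parser for the `get interface` table and the management-related lines of `get system` shown above, which pulls out the settings a practitioner would check on this box before making it reachable from beyond its own /24. The sample text is copied from the output above, trimmed; the column layout assumed is the ScreenOS 6.0 one shown there.

```python
import re

# Constructed sample: the `get interface` table and the relevant `get system`
# lines copied from the thread's output above (trimmed).
SAMPLE = """\
SSG520-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth0/0         0.0.0.0/0                         V1-Trust    0012.1eac.4680    -   U   -
eth0/1         0.0.0.0/0                         V1-Trust    0012.1eac.4685    -   U   -
eth0/2         0.0.0.0/0                         V1-Trust    0012.1eac.4686    -   D   -
eth0/3         0.0.0.0/0                         V1-Untrust  0012.1eac.4687    -   U   -
vlan1          77.223.156.37/24                  VLAN        0012.1eac.468f    1   U   -
null           0.0.0.0/0                         Null        N/A               -   U   0
SSG520-> get system
Software Version: 6.0.0r4.0, Type: Firewall+VPN
The Network Time Protocol is Disabled
System in transparent mode.

Use interface IP, Config Port: 80
Manager IP enforced: False
Manager IPs: 0
"""

# One row of the interface table: name, ip/mask, zone, mac, vlan, state flag, vsd
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<zone>\S+)\s+(?P<mac>\S+)\s+"
    r"(?P<vlan>\S+)\s+(?P<state>[AIUDR])\s+(?P<vsd>\S+)\s*$"
)


def parse_interfaces(text):
    """Return one dict per row of the `get interface` table, in table order."""
    rows, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("Name") and "Zone" in line
            continue
        m = ROW_RE.match(line)
        if m is None:          # first line that is not a row ends the table
            break
        rows.append(m.groupdict())
    return rows


def up_ports_by_zone(text):
    """Map zone -> physical ports that are up: the wires the vlan1 address answers on."""
    out = {}
    for r in parse_interfaces(text):
        if r["name"].startswith("eth") and r["state"] == "U":
            out.setdefault(r["zone"], []).append(r["name"])
    return out


def management_findings(text):
    """Settings in `get system` that matter once the box is routable from outside."""
    findings = []
    ifaces = {r["name"]: r for r in parse_interfaces(text)}
    mgmt = ifaces.get("vlan1")
    if "System in transparent mode." in text and mgmt and mgmt["ip"] != "0.0.0.0/0":
        findings.append(f"transparent mode: management address {mgmt['ip']} sits on vlan1, "
                        "shared by every V1-zone port, subject to each zone's manage settings")
    port = re.search(r"Config Port: (\d+)", text)
    if port and port.group(1) == "80":
        findings.append("WebUI on TCP/80: admin credentials travel in cleartext")
    if re.search(r"^Manager IP enforced: False", text, re.M):
        findings.append("no manager-ip list: any source that can reach vlan1 may try an admin login")
    if "Network Time Protocol is Disabled" in text:
        findings.append("NTP disabled: a hand-set clock drifts, which breaks TLS certificate validity checks")
    return findings


if __name__ == "__main__":
    print(up_ports_by_zone(SAMPLE))
    for f in management_findings(SAMPLE):
        print("-", f)
```

`Manager IP enforced: False` together with `Manager IPs: 0` means no `set admin manager-ip` entries exist, so once the device can route to the Internet, the only thing between the Internet and the admin ports is the zones' manage settings and the password; restricting manager-ip and moving management off TCP/80 is worth doing before, not after, the default route goes in.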
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37039815
Thank you; now I understand what you are trying to do.

So, as you have two interfaces on the trust side going into two L2 switches, you are changing the IP from 77.x.x.4 to 92.x.x.151 and then the server loses connectivity.

Let me ask you this: let's say the Juniper box is removed from the network.
Case 1:
Your Cisco router is on 77.x.x.1 and your server is on 77.x.x.4; everything works.
Case 2:
Now you change your server to 92.x.x.151 and the router is still on 77.x.x.1. Does your server still have complete network connectivity?

Case 3:
Now we introduce the SSG520, so the setup is: cisco router---[eth0/3-SSG520-eth0/0]---server
I am assuming that the server still has complete reachability. In the above case, if we use physical interface eth0/1 in place of eth0/0, there should not be any difference.

Case 4:
Same setup as case 3, except that we change the server IP from 77.x.x.4 to 92.x.x.151; depending on the answer to case 2 above, the server would have connectivity or not.

Thank you.
0
 

Author Comment

by:3XLcom
ID: 37040027
Case 1:
Yes
Case 2:
Yes
Case 3:
Yes it has complete reachability
Case 4:
Server has connectivity
0
 

Author Comment

by:3XLcom
ID: 37040032
Case 4:
Server has connectivity
because the gateways point to the router IP address 77.xx.xx.1
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37040070
What is not working if all cases 1-4 work?
0
 

Author Comment

by:3XLcom
ID: 37040084
What do you mean by classes?
0
 

Author Comment

by:3XLcom
ID: 37040115
Sorry, I misread. All of them are working; the only problem is that the Juniper is not pinging other IP classes and the global network. It only works in 77.xx.xx.1 - 255.
It cannot access other IP addresses, and other IP addresses cannot access the Juniper either.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37040118
I think we both are on different pages here....

>> Case 4:
Server has connectivity
because gateways point router ip address 77.xx.xx.1

If the server has connectivity, then explain to me what is not working... I lost you here.

>> What is not working if all cases 1-4 work?
I wanted to ask what is not working... :)
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 37040224
Add default route on SSG520:
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 77.x.x.1

This should get connectivity of Juniper from everywhere else.
0
 

Author Comment

by:3XLcom
ID: 37040231
Sir, the problem is that

if you type 77.223.156.38 into your browser or SSH to it, you won't be able to connect, and if I ping Google from the Juniper it is not able to ping it.

The Juniper can access only the network which has IP addresses 77.223.156.1 - 255, and again only IP addresses in this range can reach the Juniper.

So the Juniper cannot access the update servers and other points. That is the problem; I do not understand why you do not understand me. That is all the problem is.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37040242
The Juniper did not have a reverse route, so adding the default route should solve the problem. Please check and update.
0
 

Author Closing Comment

by:3XLcom
ID: 37040249
In the end that resolved the issue :D
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37040263
Sorry it took a long time to find out; I was getting confused with other things earlier.
0
 

Author Comment

by:3XLcom
ID: 37040310
:D But it is very strange for a device set to L2 to need a default route, as if it were working in L3 mode :) OK, well, I am happy to have solved this; please check out my other SSG questions.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37040329
The route is only for management, not for transit traffic. If you wish you can put in specific subnet routes, but then I think you would have to add a lot of routes, and as the device is behind the Cisco router, adding a default route is the simplest thing! :)
0
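An added example (Python, not ScreenOS code from the thread) that models the accepted answer and the last comment above: the trust-vr routing table, which the firewall consults only for packets it originates itself (ping, DNS lookups, the license fetch; transit frames in transparent mode are bridged by zone and policy and never hit it), before and after the default route, plus the manager-ip check that becomes the only thing between the Internet and the admin ports once that route exists. 77.223.156.37/24 is the vlan1 address from the thread; the gateway 77.223.156.1 is assumed from the masked 77.x.x.1 in the accepted answer; 208.67.222.222 is a public resolver used as a stand-in for the DNS and entitlement servers; the routing model is a simplification of ScreenOS behaviour, not its implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]  # None: directly connected


class VirtualRouter:
    """Simplified ScreenOS vrouter: connected + static routes, longest-prefix lookup."""

    def __init__(self, name: str):
        self.name = name
        self.routes: List[Route] = []

    def add_interface(self, ifname: str, cidr: str) -> None:
        # An addressed interface contributes a connected route for its subnet;
        # in transparent mode vlan1 is the only such interface, hence the
        # "only 77.223.156.1 - 255 works" symptom in the thread.
        net = ipaddress.ip_interface(cidr).network
        self.routes.append(Route(net, ifname, None))

    def add_static(self, prefix: str, ifname: str, gateway: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), ifname,
                                 ipaddress.ip_address(gateway)))

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)  # longest prefix wins


def self_originated(vr: VirtualRouter, dst: str) -> str:
    """Where a packet the firewall itself sends would go."""
    r = vr.lookup(dst)
    if r is None:
        return "unreachable: no route"
    if r.gateway is None:
        return f"connected via {r.interface}"
    return f"via {r.gateway} on {r.interface}"


def admin_source_allowed(manager_ips: List[str], src: str) -> bool:
    """ScreenOS manager-ip semantics: an empty list ('Manager IPs: 0') means any
    source may attempt an admin login; otherwise src must match an entry."""
    if not manager_ips:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in manager_ips)


def thread_scenario():
    """Replay the thread: connected-only table, then the accepted default route."""
    vr = VirtualRouter("trust-vr")
    vr.add_interface("vlan1", "77.223.156.37/24")            # address from the thread
    targets = ["77.223.156.1", "208.67.222.222"]             # gateway (assumed) and a public resolver
    before = {t: self_originated(vr, t) for t in targets}
    # set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 77.223.156.1
    vr.add_static("0.0.0.0/0", "vlan1", "77.223.156.1")
    after = {t: self_originated(vr, t) for t in targets}
    return before, after


if __name__ == "__main__":
    before, after = thread_scenario()
    for t in before:
        print(f"{t:16} before: {before[t]:26} after: {after[t]}")
    print("admin from 203.0.113.9, no manager-ip:",
          admin_source_allowed([], "203.0.113.9"))
    print("admin from 203.0.113.9, manager-ip 77.223.156.0/24:",
          admin_source_allowed(["77.223.156.0/24"], "203.0.113.9"))
```

The before/after dictionaries show the two halves of the fix: the /24 connected route still wins for the gateway after the default route is added (longest prefix), and the resolver only becomes reachable through 77.223.156.1. The `admin_source_allowed` check is the reason to pair the default route with `set admin manager-ip`: with no entries, every source the new route lets in can reach the admin ports.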
