Solved

juniper ssg320 intrazone configuration issues Close - AGE OUT

Posted on 2013-01-27
9
2,331 Views
Last Modified: 2013-03-20
We have one main office and another small office that holds only 5 people. We have recently set up OpenVPN in our main office and created a bridged VPN between our main office LAN and a Windows 2003 server sitting in the small office. The Windows 2003 server has 2 NICs: one it uses to interface with the main office, which has network 192.168.0.0/20, and another it uses to talk to the local network on 192.168.16.0/24.

In the main office we have a Juniper SSG320 firewall, but in the small office we have no firewall at the moment. The computers in the main office can now ping and access resources on the Windows 2003 server in the small office and beyond, including resources on the 192.168.16.0/24 network, but when we try the other way around, computers beyond the Windows 2003 server can ping any machine in the main office, but if they try to access any shared file in the main office, or an intranet machine, or anything on this network, then it fails.

We have looked at the Juniper firewall and have even set up some policies that allow traffic from the other network; however, we are getting Close - AGE OUT and Close - RESP in the firewall log.

Any help would be highly appreciated.
Question by:aniga42
9 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 38824558
The SSG can be kept out of the calculation, since you implement an OpenVPN tunnel between the offices. OpenVPN traffic needs to pass the firewall, and that is all it sees. So your issue is more related to the OpenVPN config.

Can you explain why you use two NICs in the branch office? It should work much better if you just use the primary NIC (for the LAN), and nothing else.

Please tell more about your current OpenVPN config. In particular what you mean by "bridged VPN".
0
 

Author Comment

by:aniga42
ID: 38826947
Qlemo, thank you for your response.

Our openVPN config file is :
local 192.168.0.59
port 1194
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
proto udp
dev tap0
ca ca.crt
cert openvpn.crt
key openvpn.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.59 255.255.240.0 192.168.6.72 192.168.6.175
push "route 192.168.0.0 255.255.240.0"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DOMAIN mclellan.local"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log         /var/log/openvpn/openvpn.log
status /var/log/openvpn-status.log
verb 3



and when I say bridged I mean the computer that is running the OpenVPN client is bridged to the rest of the network, hence why it can get resources (this machine is Windows 2003 AD), whereas other machines in the other office, which connect to this Windows 2003 server that is running the client, cannot get resources from the external network.

Other machines are able to see the extended network through the Windows 2003 server, which is running Windows Routing and Remote Access to designate the next hop for all packets going to 192.168.0.0/20.

The connection and the routing seem to be OK, as they are able to ping internal computers on the 192.168.0.0/20 network, but when they try to access files our firewall is dropping these connections, and this I believe is where the problem lies.

Please see a diagram I quickly drew of our network attached.

Once again, many thanks for your time and effort.

Network design
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38827203
Do you have any proof of "but when they try to access files our firewall is dropping these connections"?
0
 

Author Comment

by:aniga42
ID: 38827354
Yes, we have proof in the firewall log, please see attached screenshot.
Firewall log
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38827758
What the logs show is related to PING (or DNS), and is a normal close as soon as the response is sent/received. It would have puzzled me if you had seen anything VPN related here.

The OpenVPN config above is for a Linux server (192.168.5.5) in your main office.

All in all, your config is kind of complicated. I'm still trying to figure out the details ;-).

I'm assuming you did not set up particular routes on clients in 192.168.0.0/20 for how to get to 192.168.16.0/24, or set them to ask the SSG to route further. The SSG will then route to the OpenVPN server, which again sends traffic to the W2003 server & OpenVPN client. The OpenVPN client will NOT perform address translation. The reply is sent via W2003 -> OpenVPN Server -> LAN, skipping the SSG.
This works because traffic is initiated on the SSG side, creating sessions with the proper flags. It is called asymmetric routing, since the packets take a different way for request and reply.

Traffic originating from the branch will not pass the Juniper, only replies will - and exactly that is the issue then. The SSG is receiving reply traffic for sessions it never created, and hence dismisses that. That is a feature to protect from unwanted traffic, and reduce processing time. To switch off that feature, start a telnet against SSG, and issue
  unset flow tcp-syn-check
0
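A toy model of the asymmetric path described in the accepted solution, added here as an example and not part of the thread: the SSG is modelled as a flow table with a TCP SYN check, and only traffic leaving the main LAN toward the branch passes through it. The branch host, file server and ports are constructed; the thread's 192.168.16.0/24 branch prefix is reused.

```python
# Toy model of the thread's topology: a stateful firewall (the SSG) that sees
# only one direction of branch-initiated TCP traffic. Added example, not from
# the thread; hosts, ports and the flow logic are constructed and simplified.
from collections import namedtuple
from dataclasses import dataclass, field
BRANCH_PREFIX = "192.168.16."   # branch LAN 192.168.16.0/24 (from the thread)
BRANCH_HOST = "192.168.16.10"   # constructed branch workstation
MAIN_SERVER = "192.168.0.20"    # constructed main-office file server

Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=[""])  # flags: "S"/"SA"

@dataclass
class StatefulFirewall:
    """Simplified ScreenOS-style flow table with an optional TCP SYN check."""
    syn_check: bool = True
    sessions: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def forward(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True                       # belongs to a known session
        # New session: TCP must begin with a SYN unless the SYN check is off.
        if pkt.proto != "tcp" or pkt.flags == "S" or not self.syn_check:
            self.sessions.add(fwd)
            return True
        self.dropped.append(pkt)              # reply to a session the SSG never saw
        return False

def via_ssg(pkt):
    """The SSG sees only traffic leaving the main LAN toward the branch; branch
    requests arrive through the bridged tunnel and bypass it (asymmetric path)."""
    return pkt.dst.startswith(BRANCH_PREFIX)

def exchange(fw, request, reply):
    """Deliver a request and its reply; False if the SSG drops either one."""
    return all(fw.forward(p) for p in (request, reply) if via_ssg(p))

def branch_ping(fw):        # ICMP echo from the branch: no SYN check applies
    return exchange(fw, Packet("icmp", BRANCH_HOST, MAIN_SERVER, 0, 0),
                        Packet("icmp", MAIN_SERVER, BRANCH_HOST, 0, 0))

def branch_smb(fw):         # TCP/445 handshake started from the branch
    return exchange(fw, Packet("tcp", BRANCH_HOST, MAIN_SERVER, 50000, 445, "S"),
                        Packet("tcp", MAIN_SERVER, BRANCH_HOST, 445, 50000, "SA"))

def main_office_smb(fw):    # the same handshake started from the main office
    return exchange(fw, Packet("tcp", MAIN_SERVER, BRANCH_HOST, 50001, 445, "S"),
                        Packet("tcp", BRANCH_HOST, MAIN_SERVER, 445, 50001, "SA"))
```

With the SYN check on, pings and main-office-initiated connections succeed while the branch's SYN/ACK replies are dropped, matching what the asker saw; with it off, the table also accepts any non-SYN TCP packet for an unknown flow, which is the protection the workaround gives up.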
 

Author Comment

by:aniga42
ID: 38933537
Qlemo: Thank you very much for the info. I fell ill and did not come to the office for a while hence my lack of response.

I have tested the "unset flow tcp-syn-check" command and it seems to do the trick; however, after an hour or so this resets itself and I am forced to do the command again manually.

Do you know of any way I can have this traffic trusted permanently?

Many thanks once again.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38933577
Sounds as if the CLI session is terminated, and the config rolled back. Issue a
  save
after you have changed the setting. That should make it persistent.
0
 

Author Comment

by:aniga42
ID: 38933603
Thank you very much for your support. I will have that tested.
0
