juniper ssg320 intrazone configuration issues Close - AGE OUT

Posted on 2013-01-27
Medium Priority
Last Modified: 2013-03-20
We have one main office and another small office that holds only 5 people. We have recently set up OpenVPN in our main office and created a bridged VPN between our main office LAN and a Windows 2003 server sitting in the small office. The Windows 2003 server has 2 NICs: one it uses to interface with the main office, which has network /20, and another it uses to talk to the local network on

In the main office we have a Juniper SSG320 firewall, but in the small office we have no firewall at the moment. The computers in the main office can now ping and access resources on the Windows 2003 server in the small office and beyond, including resources on the network, but when we try the other way around, computers beyond the Windows 2003 server can ping any machine in the main office, but if they try to access any shared file in the main office or intranet machine or anything on this network then it fails.

We have looked at the Juniper firewall and we have even set up some policies that allow traffic from the other network; however, we are getting Close - AGE OUT and Close - RESP in the firewall log.

Any help would be highly appreciated.
Question by:aniga42
LVL 71

Expert Comment

ID: 38824558
The SSG can be kept out of the calculation, since you implement an OpenVPN tunnel between the offices. OpenVPN traffic needs to pass the firewall, and that is all it sees. So your issue is more related to the OpenVPN config.

Can you explain why you use two NICs in the branch office? It should work much better if you just use the primary NIC (for the LAN), and nothing else.

Please tell more about your current OpenVPN config. In particular what you mean by "bridged VPN".

Author Comment

ID: 38826947
Qlemo, thanks for your response.

Our OpenVPN config file is:
port 1194                                  # UDP port the server listens on
up "/etc/openvpn/up.sh br0"                # attach tap0 to bridge br0 when the tunnel comes up
down "/etc/openvpn/down.sh br0"            # detach it again on shutdown
proto udp
dev tap0                                   # layer-2 (TAP) device, required for a bridged setup
ca ca.crt
cert openvpn.crt
key openvpn.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt              # remember client address assignments across restarts
push "route"
push "dhcp-option DNS"
push "dhcp-option DOMAIN mclellan.local"
keepalive 10 120                           # ping every 10 s, declare the peer dead after 120 s
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup                              # drop privileges after startup
log /var/log/openvpn/openvpn.log
status /var/log/openvpn-status.log
verb 3

and when I say bridged I mean the computer that is running the OpenVPN client is bridged to the rest of the network, which is why it can get resources (this machine is Windows 2003 AD), whereas other machines in the other office, which connect to this Windows 2003 server running the client, cannot get resources from the external network.

Other machines are able to see the extended network through the Windows 2003 server, which is running Windows Routing and Remote Access to designate the next hop for all packets going to

The connection and the routing seem to be OK, as they are able to ping internal computers on the network, but when they try to access files our firewall is dropping these connections, and this I believe is where the problem lies.

Please see a diagram I quickly drew of our network attached.

Once again, many thanks for your time and effort.

Network design
LVL 71

Expert Comment

ID: 38827203
Do you have any proof of "but when they try to access files our firewall is dropping these connections"?

Author Comment

ID: 38827354
Yes, we have proof in the firewall log; please see the attached screenshot.
Firewall log
LVL 71

Accepted Solution

Qlemo earned 2000 total points
ID: 38827758
What the logs show is related to PING (or DNS), and is a normal close as soon as the response is sent/received. It would have puzzled me if you had seen anything VPN related here.

The OpenVPN config above is for a Linux server ( in your main office.

All in all, your config is kind of complicated. I'm still trying to figure out the details ;-).

I'm assuming you did not set up particular routes on clients in for how to get to, or set them to ask the SSG to route further. The SSG will then route to the OpenVPN server, which again sends traffic to the W2003 server & OpenVPN client. The OpenVPN client will NOT perform address translation. The reply is sent via W2003 -> OpenVPN Server -> LAN, skipping the SSG.
This works because traffic is initiated on the SSG side, creating sessions with the proper flags. It is called asymmetric routing, since the packets take a different way for request and reply.

Traffic originating from the branch will not pass the Juniper, only replies will - and exactly that is the issue then. The SSG is receiving reply traffic for sessions it never created, and hence dismisses that. That is a feature to protect from unwanted traffic, and reduce processing time. To switch off that feature, start a telnet against SSG, and issue
  unset flow tcp-syn-check
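The session-table behaviour described above, as an added illustration that is not part of the thread: a toy stateful firewall that, with the SYN check on, only opens a session for the handshake's initial SYN, and with it off opens one for any packet. Host names are constructed, and the model deliberately ignores everything except the SYN flag and the session table.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the client's initial SYN of a TCP handshake

@dataclass
class StatefulFirewall:
    """Toy session table with an optional TCP SYN check. Check on: a packet with
    no matching session may open one only if it is an initial SYN. Check off
    (the effect of 'unset flow tcp-syn-check'): any stray packet opens a session."""
    syn_check: bool = True
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p):
        # sessions match both directions, so normalise the endpoint pair
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def forward(self, p):
        key = self._key(p)
        if key in self.sessions:
            self.log.append(("pass", "existing session", p))
            return True
        if p.syn or not self.syn_check:
            self.sessions.add(key)
            self.log.append(("pass", "new session", p))
            return True
        self.log.append(("drop", "non-SYN packet with no session", p))
        return False

def run_scenarios(syn_check):
    # Replays what the SSG sees in the thread's two cases (constructed hosts).
    fw = StatefulFirewall(syn_check=syn_check)
    # Main office -> branch: the SYN crosses the SSG on its way to the OpenVPN
    # server, so a session exists before any reply arrives.
    main_to_branch = fw.forward(Packet("MAIN_PC", "BRANCH_PC", 50000, 445, syn=True))
    # Branch -> main office: the SYN goes W2003 -> OpenVPN server -> LAN and never
    # touches the SSG; the first packet the SSG sees is the file server's reply.
    branch_to_main = fw.forward(Packet("MAIN_FILESRV", "BRANCH_PC", 445, 50001))
    return main_to_branch, branch_to_main

if __name__ == "__main__":
    print("syn-check on :", run_scenarios(True))   # (True, False): branch access fails
    print("syn-check off:", run_scenarios(False))  # (True, True)
```

Note that turning the check off lifts the protection for every flow through the firewall, not only the tunnel traffic, which is the trade-off behind the "feature to protect from unwanted traffic" remark above.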

Author Comment

ID: 38933537
Qlemo: Thank you very much for the info. I fell ill and did not come to the office for a while hence my lack of response.

I have tested the "unset flow tcp-syn-check" command and it seems to do the trick; however, after an hour or so this resets itself and I am forced to do the command again manually.

Do you know of any way I can have this traffic trusted permanently?

Many thanks once again.
LVL 71

Expert Comment

ID: 38933577
Sounds as if the CLI session is terminated, and the config rolled back. Issue a
after you have changed the setting. That should make it persistent.

Author Comment

ID: 38933603
Thank you very much for your support. I will have that tested.
