Solved

juniper ssg320 intrazone configuration issues Close - AGE OUT

Posted on 2013-01-27
Last Modified: 2013-03-20
We have one main office and another small office that holds only 5 people. We have recently set up OpenVPN in our main office and created a bridged VPN between our main office LAN and a Windows 2003 server sitting in the small office. The Windows 2003 server has 2 NICs: one it uses to interface with the main office, which has network 192.168.0.0/20, and another it uses to talk to the local network on 192.168.16.0/24.

In the main office we have a Juniper SSG320 firewall, but in the small office we have no firewall at the moment. The computers in the main office can now ping and access resources on the Windows 2003 server in the small office and beyond, including resources on the 192.168.16.0/24 network. But when we try the other way around, computers beyond the Windows 2003 server can ping any machine in the main office, but if they try to access any shared file in the main office, or an intranet machine, or anything on this network, then it fails.

We have looked at the Juniper firewall and we have even set up some policies that allow traffic from the other network; however, we are getting Close - AGE OUT and Close - RESP in the firewall log.

Any help would be highly appreciated.
Question by:aniga42

Expert Comment

by:Qlemo
ID: 38824558
The SSG can be kept off the calculation, since you implement an OpenVPN tunnel between the offices. OpenVPN traffic needs to pass the firewall, and that is all it sees. So your issue is more related to the OpenVPN config.

Can you explain why you use two NICs in the branch office? It should work much better if you just use the primary NIC (for the LAN), and nothing else.

Please tell more about your current OpenVPN config. In particular what you mean by "bridged VPN".

Author Comment

by:aniga42
ID: 38826947
Qlemo, thank you for your response.

Our OpenVPN config file is:
local 192.168.0.59
port 1194
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
proto udp
dev tap0
ca ca.crt
cert openvpn.crt
key openvpn.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.59 255.255.240.0 192.168.6.72 192.168.6.175
push "route 192.168.0.0 255.255.240.0"
push "dhcp-option DNS 192.168.0.2"
push "dhcp-option DOMAIN mclellan.local"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
status /var/log/openvpn-status.log
verb 3

When I say bridged, I mean the computer that is running the OpenVPN client is bridged to the rest of the network, which is why it can get resources (this machine is a Windows 2003 AD server), whereas other machines in the other office that connect through this Windows 2003 server running the client cannot get resources from the external network.

Other machines are able to see the extended network through the Windows 2003 server, which is running Windows Routing and Remote Access to designate the next hop for all packets going to 192.168.0.0/20.

The connection and the routing seem to be OK, as they are able to ping internal computers on the 192.168.0.0/20 network, but when they try to access files our firewall is dropping these connections, and this I believe is where the problem lies.

Please see a diagram I quickly drew of our network attached.

Once again, many thanks for your time and effort.

Network design

Expert Comment

by:Qlemo
ID: 38827203
Do you have any proof of "but when they try to access files our firewall is dropping these connections"?

Author Comment

by:aniga42
ID: 38827354
Yes, we have proof in the firewall log; please see the attached screenshot.
Firewall log

Accepted Solution

by:Qlemo (earned 500 total points)
ID: 38827758
What the logs show is related to PING (or DNS), and is a normal close as soon as the response is sent/received. It would have puzzled me if you had seen anything VPN related here.

The OpenVPN config above is for a Linux server (192.168.5.5) in your main office.

All in all, your config is kind of complicated. I'm still trying to figure out the details ;-).

I'm assuming you did not set up particular routes on clients in 192.168.0.0/20 for how to get to 192.168.16.0/24, or set them to ask the SSG to route further. The SSG will then route to the OpenVPN server, which again sends traffic to the W2003 server & OpenVPN client. The OpenVPN client will NOT perform address translation. The reply is sent via W2003 -> OpenVPN Server -> LAN, skipping the SSG.
This works because traffic is initiated on the SSG side, creating sessions with the proper flags. It is called asymmetric routing, since the packets take a different way for request and reply.

Traffic originating from the branch will not pass the Juniper, only replies will - and exactly that is the issue then. The SSG is receiving reply traffic for sessions it never created, and hence dismisses that. That is a feature to protect from unwanted traffic, and reduce processing time. To switch off that feature, start a telnet against SSG, and issue
  unset flow tcp-syn-check
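The asymmetric path described in the accepted answer, as an added Python model that is not part of this thread and not Juniper's code: a toy session table with a SYN check, replaying both directions so the branch-initiated flow is refused while the main-office-initiated flow passes. The hosts and ports are constructed, and the model's reading of what the syn-check flag does is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

class StatefulFirewall:
    """Simplified session table. With syn_check on, a packet matching no session
    is accepted only if it is a pure SYN; with syn_check off, any packet may open
    a session (assumed to be what 'unset flow tcp-syn-check' allows)."""

    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self.sessions = set()
        self.log = []

    @staticmethod
    def _key(pkt):
        # Direction-independent key so request and reply hit the same session.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.sessions:
            return "PASS"
        if pkt.flags == "S" or not self.syn_check:
            self.sessions.add(key)
            return "PASS"
        self.log.append(f"drop {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                        f"flags={pkt.flags}: no session and not a SYN")
        return "DROP"

def simulate(syn_check):
    """Replay the two asymmetric paths against one firewall (sample addresses)."""
    fw = StatefulFirewall(syn_check)
    # Main office -> branch: the SYN crosses the SSG; the SYN-ACK returns via the
    # OpenVPN server and never touches the SSG, so the SSG sees a clean opener.
    main_to_branch = fw.process(Packet("192.168.0.10", 40000, "192.168.16.20", 445, "S"))
    # Branch -> main office file server: the SYN goes W2003 -> OpenVPN server ->
    # LAN and skips the SSG; the server's reply goes to its default gateway (the
    # SSG), which sees a SYN-ACK for a session it never created.
    branch_to_main = fw.process(Packet("192.168.0.20", 445, "192.168.16.20", 40001, "SA"))
    return {"main_to_branch": main_to_branch, "branch_to_main": branch_to_main,
            "drops": list(fw.log)}
```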
 

Author Comment

by:aniga42
ID: 38933537
Qlemo: Thank you very much for the info. I fell ill and did not come to the office for a while hence my lack of response.

I have tested the "unset flow tcp-syn-check" command and it seems to do the trick; however, after an hour or so this resets itself and I am forced to run the command again manually.

Do you know of any way I can have this traffic trusted permanently?

Many thanks once again.

Expert Comment

by:Qlemo
ID: 38933577
Sounds as if the CLI session is terminated, and the config rolled back. Issue a
  save
after you have changed the setting. That should make it persistent.
 

Author Comment

by:aniga42
ID: 38933603
Thank you very much for your support. I will have that tested.