Solved

Juniper SSG-140 not reaching devices on VLAN

Posted on 2014-07-23
12
824 Views
Last Modified: 2014-08-05
Have a Juniper SSG-140 connected to a HP PROCURVE 2530 (J9775A) and also a SSL VPN connected to the same switch.

If i configure a interface with ex. DMZ, i am able to reach the SSL VPN, but if i create a vlan on the switch, tag the SSL VPN and the SSG port i cannot reach it. (i also tagged the port on the SSG using the SUB INTERFACE.

The switch have the default VLAN with a IP configured, is this ok?

Maybe the DEFAULT_VLAN having a configured IP is causing this?
0
Comment
Question by:manolocruz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 2
12 Comments
 

Author Comment

by:manolocruz
ID: 40215475
No one?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40216152
What does SSL VPN mean exactly? Is this another device terminating a VPN, so the SSG sees just another IP?
Maybe showing a small sketch of the relevant network participants would help much.
0
 

Author Comment

by:manolocruz
ID: 40216346
Is a MAG2600, another device.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:manolocruz
ID: 40216420
basically, a SSG-140 as follows:

0/0 - UNTRUST
0/1 - SW 1 - Port 1
0/2 - SW 2 - Port 1
0/3 - SW 1 - Port 3
0/4 - SW 2 - Port 3
0/5 - SW 1 - Port 5
0/6 - SW 2 - Port 5
0/7 - UNTRUST TO SSG140 (B)
0/8 - HA to SSG-140 (B)
0/9 - SW 1 Port 24

MAG 2600 SSL VPN connected on port 24 on SW 1

I bridged ports 0/3 and 0/4, created sub interface DMZ VLAN ID95, later MANAGEMENT will another VLAN here, with VLAN ID 42.

On Switch Created VLAN 95, tagged ports 3, 4 and 20.

Ports 0/1, 0/2, 0/3 and 0/4 are another bridge group, which later i will configure as TRUST and created several VLAN's, like SALES, MARKETING etc...
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 40216537
You certainly haven't the MAG and SSG on Sw1-24 ;-). But I get what you mean. So IF 0/9 on SSG should be the "VPN connection".

You are doing a lot of tagging, and use multiple connections to the same switch. You know that it makes things more complicated? You usually either assign a VLAN tag at each switch port or in the interfaces, but not both. You also don't need to use separate ports for different VLANs on the SSG side, as you might know - the routing info should be sufficient to separate traffic, and using too many zones gets confusing with all the rules you'll need for interzone traffic.

I'm still struggling with getting the right picture, and will need some guru meditation about that ;-).
0
 

Author Comment

by:manolocruz
ID: 40216550
The whole thing about vlans is to have everything in a HA configuration, we do have 2 firewalls, 2 switches and 2 MAG2600.
as the SSG's have 10 ports, we are using 2 for HA, 1 for untrust, leaving us with 6 for redundancy, 4 for the TRUST, which is the biggest traffic, 2 for management and DMZ.
TRUST cannot see or reach DMZ or management..
One thing that i noted now, is that the previous guy, configured a IP to the DEFAULT_VLAN, which i believe is wrong, ip should only be configured on the the MANAGEMENT VLAN, right?
0
 

Author Comment

by:manolocruz
ID: 40216707
Appreciate that!
thanks very much
0
 
LVL 9

Expert Comment

by:David Piniella
ID: 40220288
If you want TRUST to see the Management or DMZ, you're going to have to add routing to do that.

Is the IP that's been configured part of the VLAN that you're adding?
0
 

Author Comment

by:manolocruz
ID: 40232362
Solved!

it was a misconfiguration on SW.
0
 

Accepted Solution

by:
manolocruz earned 0 total points
ID: 40232375
for some strange reason, router wan't receiving TAG back from switch...

After a factory default on switch and reconfiguration, everything is working as it is supposed to.
0
 

Author Closing Comment

by:manolocruz
ID: 40240749
after contacting juniper and HP support we were able to find and solve the issue.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question