Kacey Fern


Juniper SSG 140 is not letting bandwidth through

Greetings experts,

I have a Juniper SSG 140, firmware 6.1.0r2.0, there is an update.. I will upgrade tonight.  

The problem is that my Internet speed tests are coming back at about 50 megs download, while I have a 200 meg connection.  The upload is 20 meg and working fine.

I have rebooted everything. The only other thing I did was try and switch the link to auto from full-duplex.  I ran the command: set interface e0/2 phy auto

When we hook a laptop directly into the cable modem and configure the static IP, we get the proper speed.
Any ideas on why the firewall isn’t letting the bandwidth through?  

Below is a get interface of the Internet connection.

Thanks,
Kacey

NYCCD-Manhatan-> get interface e0/2
Interface ethernet0/2:
  description ethernet0/2
  number 6, if_info 4848, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip xxxxxxxx
  gateway xxxxxx
  *manage ip xxxxxxxxx
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled
sw session infinity loop 0
Number of SW session: 47068, hw sess err cnt 0
NYCCD-Manhatan->
Qlemo

This line
 bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
tells you that you have a 100MBit/s interface, which is quite normal for an SSG 140 - it doesn't have in-built GBit ports. But you should still get more than 50MBit/s then.
The Trust interface is a different one, I suppose? That will again be restricted to 100MBit.

ASKER

right.. any idea why I would only get the 50?
ASKER CERTIFIED SOLUTION
Qlemo
This solution is only available to members.
ok, it doesn't make sense that I would only get 50 down, but what I'll do is go in tomorrow and try and put the WAN on one of the gigabit ports.  I'll comment back tomorrow afternoon after this is done.
thanks for your help..
Of course you also need to use the other GBit port for LAN, or expect to be capped at 80 MBit or so.
right..
This is the first time I'm attempting to use the gigabit ports.  As luck would have it, I don't know how...

I tried to give port 0/9 or 0/8 a static IP and set the zone to untrust.. this did not work.  I unset the IP for 0/2 (the original untrust) which did nothing.  I changed the zone to null for 0/2, nothing.  I deleted the mapped IPs and policies as well (need to do that to unset).

So I went in and reset the device. When you use the wizard, it will only let you use port 0/0, 0/1 or 0/2 for the initial trust / untrust scenario.

Does anyone have a quick reference on how to switch the trust 0/0 to 0/9 and the untrust 0/2 to 0/8?

Thanks for any help.
Kacey
You should have no issues adding interfaces to zones (i.e. changing the zone in the Interface setup). That the wizard does not allow selecting the GB ports is, well, interesting, but no obstacle.
When you say "did not work", what do you mean exactly?
I did a factory reset.  I got the Internet working on port e0/2.  Then I set up a second public IP on e0/8 and set the zone to untrust.
Unplugged the cable from 02 and plugged it into 08, Internet did not work.
No policies were configured.
Default policy is "deny-all", so this cannot be correct. You need at least one policy Trust to Untrust to allow traffic.
right.. That was the only one.  Sorry figured it was useless info since I said I was on Internet.. my bad.
First things to check are:
a) is eth0/8 working? Speed etc. detected correct?
b) enable traffic logging (at session beginning) in the policy, create some traffic, and then look into the log of that policy to check if it has been applied, and NAT works (you should see the public IPs in the "translated" columns).

Also check if eth0/8 is in the correct interface mode (Route, not NAT). The Trust interface needs to be in NAT mode. (To be precise, it should not matter for Trust <-> Untrust, as implicit NAT rules apply, but better to be sure).
Going in tomorrow at 11am to try and get this working again.  Thanks for the info.  Will update as I have info.
Thank you Qlemo for pointing me in the correct direction.

1. The end result was to download the config I already had.  
2. Edit the config and change anything that said e0/0 and make it e0/8 and anything that said e0/2 and make it e0/9.
3. Change the upload ports on the VPN in the config file to e0/9.
4. Replace the config, hit apply.

All came back up within two minutes and worked perfectly.  I left the old cables and new cables in the ports, 4 total.. while I did this.  I noticed on the new Juniper firewalls that if the cable is not connected to the router, then the config does not take sometimes.

Credit to Sanga Collins, another expert, for this idea.  I have another question regarding this.

My best-
Kacey
www.interlink.nyc
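
The search-and-replace described in the post above, written as a script. This is an added example, not the poster's procedure or Juniper tooling; the sample config lines are constructed, and remap_config, zone_bindings and drop_conflicts are hypothetical names.

```python
import re

# Port mapping from the post: e0/0 -> e0/8 and e0/2 -> e0/9.
PORT_MAP = {"0/0": "0/8", "0/2": "0/9"}

# Whole interface tokens only: "ethernet0/2" or "e0/2", quoted or not, but not
# "ethernet0/20" and not the "1/24" inside an IP prefix.
IFACE = re.compile(r'(?<![\w/.])(ethernet|e)(\d+/\d+)(?!\d)')
ZONE = re.compile(r'^set interface "?([\w/.]+)"? zone "?([^"]+)"?\s*$')

def remap_config(text, port_map=PORT_MAP, drop_conflicts=False):
    """Return (new_text, changed, conflicts); lists hold 1-based line numbers."""
    targets = set(port_map.values())
    out, changed, conflicts = [], [], []
    for n, line in enumerate(text.splitlines(), 1):
        # A line that already configures a destination port would leave that
        # port configured twice after the rename, so report it.
        if any(m.group(2) in targets for m in IFACE.finditer(line)):
            conflicts.append(n)
            if drop_conflicts:
                continue
        # One substitution pass, so a renamed port is never renamed again.
        new = IFACE.sub(
            lambda m: m.group(1) + port_map.get(m.group(2), m.group(2)), line)
        if new != line:
            changed.append(n)
        out.append(new)
    return "\n".join(out) + "\n", changed, conflicts

def zone_bindings(text):
    """Map interface -> zone; this dict keeps the last binding in the file."""
    found = (ZONE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

# Constructed sample, not the poster's configuration.
SAMPLE = """\
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 ip 203.0.113.10/29
set interface ethernet0/2 route
set interface "ethernet0/8" zone "Null"
set ike gateway "branch-gw" address 198.51.100.7 Main outgoing-interface "ethernet0/2" preshare "EXAMPLE-ONLY" proposal "pre-g2-aes128-sha"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
"""

if __name__ == "__main__":
    new_cfg, changed, conflicts = remap_config(SAMPLE, drop_conflicts=True)
    print(new_cfg, changed, conflicts, zone_bindings(new_cfg))
```

Comparing zone_bindings before upload confirms that the Untrust binding and the VPN outgoing interface moved to the intended ports and that no stale line still binds a destination port to another zone.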
I'm dejected that I didn't come up with that simple search-and-replace approach :/. That's the reason I was only monitoring the other question ;-).