Connectivity issues



  • Hi all

    I am new to Juniper ScreenOS (even though Junos is the new OS) and I am having issues with an SSG.
    The server cannot communicate, so I ran a get session. My question is: can someone tell me what the output is telling me?

    get session src-ip 10.96.128.71
    alloc 69/max 48064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 47995
    Total 12 sessions according filtering criteria.
    id 47465/s**,vsys 0,flag 00000040/4000/0001,policy 272,time 3, dip 0 module 0
    if 8(nspflag 800805):10.96.128.71/54157->172.17.252.168/53,17,002655e47b5c,sess token 41,vlan 707,tun 0,vsd 0,route 17
    if 13(nspflag 0804):10.96.128.71/54157<-172.17.252.168/53,17,000000000000,sess token 42,vlan 810,tun 0,vsd 0,route 89
    id 47471/s**,vsys 0,flag 00000040/4000/0001,policy 272,time 6, dip 0 module 0
    if 8(nspflag 800805):10.96.128.71/64261->172.17.248.134/53,17,002655e47b5c,sess token 41,vlan 707,tun 0,vsd 0,route 17
    if 13(nspflag 0804):10.96.128.71/64261<-172.17.248.134/53,17,000000000000,sess token 42,vlan 810,tun 0,vsd 0,route 90
    id 47552/s**,vsys 0,flag 00000040/4000/0001,policy 272,time 2, dip 0 module 0
    if 8(nspflag 800805):10.96.128.71/53047->172.17.248.134/53,17,002655e47b5c,sess token 41,vlan 707,tun 0,vsd 0,route 17
    if 13(nspflag 0804):10.96.128.71/53047<-172.17.248.134/53,

    Regards
    Zarcoff



  • Hi Marty

    We're using VRF lite…

    Which part of the config will be of use to you, as there are a lot of IP addresses?
    I don't mean to be difficult.

    Thanks
    zarcoff



  • OK, if you want you can strike the IPs from the config and then paste it.
    By VRF do you mean MPLS VRF?

    As you mentioned, both sub-interfaces are in the same trust zone, so just a policy would do if intrazone blocking is enabled; if intrazone blocking is not enabled, then not even a policy would be required.



  • Hi

    I can't post the config for security reasons, but your help would still be appreciated.

    I have two trust-zone sub-interfaces. One interface goes to a layer 2 switch with two servers.
    The other interface is connected to a VRF, then a layer 2 switch with two domain servers sending out 224.0.0.22 membership.

    The sub-interface connected to the VRF is not getting to the firewall.

    Firewall, VRF and switch configuration advice would be appreciated.



  • You would have to be a bit more detailed on your set-up.

    The get conf command would explain the set-up in detail.

    If you have the two servers and your DCs hanging off different interfaces and zones respectively, you would have to open up policies accordingly on your firewall.



  • Hi

    Yes, I understand. I have two servers hanging off an SSG device trying to connect to two domain controllers.
    The DCs are sending IGMPv3 joins; this I can see in Wireshark. How do I configure NetScreen security devices for this?

    The DCs are behind some routers and layer 2 devices.

    Great, thanks
    zarcoff



  • The get session output is just showing that from your source 10.96.128.71 it is trying to communicate to the respective destination 172.17.248.143 on port 53 using UDP (protocol 17), which is DNS traffic.

    Sent from my iPad using Tapatalk
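To make the reading of the `get session` dump above mechanical rather than by eye, here is a small parser (an added example, not part of the thread or of ScreenOS) that groups each `id ...` header with the two wing lines under it, orients each wing by its `->`/`<-` arrow, and reports client, server, service, policy hit and whether a return wing is present. The sample is two of the sessions pasted above, including the truncated last line, which the parser skips rather than choking on; the `SERVICE` port-name table is my own and covers only port 53.

```python
import re

# Constructed sample: two sessions from the `get session src-ip 10.96.128.71` dump in the thread.
# The last wing line is truncated exactly as it was pasted, so the parser must tolerate it.
SAMPLE = """\
id 47465/s**,vsys 0,flag 00000040/4000/0001,policy 272,time 3, dip 0 module 0
if 8(nspflag 800805):10.96.128.71/54157->172.17.252.168/53,17,002655e47b5c,sess token 41,vlan 707,tun 0,vsd 0,route 17
if 13(nspflag 0804):10.96.128.71/54157<-172.17.252.168/53,17,000000000000,sess token 42,vlan 810,tun 0,vsd 0,route 89
id 47552/s**,vsys 0,flag 00000040/4000/0001,policy 272,time 2, dip 0 module 0
if 8(nspflag 800805):10.96.128.71/53047->172.17.248.134/53,17,002655e47b5c,sess token 41,vlan 707,tun 0,vsd 0,route 17
if 13(nspflag 0804):10.96.128.71/53047<-172.17.248.134/53,
"""

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
SERVICE = {53: "DNS"}  # assumed port-name table; only the port this thread is about

SESSION_RE = re.compile(r"^id (?P<sid>\d+)/\S+,vsys \d+,flag \S+,policy (?P<policy>\d+),time \d+")
FLOW_RE = re.compile(
    r"^if (?P<ifidx>\d+)\(nspflag [0-9a-f]+\):"
    r"(?P<a>[0-9.]+)/(?P<ap>\d+)(?P<dir>->|<-)(?P<b>[0-9.]+)/(?P<bp>\d+),"
    r"(?P<proto>\d+),[0-9a-f]{12},sess token \d+,vlan (?P<vlan>\d+),tun \d+,vsd \d+,route (?P<route>\d+)$"
)

def parse_sessions(text):
    """Group each 'id ...' header with the wing lines under it; lines that do not parse are skipped."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SESSION_RE.match(line):
            sessions.append({"sid": int(m["sid"]), "policy": int(m["policy"]), "flows": []})
        elif (m := FLOW_RE.match(line)) and sessions:
            a, b = f"{m['a']}:{m['ap']}", f"{m['b']}:{m['bp']}"
            rev = m["dir"] == "<-"  # "A<-B" is the return wing: packets travel from B back to A
            sessions[-1]["flows"].append({"ifidx": int(m["ifidx"]), "src": b if rev else a,
                                          "dst": a if rev else b, "proto": int(m["proto"]),
                                          "vlan": int(m["vlan"]), "route": int(m["route"]),
                                          "reverse": rev})
    return sessions

def summarize(sessions):
    """Per session: client, server, service, policy hit, and whether a return wing line was present."""
    out = []
    for s in sessions:
        fwd = next((f for f in s["flows"] if not f["reverse"]), None)
        if fwd is None:
            continue
        port = int(fwd["dst"].rsplit(":", 1)[1])
        svc = f"{PROTO.get(fwd['proto'], fwd['proto'])}/{port}" + (f" ({SERVICE[port]})" if port in SERVICE else "")
        out.append({"sid": s["sid"], "client": fwd["src"], "server": fwd["dst"], "service": svc,
                    "policy": s["policy"], "return_wing": any(f["reverse"] for f in s["flows"])})
    return out
```

Note that the two wings of each session sit on different interfaces and VLANs (if 8 / vlan 707 out, if 13 / vlan 810 back), which is the kind of asymmetry worth checking when a VRF sits on one side, as in this thread.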

