Intra Zone Issue

  • Good Morning All,

    I am researching an issue with Intra Zone policy but so far I haven’t found a solution and looking for your assistance.

    I have a route on the SSG 140 to pass certain networks over the MPLS router.  I have configured a Trust to Trust policy (Allow ALL) and switched of Intra Block on the zone.

    But as soon as I try and print to a printer behind the MPLS it fails.  If I add a static route entry to my pc to affectivly bypass the firewall and send it direct to the MPLS router it works first time.

    The log shows:-

    2007-12-28 09:58:29 –  – – – MSRPC ENDPOINT MAPPER(TCP)  – 22 sec. 198 0 Close - AGE OUT.

    I have OS 6.0r3 and this issue only seemed to come about after I retrieved my subscript and addon such as DI were activated.  The are not in use within my policy.

    Any ideas would be appreciated as I am banging my head against a brick wall at the moment.


  • thank you screenie,

    I try open the post.

  • Global Moderator

    Hi jacky111,

    what do you mean by “waiting solution for fix it” ? It’s not a bug or something, it’s the way you set-up your routing! If you specify your problem I (and many other members) can advise you.

  • I also have this problem
    I using netscreen 25 and netscreen 5GT havent this problem
    It just ssg140 got this problem.
    waiting solution for fix it

  • Screenie,

    Thank you for all your assistance….


  • Global Moderator

    You can’t route the complete lan to the firewall, because the router allready has a directly connected network for this prefix. A directely connected route has a higher routing preference then a static route on all routers I know….
    You can off course add /32 routes for the hosts senning traffic over your MPLS. This is more specific then the /24 and this route should be taken.

    As to contributing to the forum: You allready are aren’t you, I think we have an interesting case here. Believe me when I say lot’s of people have Asym routing problems, they just don’t know it (:-

    What you could do more for the forum I doný know, I’m just an ordinary (junior) member. Ask signal15 hos an admin I believe.


  • Screenie,

    I have been giving this some thought and was considering adding a route to the MPLS router on the 192.168.10.x lan to pass data to the FW.

    I have had issues with Intra Zones before and generally cheated the stateful inspection issue by routing all traffic via the internal routers and then adding a DG to them as the FW…

    Given you experience what is the RFC or prefered method of deployment in thi envoirnment.  Issue like this never arose as previously deployed with a Watchguard FW which isn’t stateful aware…

    The Juniper is just too good…

    Your advise would be appreciated.


    Let me know how I can contribute to the forum…

    I have been working with Cisco, Checkpoint, Watchguard, Sonicwall and now Juniper…

    Plus lots of other security products.


  • Screenie,

    Thank you for your assitance.

    And a very Happy New Year to you…


  • Global Moderator

    Hi Stuart,

    You’re giving good info when explaining things. I’ve seen a lot worse on this forum and in my job.

    Let’s trace a session:

    PC is initiating, sending a syn to the printer
    It has no route to this destination so it sends it to it’s default gateway, the firewall.
    The firewall routes it back on same network to the MPLS router. ( ?)
    MPLS router routes it to the printer.


    Now the syn-ack comming back.

    printer routes to MPLS. MPLS sees destination is This, for the MPLS router is a directly connected network! No need to route it to the FW, so it sends it directly.


    and the FW is bypassed, doesn’t know the connection is ok!

    So how to solve?  Add a route on the PC for network with the MPLS router as a gateway, or leave things as you have now with unset flow tcp-syn-check.

    BTW had the FW been a router it would send a ICMP redirect to the PC with the message, “don’t use me, use my friend the MPLS router”.

    Succes, carefull with fireworks tonight! and a liltle premature maybe: Happy newyear!

  • Hi,

    Here is the current topology in txt format.

    Local pc host
    IP -
    DG -

    IP -
    Destination route - via GW routes traffic over mpls to

    Device on MPLS
    Printer -
    Has default route of MPLS router

    I have traced the data in both directions and it works.

    Do I need a source route?


  • Good Morning Screenie,

    Thank you for you reply it makes a lot of sense, I will check out the issue and hopefully track it down.

    Thanks Again.


  • Global Moderator

    Sorry about my many typos guys! I’ll try to read more before I press Post (:-

  • Global Moderator

    Hi Stuart,

    I think at some point your traffic is send directly to a device but returns over a router. You say that you enterd a route on a PC to the MPLS router, but is it returning traffic over the firewall maybe? It must something like this. From your logging I learned a thew things (yeah, a simple line of logging can tell a lot):

    1. The session was created, because the policy log was there.

    2. The reason for for ending the session was a time-out (that’s what age-out means.

    A session only will be create if the firewall knows how to route the traffic. That’s way I said the initial routing is ok.

    If a session is created and you don’t get a single character on tour printer in a tcp session it only can mean one thing: There’s a problem in the threeway handshake setup. So a syn get trough a syn-ack is “lost”.

    That’s where the unst flow tcp-syn-check come in. When set (and that’s default what it should be for good security it check wehter or not the syn-ack comes back from the same path (never checked it but I think based upon mac address) as the initial syn was send. When you have asymatric routing the syn-ack comes via another path and will be dropped by the firewall. This behaver you suppress with uns flow tcp-syn-check.

    So don’t look for a routing mistake in the firewall, look at oather device involved.

    To sove it just follow the routingtables and see where routing is direct where the return path send its to a upstream device.

    To check on the SSG:

    get route ip <dest ip="">get rout ip <source ip="">

    Good luck in hunting the problem!</dest>

  • Screenie.

    Thank you very much for your help…

    I ran the command and everything was operational.

    I have a destination route to pass the traffic to my MPLS cisco router.

    I am unclear what resturn route I require…  Is this route to pass the MPLS data back to the trust-vr?

    Let me know if I can help you with anything…


  • Global Moderator

    There’s a problem with your route back I think. Session is created so forward route prob. ok. Route back over a router instead of direct? If so fix that or use unset flow tcp-syn-check.