SSG140 untrust Problem
I need help with a specific problem. I have no more ideas.
I have a NetScreen 25, all working well with it: one interface for the LAN, another one for a DMZ, and one for untrust (connected to the internet).
In order to connect several extra zones, I replaced my NS25 with an SSG140. But there is a problem with the untrust interface (connected to the internet + VPN tunnel (route based)).
After a period of working correctly (between several minutes and several hours - it's a very wide range :( ), it is no longer possible to communicate with the untrust interface/zone. I can't ping the public IP of the SSG140 but I can ping the public router. All other interfaces (LAN, DMZ, ...) are working well when the problem occurs.
The only solution is to switch the firewall off and on again. It's the same configuration as on the NS25, and there is no problem with the NS25.
Do you have an idea about the problem?
My problem is solved. Speed and duplex fixed on both sides. Thanks all for your help.
But I don't understand why it was running with an NS25 and not with the SSG140 (without fixing anything).
I will try this...
I think the problem is resolved. On the ISP router, speed and duplex were 100/full. On the firewall it was auto-negotiation, but the mode detected was 100/half.
So I have fixed 100/full on the firewall, and tomorrow morning, if no problem appears again, the problem will be closed.
Thanks for your help.
I have a similar problem; I've opened a case with Juniper support.
Ping from trust (trust-vr) to a device in the DMZ (trust-vr) is still possible.
Ping from trust (trust-vr) to a device in untrust (untrust-vr) is not possible.
After a power cycle, or a reset from an SSH/telnet session, the device works again.
This has happened 5 to 10 times a day during office hours, but NEVER at night, so I suspect some dirty app to be the cause.
I am using Nagios to ping the modem; it emails me when "internet" is unreachable.
We are currently waiting for it to happen again, to do some debugging.
Ping is running from
server alcazar (DMZ)
server sponsz (trust)
to our modem in the untrust zone; replies are received.
Opened an SSH session (PuTTY with logging enabled) to the firewall:
set console page 0                          ## this sets output to continuous
set ffilter src-ip <ip address of modem>
set ffilter dst-ip <ip address of modem>    ## when logging, only log traffic meeting these conditions
get ffilter                                 ## shows flow filters
clear dbuf                                  ## clear the debug buffer
debug flow basic                            ## capture debugging information
(wait a few seconds)
undebug all                                 ## stop capturing this data
get dbuf stream                             ## flood your screen with the debug data
I ran these commands when the SSG was functioning properly; I am waiting to run them again when the problem occurs.
I had the filters set up wrongly, so I only noticed that outgoing ping was processed normally (that does not mean it was received by the modem; I did not check that).
One of the things I did to resolve the problem was upgrade ScreenOS from 5.4.0r3a to 5.4.0r8 (5.4.0 is recommended, not 6.0); however, this did not help.
I found a debug PDF at http://www.channelworx.com.au/support/documents/Resources/debug_functions.pdf
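The failure pattern in this thread has a distinctive shape: the firewall's public (untrust) IP stops answering while the ISP router right next to it keeps replying. The Nagios check mentioned above only pings the modem, so it cannot tell that case apart from a general WAN outage. The script below is an added example (not code from the thread or from Juniper) that encodes the distinction as a standard Nagios plugin: it probes both addresses, retries to avoid flapping on a single lost packet, and returns CRITICAL specifically when the router answers but the firewall does not. It assumes a Linux-style ping binary (-c count, -W timeout in seconds), and the addresses and script name are placeholders.

```python
#!/usr/bin/env python3
"""check_untrust.py - Nagios-style probe for a wedged untrust interface.

Added example (not from the thread). Assumes a Linux-style `ping`
binary (-c count, -W timeout in seconds); the two addresses to probe
are supplied on the command line.
"""
import subprocess
import sys
from typing import Callable, Tuple

# Standard Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the system ping binary; True if a reply came back."""
    try:
        proc = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s + 3,
        )
        return proc.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def classify(firewall_up: bool, router_up: bool) -> Tuple[int, str]:
    """Turn the two probe results into a Nagios state and a one-line message.

    The interesting case is "router reachable, firewall public IP not":
    that is the pattern described in the thread (untrust interface wedged
    on the firewall side while the ISP side of the link is still fine).
    """
    if firewall_up and router_up:
        return OK, "OK - firewall untrust IP and ISP router both answer"
    if router_up and not firewall_up:
        return CRITICAL, ("CRITICAL - ISP router answers but firewall untrust IP "
                          "does not: suspect untrust interface (check ARP, speed/duplex)")
    if firewall_up and not router_up:
        return WARNING, "WARNING - firewall answers but ISP router does not: check upstream"
    return WARNING, "WARNING - neither answers: likely WAN/ISP outage, not the firewall"


def check(firewall_ip: str, router_ip: str,
          probe: Callable[[str], bool] = ping_once,
          attempts: int = 3) -> Tuple[int, str]:
    """Probe both hosts, retrying so that one lost packet does not raise an alert.

    `probe` is injectable so the decision logic can be exercised without a network.
    """
    firewall_up = any(probe(firewall_ip) for _ in range(attempts))
    router_up = any(probe(router_ip) for _ in range(attempts))
    return classify(firewall_up, router_up)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("UNKNOWN - usage: check_untrust.py <firewall-untrust-ip> <isp-router-ip>")
        sys.exit(UNKNOWN)
    code, message = check(sys.argv[1], sys.argv[2])
    print(message)
    sys.exit(code)
```

Run it from a vantage point that can reach both addresses (for the symptom in this thread, that means a host on the internet side, not a server behind the trust interface, since inside hosts cannot reach the untrust IP once the interface wedges). Nagios reads the exit code and the first output line, so the CRITICAL message carries the hint about what to check first.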
I would still hard code both sides of the connection to 100mb/Full and replace the cable with a good quality fully pinned crossover cable. My guess is the ARP entry in the firewall for the router is not in the firewall. You could hard code the MAC address of the Router in the firewall to test that.
Both sides are auto. I don't know why it works for 1 hour, for example, and then untrust gives no answer (ping on the router from the internet is OK). The only way to solve it for now is to reboot the firewall.
If it is setting the connection at 100mbs/half on auto, the other side is most likely hard coded to 100mbs/full. I would hard code your side to 100mbs/full, of course that could cause you to lose connectivity.
I'm using a /29 subnet. It's a Cisco 1700 series. The problem is it's an ISP router. I'm not on site, and I had to tell the people on site what to do.
I see on the firewall that the link between the two devices is 100/half (I think auto-negotiation).
Did the router have the ARP entry for the firewall IP? (I am assuming you are using a /30.) Did the firewall have the ARP entry for the router? What kind of router? What are the interface speed and duplex set to? I would try a crossover cable between the router and the firewall and hard code the speed and duplex on both devices.
I have used this command: set arp always-on-dest. Same problem.
The router and the firewall (connected with a straight cable) cannot ping each other.
clear arp / clear mac -> no change, no ping possible (only the router ping).
Version is 6.0.0.r3
Are you using UTM services? Yes.
set arp always-on-dest -> I will check if I have this command.
The problem is I'm on the admin site, and when I lose communication with the SSG140, I can't check anything.
Thanks for your answer, I'll keep you informed.
Sounds like an ARP issue to me. If you can connect on the trust interface, do the following.
See if the untrust gateway has an ARP entry in the firewall.
Try a clear arp and clear mac on the firewall.
Look on the public router and be sure there is an ARP entry for the untrust interface.
Make sure that all interfaces are set to the correct speed/duplex. I assume you are using 100mbs; I would hard code all interfaces to 100mbs/full duplex (unless you are using gig, then I recommend AUTO). I would also make sure you have the command
set arp always-on-dest
What version of code are you running?
What's your software version? Are you using UTM services?