SSG140 untrust Problem



  • Hello all,
    I need help with a specific problem; I have run out of ideas.

    I have a NetScreen 25, and everything works well with it: one interface for the LAN, another one for a DMZ, and one for untrust (connected to the Internet).

    In order to connect several extra zones, I replaced my NS25 with an SSG140, but there is a problem with the untrust interface (connected to the Internet + VPN tunnel (route based)).

    After a period of working correctly (between several minutes and several hours; it varies a lot :( ), it is no longer possible to communicate with the untrust interface/zone. I can't ping the public IP of the SSG140, but I can ping the public router. All other interfaces (LAN, DMZ...) are working well when the problem occurs.

    The only solution is to switch the firewall off and on. It's the same configuration as on the NS25, and there is no problem with the NS25.

    Do you have any idea about the problem?

    Best regards



  • My problem is solved. Speed and duplex fixed on both sides. Thanks all for your help.
    But I don't understand why it was running with an NS25 and not with the SSG140 (without fixing anything).



  • I will try this...



  • I think the problem is resolved. On the ISP router, speed and duplex were set to 100/full. On the firewall it was auto-negotiation, but the mode detected was 100/half.
    So I have fixed 100/full on the firewall, and tomorrow morning, if no problem appears again, the problem will be closed.

    Thanks for your help



  • I have a similar problem; I've opened a case with Juniper support.

    ping from trust (trust-vr) to a device in the DMZ (trust-vr) is still possible
    ping from trust (trust-vr) to a device in untrust (untrust-vr) is not possible
    after a power cycle / or a reset from an ssh/telnet session the device works again

    This has happened 5 to 10 times a day during office hours, but NEVER at night, so I suspect some dirty app to be the cause.
    I am using Nagios to ping the modem; it emails me when "internet" is unreachable.

    We are currently waiting for it to happen again, to do some debugging.
    ping is running from
      server alcazar (dmz)
      server sponsz (trust)
    to our modem in the untrust zone; replies are received.

    Opened an ssh (PuTTY with logging enabled) session to the firewall:
    set console page 0  ## this sets output to continuous
    set ff src-ip <ip address of modem>
    set ff dst-ip <ip address of modem> ## when logging, only log traffic meeting these conditions
    get ff  ## shows flow filters
    cl db   ## clear the debug database
    debug flow basic    ## capture debugging information
    wait a few seconds
    undebug all  ## stop capturing this data
    get db str  ## flood your screen with the debug data

    I ran these commands when the SSG was functioning properly; I am waiting to run them again when the problem occurs.
    I had the filters set up wrongly, so I only noticed that outgoing ping was processed normally (that does not mean it was received by the modem; I did not check that).

    One of the things I did to resolve the problem was upgrade ScreenOS from 5.4.0r3a to 5.4.0r8 (5.4.0 is recommended, not 6.0); however, this did not help.

    I found a debug PDF at http://www.channelworx.com.au/support/documents/Resources/debug_functions.pdf
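    As an added example (not code from the thread or from Juniper), here is a small Python parser for a capture saved from a `debug flow basic` session like the one above, e.g. a PuTTY log of the `get db str` output. It turns the trace into one record per packet (incoming interface, src/dst, outgoing interface, passed/dropped and the reason) and counts ICMP requests towards the modem against replies coming back, which is the check the post says was missed. The trace layout in the embedded sample is constructed to resemble ScreenOS output and is an assumption to verify against a real capture; the modem address 203.0.113.1, the hosts and the interface names are made up.

```python
"""Summarise a saved ScreenOS `debug flow basic` capture (added example)."""
import re
from collections import Counter

# CONSTRUCTED sample modelled on ScreenOS flow-debug output: two ICMP echo
# requests towards the modem (one permitted, one denied) and one reply back.
SAMPLE_CAPTURE = """\
****** 17531.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 4112(1010), @0e4f7a2c
  packet passed sanity check.
  ethernet0/0:192.168.1.20/512->203.0.113.1/1024,1(8/0)<Root>
  chose interface ethernet0/0 as incoming nat if.
  search route to (ethernet0/0, 192.168.1.20->203.0.113.1) in vr trust-vr
  routed (x_dst_ip 203.0.113.1) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/2
  policy search from zone 2-> zone 1
  Permitted by policy 1
  packet passed
****** 17531.1: <Untrust/ethernet0/2> packet received [60]******
  ipid = 7201(1c21), @0e4f7b10
  packet passed sanity check.
  ethernet0/2:203.0.113.1/512->203.0.113.2/1024,1(0/0)<Root>
  chose interface ethernet0/2 as incoming nat if.
  existing session found. sess token 9
  packet passed
****** 17531.2: <DMZ/ethernet0/1> packet received [60]******
  ipid = 4113(1011), @0e4f7c44
  packet passed sanity check.
  ethernet0/1:172.16.0.10/513->203.0.113.1/1024,1(8/0)<Root>
  search route to (ethernet0/1, 172.16.0.10->203.0.113.1) in vr trust-vr
  routed (x_dst_ip 203.0.113.1) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/2
  policy search from zone 3-> zone 1
  packet dropped, denied by policy
"""

# One packet trace starts with a header naming the ingress zone/interface.
HEADER = re.compile(r"^\*+ (?P<seq>\d+\.\d+): <(?P<zone>[^/]+)/(?P<ifname>[^>]+)> packet received")
# 5-tuple line: "<in-if>:<src>/<sport>-><dst>/<dport>,<proto>(...)".
TUPLE = re.compile(r"^\s*(?P<inif>\S+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
                   r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)")
ROUTED = re.compile(r"^\s*routed .* to (?P<outif>\S+)$")
# Final verdict; the lookahead skips the earlier "packet passed sanity check." line.
VERDICT = re.compile(r"^\s*packet (passed|dropped)(?! sanity)")
ICMP = 1


def parse_flow_debug(text):
    """Return one dict per packet trace found in the capture text."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"seq": m["seq"], "zone": m["zone"], "in_if": m["ifname"],
                       "src": None, "dst": None, "proto": None,
                       "out_if": None, "verdict": None, "reason": ""}
            records.append(current)
            continue
        if current is None:           # text before the first header
            continue
        m = TUPLE.match(line)
        if m:
            current.update(src=m["src"], dst=m["dst"], proto=int(m["proto"]))
            continue
        m = ROUTED.match(line)
        if m:
            current["out_if"] = m["outif"]
            continue
        m = VERDICT.match(line)
        if m:
            current["verdict"] = m.group(1)
            # Keep whatever follows the verdict (e.g. "denied by policy").
            current["reason"] = line.strip()[len("packet " + m.group(1)):].lstrip(", ")
    return records


def echo_summary(records, modem_ip):
    """Count ICMP requests towards the modem and replies from it, by verdict.

    A healthy run shows request_out_passed and reply_in_passed in step; requests
    that pass with no replies point at the link/ARP side rather than policy."""
    summary = Counter()
    for r in records:
        if r["proto"] != ICMP:
            continue
        if r["dst"] == modem_ip:
            summary["request_out_" + (r["verdict"] or "unknown")] += 1
        elif r["src"] == modem_ip:
            summary["reply_in_" + (r["verdict"] or "unknown")] += 1
    return summary


if __name__ == "__main__":
    # For a real capture: parse_flow_debug(open("putty.log").read())
    recs = parse_flow_debug(SAMPLE_CAPTURE)
    for r in recs:
        print(f"{r['seq']:>8} {r['zone']:<8} {r['src'] or '?':>15} -> {r['dst'] or '?':<15} "
              f"out={r['out_if'] or '-':<12} {r['verdict']} {r['reason']}")
    print(dict(echo_summary(recs, "203.0.113.1")))
```

    Run against the saved log with the flow filters set on the modem address in both directions, as in the post, so both the outbound requests and any inbound replies land in the capture; if the requests pass and are routed out but no reply records appear, the packets are leaving the firewall and the problem is on the wire or in ARP rather than in policy.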



  • I would still hard-code both sides of the connection to 100Mb/full and replace the cable with a good-quality, fully pinned crossover cable.  My guess is the ARP entry for the router is not in the firewall.  You could hard-code the MAC address of the router in the firewall to test that.

    Greg



  • Both sides are auto. I don't know why it works for one hour, for example, and then untrust doesn't answer (pinging the router from the Internet is OK). The only way to solve it for now is to reboot the firewall.



  • If it is setting the connection at 100Mbps/half on auto, the other side is most likely hard-coded to 100Mbps/full.  I would hard-code your side to 100Mbps/full; of course, that could cause you to lose connectivity.

    Greg



  • I'm using a /29 subnet. It's a Cisco 1700 series. The problem is that it's an ISP router; I'm not on site, and I had to tell the people on site what to do 🙂
    I see on the firewall that the link between the two devices is 100/half (I think auto-negotiation).



  • Did the router have the ARP entry for the firewall IP? (I am assuming you are using a /30.)  Did the firewall have the ARP entry for the router?  What kind of router?  What are the interface speed and duplex set to?  I would try a crossover cable between the router and the firewall and hard-code the speed and duplex on both devices.

    Greg



  • I have used this command: set arp always-on-dest. Same problem.
    The router and the firewall (connected with a straight cable) cannot ping each other.
    clear arp / clear mac --> no change, no ping possible (only the ping to the router works).



  • Version is 6.0.0r3

    Are you using UTM services? Yes.
    set arp always-on-dest --> I will check if I have this command.
    The problem is I'm at the admin site, and when I lose communication with the SSG140, I can't check anything.

    Thanks for your answer; I'll keep you informed.



  • Sounds like an ARP issue to me. If you can connect on the trust interface, do the following:

    get arp

    See if the untrust gateway has an ARP entry in the firewall.

    Try a clear arp and clear mac on the firewall.

    Look on the public router and be sure there is an ARP entry for the untrust interface.

    Make sure that all interfaces are set to the correct speed/duplex. I assume you are using 100Mbps; I would hard-code all interfaces to 100Mbps/full duplex (unless you are using gig, then I recommend auto).  I would also make sure you have the command

    set arp always-on-dest

    What version of code are you running?

    Greg


  • Global Moderator

    What's your software version? Are you using UTM services?


 
