Help with NS-5GT Config



  • We have a 5GT Co-located at a hosting co.

    Intermittently we have connectivity problems.
    Sometimes all hosts/IPs in our subnet are unavailable, sometimes all respond OK, sometimes only one or two IPs seem unavailable.

    The hosting company say the problem is being caused by the 5GT issuing a command that causes their switch/router to flush
    out its arp table (they have some form of VLAN setup).

    Are they ‘passing the buck’ for their own problem, or is there something wrong with our config?

    Any advice most welcome – thanks 🐵

    Ralph Taylor

    Get sys:-
    Software Version: 5.2.0r3.0, Type: Firewall+VPN
    Total Device Resets: 0
    Box in trust-untrust mode
    System in transparent mode.

    Config follows:-
    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "RemoteDesktop" protocol tcp src-port 1-65535 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "root"
    set admin ssh port 1233
    set admin http redirect
    set admin auth timeout 20
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    unset zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    unset zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen icmp-flood
    set zone "V1-Untrust" screen udp-flood
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    unset zone "V1-Untrust" screen land
    set zone "V1-Untrust" screen syn-ack-ack-proxy
    set zone "V1-Untrust" screen syn-flood drop-unknown-mac
    set interface "trust" zone "V1-Trust"
    set interface "untrust" zone "V1-Untrust"
    set interface vlan1 ip 111.111.111.111/28
    set interface trust mtu 1500
    set interface untrust mtu 1500
    set interface vlan1 vlan trunk
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface vlan1 manage ident-reset
    set zone V1-Trust manage ident-reset
    set interface v1-trust manage mtrace
    set zone V1-Untrust manage ping
    set zone V1-Untrust manage ssh
    set zone V1-Untrust manage telnet
    set zone V1-Untrust manage snmp
    set zone V1-Untrust manage ssl
    set zone V1-Untrust manage web
    set zone V1-Untrust manage ident-reset
    set interface v1-untrust manage mtrace
    set interface "vlan1" webauth ssl-only
    set interface "vlan1" webauth-ip 111.111.111.112
    set zone "V1-Trust" webauth
    set zone "V1-Untrust" webauth
    unset flow tcp-mss
    unset flow tcp-syn-check
    set flow syn-proxy syn-cookie
    set domain bla.com
    set hostname firewall
    set webauth banner success "You are logged on"
    set user-group "remote" id 1
    set user-group "remote" user "amir"
    set user-group "remote" user "graham"
    set user-group "remote" user "ralph"
    set user-group "sysadmin" id 2
    set user-group "sysadmin" user "ralph"
    set ike p1-proposal "pre-g5-aes256-sha" preshare group5 esp aes256 sha-1 hour 8
    set ike p2-proposal "g5-esp-aes256-sha" group5 esp aes256 sha-1 hour 8
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set url protocol sc-cpa
    exit
    set policy id 15 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "PING" permit
    set policy id 15 disable
    set policy id 15
    exit
    set policy id 17 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "FTP" permit
    set policy id 17 disable
    set policy id 17
    exit
    set policy id 8 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "HTTP" permit
    set policy id 8
    set service "HTTPS"
    exit
    set policy id 22 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_WEBMAIL_82" permit
    set policy id 22 disable
    set policy id 22
    exit
    set policy id 23 name "Temp Testing" from "V1-Untrust" to "V1-Trust"  "Any" "Any" "PING" permit
    set policy id 23
    exit
    set policy id 12 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_TOMCAT" permit
    set policy id 12
    exit
    set policy id 14 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_TOMCATS" permit
    set policy id 14
    exit
    set policy id 18 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "SMTP" permit
    set policy id 18
    exit
    set policy id 24 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit
    set policy id 24
    exit
    set policy id 9 name "Mail" from "V1-Untrust" to "V1-Trust"  "Any" "Any" "POP3" permit
    set policy id 9
    exit
    set policy id 11 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_POP3S" permit
    set policy id 11
    exit
    set policy id 13 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_SSH" permit
    set policy id 13
    exit
    set policy id 21 name "Temp just in case" from "V1-Untrust" to "V1-Trust"  "Any" "Any" "SSH" permit
    set policy id 21 disable
    set policy id 21
    exit
    set policy id 10 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "DNS" permit
    set policy id 10
    exit
    set policy id 20 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "MT_SYBASE" permit webauth user-group "remote"
    set policy id 20
    exit
    set policy id 19 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "FTP" permit webauth user-group "remote"
    set policy id 19
    exit
    set policy id 25 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" deny
    set policy id 25
    exit
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route  0.0.0.0/0 interface vlan1 gateway 222.222.222.222
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    --end--
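    The posted config is the kind of `get config` dump a reviewer would want to walk for exposure before worrying about the ARP question: management services are enabled on the V1-Untrust zone (including telnet, web and snmp), policies named "Temp ..." are still present, and NTP points at 0.0.0.0. The script below is an added example, not ScreenOS or Juniper code and not the poster's own tooling; it parses a constructed sample in the same `set zone ... manage`, `set policy id ...` and `set ntp server` shapes (the zone names, the set of "cleartext" services and the severity labels are assumptions) and returns a list of findings, so the same checks can be run over a full dump.

```python
"""Audit a ScreenOS-style `get config` dump for risky management and policy lines.

Added example for this thread; the sample config is constructed to mimic the
shape of the poster's dump, not copied from it. Zone names, the cleartext
service list and the severity labels are assumptions of this example.
"""
import re
from typing import Dict, List, Optional

# Constructed sample (not the poster's exact config).
SAMPLE_CONFIG = """\
set admin name "root"
set admin ssh port 1233
set zone V1-Untrust manage ping
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage web
set zone V1-Untrust manage ssl
set zone V1-Untrust manage snmp
set zone V1-Trust manage ident-reset
set ntp server "0.0.0.0"
set policy id 24 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit
set policy id 23 name "Temp Testing" from "V1-Untrust" to "V1-Trust"  "Any" "Any" "PING" permit
set policy id 25 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" deny
"""

# Management services that carry credentials or data in cleartext (assumption of this example).
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}
# Zones facing the hosting company's network (assumption: transparent-mode naming as in the thread).
UNTRUSTED_ZONES = {"Untrust", "V1-Untrust"}

MANAGE_RE = re.compile(r'^set zone "?([\w-]+)"? manage ([\w-]+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) (?:name "([^"]*)" )?from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)'
)
NTP_RE = re.compile(r'^set ntp server(?: backup\d)? "([^"]+)"$')


def _finding(severity: str, line: str, issue: str) -> Dict[str, str]:
    return {"severity": severity, "line": line, "issue": issue}


def audit(config_text: str) -> List[Dict[str, str]]:
    """Return one finding dict per risky line; unrecognised lines are ignored."""
    findings: List[Dict[str, str]] = []
    for raw in config_text.splitlines():
        # Forum pastes often turn " into smart quotes; normalise before matching.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')

        m = MANAGE_RE.match(line)
        if m:
            zone, svc = m.groups()
            if zone in UNTRUSTED_ZONES:
                sev = "high" if svc in CLEARTEXT_MGMT else "medium"
                findings.append(_finding(sev, line, f"management service {svc} reachable from zone {zone}"))
            continue

        m = POLICY_RE.match(line)
        if m:
            pid, name, src, dst, src_addr, dst_addr, svc, action = m.groups()
            name: Optional[str]
            if action == "permit" and svc.upper() == "ANY" and src_addr == "Any" and dst_addr == "Any":
                findings.append(_finding("medium", line, f"policy {pid} permits ANY service from {src} to {dst} for any host"))
            if name and "temp" in name.lower():
                findings.append(_finding("low", line, f"policy {pid} named {name!r} looks temporary; confirm it is still needed"))
            continue

        m = NTP_RE.match(line)
        if m and m.group(1) == "0.0.0.0":
            findings.append(_finding("low", line, "NTP server is 0.0.0.0 (unset); log timestamps will drift"))
    return findings


def count_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] {f['issue']}\n         {f['line']}")
```

Against a real dump, feed the file contents to `audit()`; the regexes are anchored to the start of each line, so trailing options such as `permit webauth user-group "remote"` still match.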



  • @MaxPipeline:

    I think this is likely a switch problem. We don’t send anything short of a gratuitous ARP which could cause a switch to flush its ARP entry. If that is the case then using ‘set arp always-on-dest’ is probably a good idea until the hosting company can figure out what is going on with their switch.

    OK I will do that!
    When I pluck up the courage to put the 5GT back in the loop  🙂
    -thanks Max



  • @screenie.:

    Max,

    what if layer 2 sessions mismatch, too many errors on port and …
    Long shot, but maybe it’s a 3com switch. I’ve seen many problems with that vendor.

    Hinuma: To rule this out: set port settings fixed and see what’s happening.

    Sorry, do you mean set the ethernet ports speed/duplex/auto settings?

    Because connectivity to some hosts is perfect and others, not even a ping arrives at the Untrusted i/f
    it seems not to be a ‘transport layer’ problem.

    They say the switch/vlan device was ‘Extreme Networks’

    -Thanks again



  • I think this is likely a switch problem. We don’t send anything short of a gratuitous ARP which could cause a switch to flush its ARP entry. If that is the case then using ‘set arp always-on-dest’ is probably a good idea until the hosting company can figure out what is going on with their switch.



  • @MaxPipeline:

    I can’t think of anything off the top of my head which can cause a 5GT to flush the MAC table of a third-party switch. About the only thing I can think of is a gratuitous ARP which doesn’t seem to apply in your case (applies with NSRP configuration). Did your hosting company say what exactly was causing their switch to clear out the MAC table? I would get much more detail from them and then possibly contact JTAC to assist.

    Thanks for your thoughts-
    The hosting co. said their switch was configured to update its ARP table for our subnet every 60 min, but some MACs were
    getting flushed out - say after 20 min - so we lost connectivity to that host for 40 min, until the switch re-built its ARP table.

    They say they are hosting many other netscreen devices with no problem!

    I will ask what command/state/protocol deletes an entry on their switch (if they know).
    Regards
    -hinuma


  • Global Moderator

    Max,

    what if layer 2 sessions mismatch, too many errors on port and …
    Long shot, but maybe it’s a 3com switch. I’ve seen many problems with that vendor.

    Hinuma: To rule this out: set port settings fixed and see what’s happening.



  • I can’t think of anything off the top of my head which can cause a 5GT to flush the MAC table of a third-party switch. About the only thing I can think of is a gratuitous ARP which doesn’t seem to apply in your case (applies with NSRP configuration). Did your hosting company say what exactly was causing their switch to clear out the MAC table? I would get much more detail from them and then possibly contact JTAC to assist.



  • @screenie.:

    When clear arp is the solution isn’t the problem :

    • Identical IPs on the network
    • Layer 2 loop
    • Misconfigured STP

    ?

    I would search here, not in the firewall as a starter. Maybe set arp always-on-dest works as a work-around, but not as a fix I think.

    Thanks for the advice screenie.
    Taking the 5GT out and replacing with a switch, solves the problem.
    So it is something to do with the interaction between the two layer 2 devices.

    • hinuma

  • Global Moderator

    When clear arp is the solution isn’t the problem :

    • Identical IPs on the network
    • Layer 2 loop
    • Misconfigured STP

    ?

    I would search here, not in the firewall as a starter. Maybe set arp always-on-dest works as a work-around, but not as a fix I think.
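    The two causes the thread circles around can both be confirmed from a packet capture on the segment rather than by guesswork: MaxPipeline's point that a gratuitous ARP is the only thing the 5GT could send that would make a neighbour rewrite an ARP entry, and screenie's list (duplicate IPs, a layer 2 loop) that shows up as one IP being answered by more than one MAC. The script below is an added example, not the thread's or Juniper's code; it parses constructed lines in the shape of `tcpdump -e -n arp` output (the addresses and MACs are placeholders) and reports gratuitous ARPs and IP-to-MAC conflicts, which is what to hand the hosting company instead of the "something flushes our table" description.

```python
"""Spot ARP behaviour that makes a switch or router drop or rewrite table entries.

Added example for this thread (not ScreenOS or Juniper code). It parses
constructed lines shaped like `tcpdump -e -n arp` output and reports:
  (a) gratuitous ARPs: a request whose sender and target IP are the same, or a
      reply sent to the broadcast MAC;
  (b) conflicts: one IP answered by more than one sender MAC (duplicate IP,
      loop, or a device re-announcing under a different MAC).
Addresses and MACs are constructed placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: .111 is the firewall-side address, .113 is a hosted server.
SAMPLE_CAPTURE = """\
10:00:00.000001 00:10:db:11:11:11 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 111.111.111.113 tell 111.111.111.111, length 46
10:00:00.000200 00:50:56:22:22:22 > 00:10:db:11:11:11, ethertype ARP (0x0806), length 42: Reply 111.111.111.113 is-at 00:50:56:22:22:22, length 28
10:00:05.000000 00:10:db:11:11:11 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 111.111.111.111 tell 111.111.111.111, length 46
10:00:09.000000 00:50:56:33:33:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Reply 111.111.111.113 is-at 00:50:56:33:33:33, length 28
10:00:12.000000 00:50:56:22:22:22 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 111.111.111.114 tell 111.111.111.113, length 46
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"(?:Request who-has (?P<tip>[\d.]+) tell (?P<req_sip>[\d.]+)"
    r"|Reply (?P<rep_sip>[\d.]+) is-at (?P<rep_smac>[0-9a-f:]{17})), length \d+$"
)


@dataclass
class ArpReport:
    # "timestamp sender_mac sender_ip" for each gratuitous ARP seen
    gratuitous: List[str] = field(default_factory=list)
    # every sender MAC that has claimed each IP
    ip_to_macs: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def conflicts(self) -> Dict[str, Set[str]]:
        """IPs claimed by more than one MAC."""
        return {ip: macs for ip, macs in self.ip_to_macs.items() if len(macs) > 1}


def analyse(lines: Iterable[str]) -> ArpReport:
    report = ArpReport()
    for raw in lines:
        m = ARP_RE.match(raw.strip())
        if not m:
            continue  # non-ARP or unparseable line: ignore
        if m.group("tip") is not None:  # Request
            sender_ip, sender_mac = m.group("req_sip"), m.group("src_mac")
            gratuitous = sender_ip == m.group("tip")
        else:  # Reply
            sender_ip, sender_mac = m.group("rep_sip"), m.group("rep_smac")
            gratuitous = m.group("dst_mac") == BROADCAST
        report.ip_to_macs[sender_ip].add(sender_mac)
        if gratuitous:
            report.gratuitous.append(f"{m.group('ts')} {sender_mac} {sender_ip}")
    return report


if __name__ == "__main__":
    rep = analyse(SAMPLE_CAPTURE.splitlines())
    for g in rep.gratuitous:
        print("gratuitous ARP:", g)
    for ip, macs in rep.conflicts().items():
        print(f"conflict: {ip} claimed by {sorted(macs)}")
```

Feed it `tcpdump -e -n arp` output captured on a mirror port facing the firewall: a burst of gratuitous ARPs from the firewall's MAC supports the hosting company's story, while a conflict on a server's IP points at their side (a duplicate address or a looped port) and explains why `set arp always-on-dest` would only mask it.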

