While I am in agreement with you that it would be considered best practice in the majority of cases to specify the ffilter first, I didn't think he'd have to worry too much in this case as the traffic was only coming from a single Dial-Up VPN host... Still, playing Devil's advocate is probably wise because I am sure there are a few corner cases where he could end up borking up the box.
On 10/6/08, Mark Kamichoff <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 06, 2008 at 01:23:02PM -0400, Stefan Fouant wrote:
>> Can you issue the following:
>>
>> debug flow basic
>> set ffilter ip 10.1.2.6
>> clear dbuf
>> clear sessions
>
> Be careful when issuing commands in the order listed above - you can
> easily brick your device if the session ramp-up rate is high, as the
> firewall will essentially generate debugging data for all connections.
> I suggest issuing the "set ffilter ip 10.1.2.6" before any debug
> commands, then following up with an "undebug all" after you have
> reproduced the issue:
>
> ssg550-> set ffilter src-ip 10.1.2.6
> ssg550-> set ffilter dst-ip 10.1.2.6
> ssg550-> clear db
> ssg550-> debug flow basic
>
> < reproduce the issue >
>
> ssg550-> undebug all
> ssg550-> get db str
>
> Additionally, what version of ScreenOS are you running? There was a
> strange policy evaluation/compilation issue I ran into earlier this year
> that sporadically prevented certain policies from being hit (PR #308459,
> iirc). According to JTAC, it is fixed in >= 6.0.0r6.0 - so if you have
> support for the device, I'd suggest running at least this version of
> ScreenOS, just to be safe.
>
> - Mark
>
> --
> Mark Kamichoff
> [EMAIL PROTECTED]
> http://www.prolixium.com/

--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
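The two points in Mark's quoted reply (filter before `debug flow basic`, always finish with `undebug all`; and check that ScreenOS is at least 6.0.0r6.0) are easy to get wrong when typed by hand on a busy box, so here is an added example of scripting them. It is not code from the thread or from Juniper: it assumes a session object exposing a `send(cmd) -> str` method (whatever SSH/telnet wrapper you use), and `FakeSession` below is a constructed stand-in, including a constructed `get system` response in the "Software Version: 6.0.0r6.0" form, so the script runs offline.

```python
"""Drive a ScreenOS flow debug in the safe order and gate it on the
firmware version. Added example (not from the juniper-nsp thread); the
session interface and FakeSession responses are assumptions."""
import re

# ScreenOS versions look like 6.0.0r6.0: major.minor.patch r release[.sub]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.(\d+))?")


def parse_screenos_version(text):
    """Pull the first ScreenOS version out of e.g. 'get system' output and
    return it as a tuple that compares correctly: 6.0.0r6.0 -> (6,0,0,6,0)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ScreenOS version string found")
    return tuple(int(g or 0) for g in m.groups())


def version_at_least(text, minimum="6.0.0r6.0"):
    """True if the version in `text` is >= `minimum` (default: the release
    Mark reports JTAC naming as the fix for the policy-evaluation PR)."""
    return parse_screenos_version(text) >= parse_screenos_version(minimum)


def find_unfiltered_debug(commands):
    """Return the index of the first 'debug ...' command that would run
    before any 'set ffilter ...' has been issued, or None if the order is
    safe. Catches the ordering in the original post."""
    filtered = False
    for i, cmd in enumerate(commands):
        if cmd.startswith("set ffilter"):
            filtered = True
        elif cmd.startswith("debug ") and not filtered:
            return i
    return None


def debug_commands(host_ip):
    """The safe prelude: filters first, clear the buffer, then debug."""
    return [
        f"set ffilter src-ip {host_ip}",
        f"set ffilter dst-ip {host_ip}",
        "clear db",
        "debug flow basic",
    ]


def collect_flow_debug(session, host_ip, reproduce):
    """Enable a filtered flow debug, run `reproduce()`, and return the
    debug buffer. 'undebug all' is sent in a finally block so the firewall
    is never left debugging if reproduction raises or is interrupted."""
    prelude = debug_commands(host_ip)
    assert find_unfiltered_debug(prelude) is None
    for cmd in prelude[:-1]:          # filters and clear db
        session.send(cmd)
    try:
        session.send(prelude[-1])     # debug flow basic
        reproduce()
    finally:
        session.send("undebug all")
    return session.send("get db str")


class FakeSession:
    """Constructed stand-in for a CLI session; records what was sent."""

    def __init__(self, version="6.0.0r6.0"):
        self.sent = []
        self.version = version

    def send(self, cmd):
        self.sent.append(cmd)
        if cmd == "get system":
            # Constructed response in the ScreenOS 'get system' style.
            return f"Software Version: {self.version}, Type: Firewall+VPN"
        if cmd == "get db str":
            return "<constructed debug buffer contents>"
        return ""


def run_with_failing_reproduction(host_ip="10.1.2.6"):
    """Show that a failed reproduction still results in 'undebug all'."""
    s = FakeSession()

    def boom():
        raise RuntimeError("reproduction failed")

    try:
        collect_flow_debug(s, host_ip, boom)
    except RuntimeError:
        pass
    return s.sent


if __name__ == "__main__":
    s = FakeSession()
    if not version_at_least(s.send("get system")):
        print("warning: ScreenOS older than 6.0.0r6.0, policy PR may apply")
    print(collect_flow_debug(s, "10.1.2.6", lambda: None))
    print(s.sent)
```

Against a real device, replace `FakeSession` with a wrapper around your SSH client; the version check and the `finally` are the parts worth keeping, since the failure mode Mark describes is precisely a debug left running with no filter.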