[j-nsp] SSG Dialup VPN stability problems

2010-05-30 Thread Jimmy Stewpot
Hello,

I am currently investigating some on-going stability problems with 
client-to-site VPN connections on an SSG140. Unfortunately I've been unable to 
find any detailed diagnostic steps to take when troubleshooting this type of 
issue. The site previously used a Cisco ASA and has since moved to Juniper; 
we are running 6.2.0r2 as the software version, with client-to-site using a 
tunnel interface.

The config as stated:
===SNIP===
set ike gateway "Remote_Dialup_VPN" dialup "Dialup_VPN_Group" Aggr outgoing-interface "ethernet0/3" preshare "" proposal "pre-g2-3des-md5" "pre-g2-3des-sha" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "Remote_Dialup_VPN" dpd-liveness interval 20
set ike gateway "Remote_Dialup_VPN" dpd-liveness always-send
unset ike gateway "Remote_Dialup_VPN" nat-traversal udp-checksum
set ike gateway "Remote_Dialup_VPN" nat-traversal keepalive-frequency 20
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set vpn "Remote_Dialup_VPN" gateway "Remote_Dialup_VPN" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-des-sha"  "nopfs-esp-des-md5"
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_Dialup_VPN" dscp-mark 0
set vpn "Remote_Dialup_VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 255.255.255.255/32 "ANY"
set address "VPN" "Dialup_IPPool" 10.10.40.0 255.255.255.0
set ippool "IPPool" 10.10.40.2 10.10.40.254


&&

set interface "tunnel.3" zone "VPN"
set interface tunnel.3 ip unnumbered interface ethernet0/3
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_VPN_to_DMZ" id 0x9 bind interface tunnel.3
set route 10.10.40.0/24 interface tunnel.3 permanent

&&


set auth-server "AD_Radius" account-type l2tp xauth 
set user-group "VPN.Users" type l2tp xauth 
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set xauth lifetime 30
set xauth default ippool "IPPool"
set xauth default dns1 192.168.10.1
set xauth default dns2 192.168.10.2
set xauth default wins1 192.168.10.1
set xauth default wins2 192.168.10.2
set xauth default auth server "AD_Radius"
set xauth default accounting server "AD_Radius"

===SNIP===

Now the problem we have is that very often systems can't remain connected for 
more than a few seconds while other users can be stable as a rock. This is 
despite both systems having identical configurations with either the Shrew 
client or the Juniper VPN client. One thing that I do see is a huge number of 
replay packets detected in the error logs. Does that have something to do with 
it? Moving forward, has anyone experienced similar problems in the past and what 
did they do to resolve them? I have been unable to identify any single problem, 
as every time I connect I am able to stay online for days without being 
disconnected.

Any feedback would be really appreciated.

Regards,

Jimmy Stewpot.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
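
The config in the post above has `replay` set on the VPN, and the post reports many replay detections in the logs. The following is an added example, not part of the original post and not Juniper code: a sketch of the RFC 4303 style anti-replay sliding window, run over constructed arrival orders, showing that packets overtaken by more than a window's worth of later packets are rejected the same way as true duplicates. The window sizes (64 and 128) and the delay pattern are assumptions for illustration.

```python
# Added illustration of an ESP anti-replay sliding window (RFC 4303 style).
WINDOW = 64  # assumed size; the post does not state the SSG's window


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return 'ok', 'replay' (duplicate) or 'too_old' (left of window)."""
        if seq > self.top:                      # new highest: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if seq == 0 or offset >= self.size:
            return "too_old"                    # arrived too late: dropped
        if self.bitmap & (1 << offset):
            return "replay"                     # sequence number seen twice
        self.bitmap |= 1 << offset              # late but inside the window
        return "ok"


def classify(seqs, size=WINDOW):
    """Tally verdicts for a list of sequence numbers in arrival order."""
    win, tally = ReplayWindow(size), {"ok": 0, "replay": 0, "too_old": 0}
    for s in seqs:
        tally[win.check(s)] += 1
    return tally


def delayed_path(total=300, every=10, delay=100, until=200):
    """Constructed arrival order: every 10th packet arrives `delay` slots late."""
    out = []
    for t in range(1, total + 1):
        if not (t % every == 0 and t <= until):
            out.append(t)
        late = t - delay
        if 1 <= late <= until and late % every == 0:
            out.append(late)
    return out


if __name__ == "__main__":
    for size in (64, 128):
        print(size, classify(delayed_path(), size))
```

With the assumed 64-packet window all 20 delayed packets are rejected; with a 128-packet window the same arrival order passes cleanly.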


[j-nsp] Windows XP L2TP/IPSEC vpn without certificates

2010-04-12 Thread Jimmy Stewpot
Hello,

I am looking around at getting the native client within XP, Vista and Windows 7 
to work when connecting to a Juniper SSG 140. Currently all the documentation 
and examples that I have found on the Internet seem to suggest that it only 
works with certificates. Is there a good how-to guide which tells me how to 
configure L2TP without certificates? Specifically, I would love to be able to use 
RADIUS/user password authentication for the VPN.

Regards,

Jimmy Stewpot.



[j-nsp] SSG 140 WebVPN

2010-04-11 Thread Jimmy Stewpot
Hello,

I have attempted to set up a WebVPN (SSL VPN) on the SSG that we have. 
Unfortunately it appears as though we can only set it up on an external VIP. Is 
that correct?

We only get assigned a single external address so we can't use a different IP. 
Is there a way to allow us to have WebVPN on the standard external Public IP?

Regards,

Jimmy Stewpot.


[j-nsp] SSG 140 Software

2010-03-30 Thread Jimmy Stewpot
Hi All,

I am interested to know if anyone can provide me with what the latest version 
of software is for the SSG140?

Regards,

Jimmy.


[j-nsp] JunOS temperature readings

2010-03-25 Thread Jimmy Stewpot
Hello,

I am currently looking into an issue where we are getting temperature alerts on 
a variety of different JunOS devices within one of our facilities. 
Unfortunately, when I go to track down the changes, all the switches are running 
at under 40C, which is within the thresholds, yet we still get alerts.

jstew...@junos Switch> show chassis temperature-thresholds 
                           Fan speed      Yellow alarm      Red alarm
Item                      Normal  High   Normal  Bad fan   Normal  Bad fan
FPC 0 CPU                     60    70       80       70       95       85
FPC 0 EX-PFE1                 60    70       80       70       95       85
FPC 0 EX-PFE2                 60    70       80       70       95       85
FPC 0 EX-PFE3                 60    70       80       70       95       85
FPC 0 GEPHY Front Left        60    70       80       70       95       85
FPC 0 GEPHY Front Middle      60    70       80       70       95       85
FPC 0 GEPHY Front Right       60    70       80       70       95       85
FPC 0 Uplink Conn             60    70       80       70       95       85

{master:0}
jstew...@junos Switch> show chassis environment 
Class Item                         Status   Measurement
Power FPC 0 Power Supply 0         OK
      FPC 0 Power Supply 1         OK
Temp  FPC 0 CPU                    OK       38 degrees C / 100 degrees F
      FPC 0 EX-PFE1                OK       39 degrees C / 102 degrees F
      FPC 0 EX-PFE2                OK       50 degrees C / 122 degrees F
      FPC 0 EX-PFE3                OK       45 degrees C / 113 degrees F
      FPC 0 GEPHY Front Left       OK       20 degrees C / 68 degrees F
      FPC 0 GEPHY Front Middle     OK       27 degrees C / 80 degrees F
      FPC 0 GEPHY Front Right      OK       29 degrees C / 84 degrees F
      FPC 0 Uplink Conn            OK       28 degrees C / 82 degrees F
Fans  FPC 0 Fan 1                  OK       Spinning at normal speed
      FPC 0 Fan 2                  OK       Spinning at normal speed
      FPC 0 Fan 3                  OK       Spinning at normal speed

{master:0}

jstew...@junos Switch> show chassis alarms 
No alarms currently active

I am interested to know if anyone has anything similar? Also is it possible to 
set the thresholds?

Regards,

Jimmy Stewpot


[j-nsp] Diagnosing Policy Discards

2010-02-03 Thread Jimmy Stewpot
Hello,

I am working on an issue where we have some Policy Discards on an interface. I 
understand that Policy Discards are essentially anything that the Juniper does 
not understand. I guess this means things like HSRP etc. What I am interested 
to know is whether there is a method to break down what those policy discards 
are. For example, to see a log of the packet type/protocol type etc.?

Here is the output of the JunOS commands with a 1 second interval


show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485969, L3 incompletes: 21, L2 channel errors: 0,

show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485982, L3 incompletes: 21, L2 channel errors: 0,

show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485998, L3 incompletes: 21, L2 channel errors: 0,

I understand that it's not fatal; however, it's causing some monitoring 
abnormalities which we would like to get to the bottom of, to clarify that there 
is nothing misconfigured etc. on the network.

Any additional feedback would be much appreciated.

Regards,

Jimmy Stewpot.