[j-nsp] SSG Dialup VPN stability problems
Hello, I am currently investigating some on-going stability problems with client-to-site VPN connections on an SSG140. Unfortunately I've been unable to find any detailed diagnostic steps to take when troubleshooting this type of issue. The site previously used a Cisco ASA and has since moved to Juniper; we are running 6.2.0r2 as the software version, with client-to-site using a tunnel interface. The config is as follows:

===SNIP===
set ike gateway "Remote_Dialup_VPN" dialup "Dialup_VPN_Group" Aggr outgoing-interface "ethernet0/3" preshare "" proposal "pre-g2-3des-md5" "pre-g2-3des-sha" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "Remote_Dialup_VPN" dpd-liveness interval 20
set ike gateway "Remote_Dialup_VPN" dpd-liveness always-send
unset ike gateway "Remote_Dialup_VPN" nat-traversal udp-checksum
set ike gateway "Remote_Dialup_VPN" nat-traversal keepalive-frequency 20
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set vpn "Remote_Dialup_VPN" gateway "Remote_Dialup_VPN" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-des-sha" "nopfs-esp-des-md5"
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_Dialup_VPN" dscp-mark 0
set vpn "Remote_Dialup_VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 255.255.255.255/32 "ANY"
set address "VPN" "Dialup_IPPool" 10.10.40.0 255.255.255.0
set ippool "IPPool" 10.10.40.2 10.10.40.254
&&
set interface "tunnel.3" zone "VPN"
set interface tunnel.3 ip unnumbered interface ethernet0/3
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_VPN_to_DMZ" id 0x9 bind interface tunnel.3
set route 10.10.40.0/24 interface tunnel.3 permanent
&&
set auth-server "AD_Radius" account-type l2tp xauth
set user-group "VPN.Users" type l2tp xauth
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set xauth lifetime 30
set xauth default ippool "IPPool"
set xauth default dns1 192.168.10.1
set xauth default dns2 192.168.10.2
set xauth default wins1 192.168.10.1
set xauth default wins2 192.168.10.2
set xauth default auth server "AD_Radius"
set xauth default accounting server "AD_Radius"
===SNIP===

Now the problem we have is that very often systems can't remain connected for more than a few seconds, while other users can be stable as a rock. This is despite both systems having identical configurations with either the Shrew client or the Juniper VPN client. One thing that I do see is a huge number of replay packets detected in the error logs. Does that have something to do with it? Moving forward, has anyone experienced similar problems in the past, and what did they do to resolve them? I have been unable to identify any single problem, as every time I connect I am able to stay online for days without being disconnected. Any feedback would be really appreciated.

Regards,
Jimmy Stewpot.

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
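The proposal lists in the configuration above are worth auditing as part of any stability investigation, since a negotiation that lands on a cipher or hash one client lacks is a common source of "works for one user, not another" behaviour. The following script is an added example (not from the post and not a Juniper tool): it parses ScreenOS `set ike gateway ... proposal` and `set vpn ... proposal` lines and flags proposals using DES/3DES, MD5, or no PFS. The assumed proposal-name layout (auth-group-cipher-hash for Phase 1, pfs-esp-cipher-hash for Phase 2) and the weakness classification are the example's own; the two configuration lines embedded below are copied from the post as sample input.

```python
"""Audit the IKE and IPsec proposals in a ScreenOS 'set' configuration.

Added example, not part of the original post or of any Juniper tool. It
reads lines in the form the post shows ('set ike gateway ... proposal ...'
and 'set vpn ... proposal ...'), splits each proposal name into its
components and flags DES/3DES, MD5 and the absence of PFS. The assumed
proposal-name layout (auth-group-cipher-hash for Phase 1, pfs-esp-cipher-hash
for Phase 2) and the weakness classification are this example's own.
"""
import shlex

# Constructed sample: the two proposal-bearing lines from the post.
SAMPLE_CONFIG = '''
set ike gateway "Remote_Dialup_VPN" dialup "Dialup_VPN_Group" Aggr outgoing-interface "ethernet0/3" preshare "" proposal "pre-g2-3des-md5" "pre-g2-3des-sha" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set vpn "Remote_Dialup_VPN" gateway "Remote_Dialup_VPN" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-md5" "nopfs-esp-des-sha" "nopfs-esp-des-md5"
'''

WEAK_CIPHERS = {"des", "3des"}   # 56-bit DES and 64-bit-block 3DES
WEAK_HASHES = {"md5"}


def parse_proposals(config_text):
    """Map (kind, name) -> list of proposal names for IKE gateways and VPNs."""
    result = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)          # respects the quoted names
        if len(tokens) < 4 or tokens[0] != "set" or "proposal" not in tokens:
            continue
        if tokens[1] == "ike" and tokens[2] == "gateway":
            key = ("ike", tokens[3])         # Phase 1 proposals
        elif tokens[1] == "vpn":
            key = ("ipsec", tokens[2])       # Phase 2 proposals
        else:
            continue
        result[key] = tokens[tokens.index("proposal") + 1:]
    return result


def classify(proposal):
    """Return the list of findings for one proposal name (empty if none)."""
    parts = proposal.lower().split("-")
    findings = []
    if parts[0] == "nopfs":
        findings.append("no PFS")
    for part in parts:
        if part in WEAK_CIPHERS:
            findings.append("weak cipher " + part)
        if part in WEAK_HASHES:
            findings.append("weak hash " + part)
    return findings


def audit(config_text):
    """Map (kind, name) -> {proposal: findings}, keeping only flagged proposals."""
    report = {}
    for key, proposals in parse_proposals(config_text).items():
        flagged = {}
        for proposal in proposals:
            findings = classify(proposal)
            if findings:
                flagged[proposal] = findings
        report[key] = flagged
    return report


if __name__ == "__main__":
    for (kind, name), flagged in audit(SAMPLE_CONFIG).items():
        for proposal, findings in flagged.items():
            print(f"{kind} {name}: {proposal}: {', '.join(findings)}")
```

Run against the sample, only `pre-g2-aes128-sha` passes on the Phase 1 side, and every Phase 2 proposal is flagged because all four are `nopfs-` and use DES or 3DES. Trimming the list to the proposals the clients actually support also makes the Phase 1/2 negotiation deterministic, which removes one variable when comparing a stable client against an unstable one.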
[j-nsp] Windows XP L2TP/IPSEC vpn without certificates
Hello, I am looking around at getting the native client within XP, Vista and Windows 7 to work when connecting to a Juniper SSG 140. Currently all the documentation and examples that I have found on the Internet seem to suggest that it only works with certificates. Is there a good how-to guide which tells me how to configure L2TP without certificates? Specifically, I would love to be able to use RADIUS/user password authentication for the VPN.

Regards,
Jimmy Stewpot.
[j-nsp] SSG 140 WebVPN
Hello, I have attempted to set up a WebVPN (SSL VPN) on the SSG that we have. Unfortunately it appears as though we can only set it up on an external VIP? Is that correct? We only get assigned a single external address, so we can't use a different IP. Is there a way to allow us to have WebVPN on the standard external public IP?

Regards,
Jimmy Stewpot.
[j-nsp] SSG 140 Software
Hi All, I am interested to know if anyone can provide me with what the latest version of software is for the SSG140.

Regards,
Jimmy.
[j-nsp] JunOS temperature readings
Hello, I am currently looking into an issue where we are getting temperature alerts on a variety of different JunOS devices within one of our facilities. Unfortunately, when I go to track down the changes, all the switches are running at under 40C, which is within the thresholds, yet we still get alerts.

jstew...@junos Switch> show chassis temperature-thresholds
                                 Fan speed     Yellow alarm     Red alarm
Item                             Normal  High  Normal  Bad fan  Normal  Bad fan
FPC 0 CPU                            60    70      80       70      95       85
FPC 0 EX-PFE1                        60    70      80       70      95       85
FPC 0 EX-PFE2                        60    70      80       70      95       85
FPC 0 EX-PFE3                        60    70      80       70      95       85
FPC 0 GEPHY Front Left               60    70      80       70      95       85
FPC 0 GEPHY Front Middle             60    70      80       70      95       85
FPC 0 GEPHY Front Right              60    70      80       70      95       85
FPC 0 Uplink Conn                    60    70      80       70      95       85

{master:0}
jstew...@junos Switch> show chassis environment
Class Item                           Status     Measurement
Power FPC 0 Power Supply 0           OK
      FPC 0 Power Supply 1           OK
Temp  FPC 0 CPU                      OK         38 degrees C / 100 degrees F
      FPC 0 EX-PFE1                  OK         39 degrees C / 102 degrees F
      FPC 0 EX-PFE2                  OK         50 degrees C / 122 degrees F
      FPC 0 EX-PFE3                  OK         45 degrees C / 113 degrees F
      FPC 0 GEPHY Front Left         OK         20 degrees C / 68 degrees F
      FPC 0 GEPHY Front Middle       OK         27 degrees C / 80 degrees F
      FPC 0 GEPHY Front Right        OK         29 degrees C / 84 degrees F
      FPC 0 Uplink Conn              OK         28 degrees C / 82 degrees F
Fans  FPC 0 Fan 1                    OK         Spinning at normal speed
      FPC 0 Fan 2                    OK         Spinning at normal speed
      FPC 0 Fan 3                    OK         Spinning at normal speed

{master:0}
jstew...@junos Switch> show chassis alarms
No alarms currently active

I am interested to know if anyone has anything similar? Also, is it possible to set the thresholds?

Regards,
Jimmy Stewpot
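When an external monitor raises temperature alerts that the switch itself does not, the quickest check is to evaluate the measured values against the thresholds the box reports, taking the fan state into account, since the yellow and red columns differ between a normal and a bad fan. The script below is an added example (not from the post): it parses the two command outputs quoted above and returns, per sensor, the alarm level the measurement would reach. Treating a reading equal to a threshold as reaching it is this example's assumption; the embedded sample text is a constructed copy of the post's output.

```python
"""Evaluate Junos chassis temperatures against the switch's own thresholds.

Added example, not from the original post. It parses the two command
outputs quoted in the post ('show chassis temperature-thresholds' and
'show chassis environment') and reports, per sensor, which alarm level a
measurement would reach. Which threshold column applies depends on the
fan state, so the fan lines are read too. Treating a measurement equal
to a threshold as reaching it is this example's assumption; the sample
text is a constructed copy of the post's output.
"""
import re

THRESHOLDS_TEXT = """\
                                 Fan speed     Yellow alarm     Red alarm
Item                             Normal  High  Normal  Bad fan  Normal  Bad fan
FPC 0 CPU                            60    70      80       70      95       85
FPC 0 EX-PFE1                        60    70      80       70      95       85
FPC 0 EX-PFE2                        60    70      80       70      95       85
FPC 0 EX-PFE3                        60    70      80       70      95       85
FPC 0 GEPHY Front Left               60    70      80       70      95       85
FPC 0 GEPHY Front Middle             60    70      80       70      95       85
FPC 0 GEPHY Front Right              60    70      80       70      95       85
FPC 0 Uplink Conn                    60    70      80       70      95       85
"""

ENVIRONMENT_TEXT = """\
Class Item                           Status     Measurement
Power FPC 0 Power Supply 0           OK
      FPC 0 Power Supply 1           OK
Temp  FPC 0 CPU                      OK         38 degrees C / 100 degrees F
      FPC 0 EX-PFE1                  OK         39 degrees C / 102 degrees F
      FPC 0 EX-PFE2                  OK         50 degrees C / 122 degrees F
      FPC 0 EX-PFE3                  OK         45 degrees C / 113 degrees F
      FPC 0 GEPHY Front Left         OK         20 degrees C / 68 degrees F
      FPC 0 GEPHY Front Middle       OK         27 degrees C / 80 degrees F
      FPC 0 GEPHY Front Right        OK         29 degrees C / 84 degrees F
      FPC 0 Uplink Conn              OK         28 degrees C / 82 degrees F
Fans  FPC 0 Fan 1                    OK         Spinning at normal speed
      FPC 0 Fan 2                    OK         Spinning at normal speed
      FPC 0 Fan 3                    OK         Spinning at normal speed
"""

# A threshold row: sensor name followed by the six numeric columns.
THRESHOLD_RE = re.compile(r"^(FPC \d+ .+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# A temperature row: sensor name, status word, then the Celsius reading.
TEMP_RE = re.compile(r"(FPC \d+ .+?)\s+\S+\s+(\d+) degrees C")
FAN_RE = re.compile(r"(FPC \d+ Fan \d+)\s+(\S+)")
COLUMNS = ("fan_normal", "fan_high", "yellow", "yellow_badfan", "red", "red_badfan")


def parse_thresholds(text):
    """Map sensor name -> dict of the six threshold columns (degrees C)."""
    out = {}
    for line in text.splitlines():
        m = THRESHOLD_RE.match(line)
        if m:
            out[m.group(1)] = dict(zip(COLUMNS, map(int, m.groups()[1:])))
    return out


def parse_environment(text):
    """Return (temperatures {sensor: degrees C}, fans_ok bool)."""
    temps, fans_ok = {}, True
    for line in text.splitlines():
        t = TEMP_RE.search(line)
        if t:
            temps[t.group(1)] = int(t.group(2))
            continue
        f = FAN_RE.search(line)
        if f and f.group(2) != "OK":
            fans_ok = False
    return temps, fans_ok


def alarm_level(temp_c, thresholds, fans_ok):
    """'red', 'yellow' or 'none' for one sensor, using the fan-state column."""
    red = thresholds["red" if fans_ok else "red_badfan"]
    yellow = thresholds["yellow" if fans_ok else "yellow_badfan"]
    if temp_c >= red:
        return "red"
    if temp_c >= yellow:
        return "yellow"
    return "none"


def evaluate(thresholds_text, environment_text):
    """Map sensor -> alarm level for every sensor present in both outputs."""
    thresholds = parse_thresholds(thresholds_text)
    temps, fans_ok = parse_environment(environment_text)
    return {s: alarm_level(t, thresholds[s], fans_ok)
            for s, t in temps.items() if s in thresholds}


if __name__ == "__main__":
    for sensor, level in evaluate(THRESHOLDS_TEXT, ENVIRONMENT_TEXT).items():
        print(f"{sensor}: {level}")
```

For the quoted output every sensor evaluates to `none`, which agrees with `show chassis alarms` reporting nothing active; an external alerting system that still fires is then using its own, lower thresholds rather than the chassis ones, and that is where to look next.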
[j-nsp] Diagnosing Policy Discards
Hello, I am working on an issue where we have some Policy Discards on an interface. I understand that Policy Discards are essentially anything that the Juniper does not understand. I guess this means things like HSRP etc. What I am interested to know is: is there a method to break down what those policy discards are? For example, see a log of the packet type/protocol type etc.? Here is the output of the JunOS commands with a 1 second interval:

show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485969, L3 incompletes: 21, L2 channel errors: 0,
show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485982, L3 incompletes: 21, L2 channel errors: 0,
show interfaces ge-3/3/0 extensive | match Policed
Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485998, L3 incompletes: 21, L2 channel errors: 0,

I understand that it's not fatal; however, it's causing some monitoring abnormalities which we would like to get to the bottom of, to clarify that there is nothing misconfigured etc. on the network. Any additional feedback would be much appreciated.

Regards,
Jimmy Stewpot.
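The three samples above show the Policed discards counter rising by 13 and then 16 in consecutive seconds while every other error counter stays flat, which is the kind of fact worth extracting automatically before chasing the cause. The script below is an added example (not from the post): it parses the `Errors: ...` line that `show interfaces <name> extensive | match Policed` prints, taken repeatedly at a fixed interval, and reports which counters are rising and at what rate. The three lines are copied from the post; the 1-second timestamps are constructed to match the interval the post describes.

```python
"""Per-second rates of Junos interface error counters from repeated samples.

Added example, not from the original post. It parses the 'Errors: ...'
line that 'show interfaces <name> extensive | match Policed' prints, taken
repeatedly at a fixed interval, and reports which counters are rising and
how fast, so a growing 'Policed discards' count can be separated from a
counter that is merely large but static. The three lines are the ones in
the post; the 1-second timestamps are constructed to match the interval
the post describes.
"""
import re

# Constructed samples: (seconds since first sample, counter line from the post).
SAMPLES = [
    (0, "Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485969, L3 incompletes: 21, L2 channel errors: 0,"),
    (1, "Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485982, L3 incompletes: 21, L2 channel errors: 0,"),
    (2, "Errors: 21, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 73485998, L3 incompletes: 21, L2 channel errors: 0,"),
]

# "Name: value" pairs; the name may contain spaces and digits (e.g. "L3 incompletes").
COUNTER_RE = re.compile(r"([A-Za-z0-9 ]+?):\s*(\d+)")


def parse_counters(line):
    """Map counter name -> integer value for one 'Errors: ...' line."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(line)}


def interval_deltas(samples, counter):
    """Increase of one counter between each pair of consecutive samples."""
    values = [parse_counters(line)[counter] for _, line in samples]
    return [b - a for a, b in zip(values, values[1:])]


def counter_rates(samples):
    """Map counter -> (total increase, increase per second) over the capture,
    listing only counters that actually rose."""
    (t0, first), (t1, last) = samples[0], samples[-1]
    start, end = parse_counters(first), parse_counters(last)
    elapsed = t1 - t0
    rates = {}
    for name, final in end.items():
        delta = final - start.get(name, final)
        if delta > 0:
            rates[name] = (delta, delta / elapsed)
    return rates


if __name__ == "__main__":
    for name, (total, per_second) in counter_rates(SAMPLES).items():
        print(f"{name}: +{total} over {SAMPLES[-1][0]} s ({per_second:.1f}/s), "
              f"per-interval {interval_deltas(SAMPLES, name)}")
```

Feeding it a longer capture (say, one sample every second for a few minutes) turns a "large number" into a rate and a shape: a steady trickle points at a periodic protocol the interface is not configured for, whereas bursts that line up with other events are easier to correlate with a packet capture taken at the same time.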