Re: [j-nsp] completely disable session (flow) in netscreen
Hi Tony,

I just put the two parameters

    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel prefer

into those 3 SSG boxes, but no luck there. I am re-reading all the documents and wish I could find something.

Regards,
-- Michel~

On Mon, Mar 8, 2010 at 4:43 AM, Tony Frank tony.fr...@ericsson.com wrote:
> Hi Michel,
>
> > I do have the following settings in my config that are related to flow, but I am not sure if there is something I am still missing...
>
> If you have not already tried, the command 'get flow' gives details of flow configuration. Some in particular:
>
>     set flow reverse-route clear-text prefer
>     set flow reverse-route tunnel prefer
>
> I believe the default is 'always' and that results in dropped packets if the return path is different. This should relax the route lookup rules when creating the session, which may help your scenario.
>
> Regards,
> Tony

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] completely disable session (flow) in netscreen
'Bow Tie' VPN

    SSG1          SSG2
     |  \        /  |
     |    \    /    |
     |      \/      |
     |      /\      |
     |    /    \    |
    ISG1----------ISG2

One more thing to consider is the 'bow-tie' effect. It is stated in (KB11915), where asymmetric routing breaks between remote VPN sites with multiple tunnels. If your network is similar in design to the bow-tie VPN, then you are more than likely running into this issue: where a host behind SSG1 would initiate traffic bound to a host in any of the other sites and the return path is not the preferred tunnel interface of SSG1, then it's gonna be dropped by the session firewall.

Warm Regards,
~Norman
Re: [j-nsp] completely disable session (flow) in netscreen
Hi Tim and Dan,

Unfortunately, upgrading to JUNOS will not be an option as I am using SSG5, 20, and 140 boxes; they are not like the SSG3xxm or 5xxm that can host JUNOS.

I do have the following settings in my config that are related to flow, but I am not sure if there is something I am still missing...

    unset flow no-tcp-seq-check
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    unset flow tcp-syn-check-in-tunnel

Also the policy is to permit all traffic between zones.

I put

    set zone trust asymmetric-vpn

into my config and performed the test again; I am able to establish a connection under the asymmetric route, but somehow there are still timeouts during traceroute where I expect to have a response from the SSG's interface IP.

My testing setup looks like this:

    [pc1]--[R1]--[ssg1]--VPN tunnel A--[ssg2]--[R2]--[pc2]
                   |                            |
                   +-----VPN tunnel B--[ssg3]---+

So the path from pc1 to pc2 is

    [pc1]-[Rt1]-[ssg1]-[tunA]-[ssg2]-[Rt2]-[pc2]

and the return path is

    [pc2]-[R2]-[ssg3]-[tunB]-[ssg1]-[R1]-[pc1]

where [R1] and [R2] are L3 switches (Cisco 3750G); all interfaces between devices are pure L3 interfaces.

When performing traceroute from pc1 to pc2, I expect to see a response on [R2] with the IP of the interface facing ssg2, but I got * (timeout). However, I am able to connect (telnet) from PC1 to PC2, and vice versa.

Thanks,
-- Michel~

On Sun, Mar 7, 2010 at 7:11 AM, Tim Eberhard xmi...@gmail.com wrote:
> To deal with asymmetric routing problems you can disable tcp-syn-checking. That will disable the stateful enforcement (and greatly weaken security of the box). I'd also ensure you disable syn-checking in the tunnel (since you're using ipsec tunnels).
>
> Beyond that, write your policy bi-directionally, ensuring any side can create the session, and that should fit your needs. Even if the session times out with syn-checking disabled and it's permitted by policy, it will be instantly recreated with the next packet.
>
> Hope this helps,
> -Tim Eberhard
>
> On Sat, Mar 6, 2010 at 3:34 AM, Michel de Nostredame d.nos...@gmail.com wrote:
> > Hi,
> >
> > The problem I encountered is that I am doing many route-based tunnels on many NetScreen boxes, and sometimes there will be asymmetric routes over tunnels and physical interfaces. Asymmetric paths in traditional routers / L3-switches will not be a problem, but in NetScreen that will cause session drops and/or traceroute timeouts, in my case.
> >
> > I am wondering if there is any way to *completely* disable the concept of sessions (or flows ...) in a NetScreen to make it act like a router.
> >
> > Thanks in advance.
> > -- Michel~
Re: [j-nsp] completely disable session (flow) in netscreen
Hi Michel,

> I do have the following settings in my config that are related to flow, but I am not sure if there is something I am still missing...

If you have not already tried, the command 'get flow' gives details of flow configuration. Some in particular:

    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel prefer

I believe the default is 'always' and that results in dropped packets if the return path is different. This should relax the route lookup rules when creating the session, which may help your scenario.

Regards,
Tony
Re: [j-nsp] completely disable session (flow) in netscreen
Just taking a stab...

... if they are SSG/J boxes, what about loading JUNOS onto them, which is not flow-based? We had the opportunity to do this with a pair of SSG 520M's. It entailed getting a separate flash card from Juniper with the JUNOS image that physically replaced the Netscreen image flashcard in the box.

Of course, if this were at all workable for you, it would entail a completely new configuration on your part, with you basically translating your Netscreen functionality into JUNOS. Not sure if that would even be worth it for you, but YMMV.

Dan
da...@appliedi.net

From: juniper-nsp-boun...@puck.nether.net [juniper-nsp-boun...@puck.nether.net] On Behalf Of Michel de Nostredame [d.nos...@gmail.com]
Sent: Saturday, March 06, 2010 4:34 AM
To: Juniper nsp
Subject: [j-nsp] completely disable session (flow) in netscreen

> Hi,
>
> The problem I encountered is that I am doing many route-based tunnels on many NetScreen boxes, and sometimes there will be asymmetric routes over tunnels and physical interfaces. Asymmetric paths in traditional routers / L3-switches will not be a problem, but in NetScreen that will cause session drops and/or traceroute timeouts, in my case.
>
> I am wondering if there is any way to *completely* disable the concept of sessions (or flows ...) in a NetScreen to make it act like a router.
>
> Thanks in advance.
> -- Michel~
Re: [j-nsp] completely disable session (flow) in netscreen
To deal with asymmetric routing problems you can disable tcp-syn-checking. That will disable the stateful enforcement (and greatly weaken security of the box). I'd also ensure you disable syn-checking in the tunnel (since you're using ipsec tunnels).

Beyond that, write your policy bi-directionally, ensuring any side can create the session, and that should fit your needs. Even if the session times out with syn-checking disabled and it's permitted by policy, it will be instantly recreated with the next packet.

Hope this helps,
-Tim Eberhard

On Sat, Mar 6, 2010 at 3:34 AM, Michel de Nostredame d.nos...@gmail.com wrote:
> Hi,
>
> The problem I encountered is that I am doing many route-based tunnels on many NetScreen boxes, and sometimes there will be asymmetric routes over tunnels and physical interfaces. Asymmetric paths in traditional routers / L3-switches will not be a problem, but in NetScreen that will cause session drops and/or traceroute timeouts, in my case.
>
> I am wondering if there is any way to *completely* disable the concept of sessions (or flows ...) in a NetScreen to make it act like a router.
>
> Thanks in advance.
> -- Michel~
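The two relaxations proposed in this thread (Tony's reverse-route 'prefer' instead of 'always', and Tim's disabling of tcp-syn-check) are easier to reason about with a toy session table in front of you. The following is an added example, not code from the thread or from Juniper: it models one SSG (ssg1 in Michel's topology) as a stateful forwarder with a session table, a reverse-path check and a SYN check. The addresses, interface names (ethernet0/0, tunnel.1, tunnel.2) and the exact semantics of the 'always'/'prefer' modes and of the SYN check are constructed simplifications for illustration, not ScreenOS's real implementation; the point is to show where the return packet over tunnel B is dropped and what each setting trades away.

```python
"""Toy flow-based firewall: why asymmetric VPN return traffic is dropped.

Added illustration, not ScreenOS code. 'always'/'prefer' and tcp_syn_check are
simplified models of the settings discussed in the thread (assumption).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool      # True for a TCP SYN, i.e. a session-initiating segment
    ingress: str   # interface the packet arrived on


@dataclass
class Session:
    initiator: Tuple[str, int]   # (src, sport) of the packet that created the session
    fwd_ingress: str             # interface the initiating packet arrived on
    fwd_egress: str              # interface the firewall routed it out of


class FlowFirewall:
    """Simplified session-based forwarder seen from one SSG (hypothetical model)."""

    def __init__(self, routes: Dict[str, str], reverse_route: str = "always",
                 tcp_syn_check: bool = True):
        self.routes = routes                # constructed host -> egress interface table
        self.reverse_route = reverse_route  # "always" (strict) or "prefer" (relaxed), assumed semantics
        self.tcp_syn_check = tcp_syn_check
        self.sessions: Dict[tuple, Session] = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Both directions of a connection map onto the same session entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def handle(self, pkt: Packet) -> str:
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            # No session yet: with syn-check on, only a SYN may create one.
            # With it off, any packet permitted by policy creates the session
            # (this is the "instantly recreated with the next packet" behaviour).
            if self.tcp_syn_check and not pkt.syn:
                return "drop: no session and tcp-syn-check enabled"
            egress = self.routes[pkt.dst]
            self.sessions[key] = Session((pkt.src, pkt.sport), pkt.ingress, egress)
            return f"forward via {egress} (session created)"
        # Existing session: which interface should this direction arrive on?
        is_forward = (pkt.src, pkt.sport) == sess.initiator
        expected = sess.fwd_ingress if is_forward else sess.fwd_egress
        if pkt.ingress != expected:
            if self.reverse_route == "always":
                # Strict reverse-path check: the asymmetric return is dropped.
                return f"drop: arrived on {pkt.ingress}, session expects {expected}"
            # "prefer": accept the asymmetric path and remember it for this session.
            if is_forward:
                sess.fwd_ingress = pkt.ingress
            else:
                sess.fwd_egress = pkt.ingress
        return f"forward via {self.routes[pkt.dst]}"

    def expire_all(self) -> None:
        """Model a session timeout (idle timeout or a cleared session table)."""
        self.sessions.clear()


def simulate(reverse_route: str, tcp_syn_check: bool) -> List[str]:
    """Replay Michel's topology from ssg1's point of view (constructed addresses)."""
    ssg1 = FlowFirewall(
        routes={"10.1.0.10": "ethernet0/0",   # pc1 behind R1
                "10.2.0.10": "tunnel.1"},      # pc2: preferred path is tunnel A to ssg2
        reverse_route=reverse_route, tcp_syn_check=tcp_syn_check)
    verdicts = []
    # 1. pc1 opens a telnet session to pc2; ssg1 sends the SYN down tunnel A.
    verdicts.append(ssg1.handle(Packet("10.1.0.10", "10.2.0.10", 40000, 23, True, "ethernet0/0")))
    # 2. The SYN-ACK returns via ssg3 and tunnel B, so it enters ssg1 on tunnel.2.
    verdicts.append(ssg1.handle(Packet("10.2.0.10", "10.1.0.10", 23, 40000, False, "tunnel.2")))
    # 3. The session later times out and a mid-stream data segment (no SYN) arrives from pc1.
    ssg1.expire_all()
    verdicts.append(ssg1.handle(Packet("10.1.0.10", "10.2.0.10", 40000, 23, False, "ethernet0/0")))
    return verdicts


if __name__ == "__main__":
    for mode, syn_check in (("always", True), ("prefer", True), ("prefer", False)):
        print(f"reverse-route={mode}, tcp-syn-check={syn_check}")
        for v in simulate(mode, syn_check):
            print("   ", v)
```

Running it shows the three regimes side by side: with the strict defaults the SYN-ACK arriving on tunnel.2 is dropped and the post-timeout data segment is dropped too; 'prefer' alone lets the asymmetric return through but still loses the flow after a timeout; disabling the SYN check lets any packet rebuild the session, which is exactly the stateful enforcement Tim warns you are giving up.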