[nsp] HSRP and Netscreen Firewalls

Stephen Gill gillsr at yahoo.com
Fri Jan 10 10:21:30 EST 2003


Hi Ian,
The ones I mentioned were just a start to check why the packet might be
dropped on the NS after looking at the logs and debugs.  Debug on the NS
may tell you why the packet is being dropped (debug flow basic).

Not much cause to be concerned at the 'hidden commands'.  Most of them
are there for troubleshooting purposes but as the doc states it tries to
stick with categories 1, 2, and 4.

1.  It is brand new and is still being tested for effectiveness and
functionality.

2.  The command is custom made to solve a particular customer problem
that may have been brought into mainline code without notifying Tech
Pubs. 

3.  It is a legacy command that remains for backward compatibility.  Its
use may be deprecated in favor of a newer command or syntax.  

4.  It is an engineering command that is designed for experts or
internal use only.  

Cheers,
-- steve
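Added example (not from the thread, nor from Netscreen or Cisco): a small
HSRPv1 encoder/decoder plus a toy policy lookup. It lets you decode the UDP
payload a sniffer (snoop, tcpdump) shows on either side of the firewall and
confirm it is a well-formed HSRP hello, and it shows why the traffic is
dropped when no policy matches it. The packet layout and the UDP/1985 to
224.0.0.2 addressing come from RFC 2281; the policy table and its zone names
are hypothetical and only stand in for a real firewall's policy set.

```python
"""HSRPv1 hello encode/decode and a toy policy check (added example)."""
import ipaddress
import struct

HSRP_MCAST = ipaddress.IPv4Address("224.0.0.2")  # all-routers group used by HSRPv1
HSRP_PORT = 1985                                 # UDP port for HSRPv1 (RFC 2281)

# RFC 2281 layout: version, opcode, state, hellotime, holdtime, priority,
# group, reserved (one byte each), 8 bytes of authentication data and the
# 4-byte virtual IP.  Network byte order, 20 bytes in total.
_HSRP_FMT = "!8B8s4s"
HSRP_LEN = struct.calcsize(_HSRP_FMT)
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def build_hsrp_hello(group, priority, virtual_ip, state=16, hellotime=3,
                     holdtime=10, auth=b"cisco"):
    """Encode an HSRPv1 hello.  Defaults mirror the RFC's defaults
    (hello 3 s, hold 10 s, authentication string "cisco")."""
    auth = auth[:8].ljust(8, b"\x00")
    return struct.pack(_HSRP_FMT, 0, 0, state, hellotime, holdtime, priority,
                       group, 0, auth, ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp(payload):
    """Decode an HSRPv1 payload (the UDP data a sniffer shows)."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRP payload too short: %d bytes" % len(payload))
    (version, opcode, state, hellotime, holdtime, priority, group, _reserved,
     auth, vip) = struct.unpack(_HSRP_FMT, payload[:HSRP_LEN])
    if version != 0:
        raise ValueError("not HSRPv1 (version %d)" % version)
    return {
        "opcode": OPCODES.get(opcode, "unknown(%d)" % opcode),
        "state": STATES.get(state, "unknown(%d)" % state),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        # HSRPv1 carries its authentication string in the clear, so anyone
        # able to sniff the segment (or the firewall's snoop buffer) sees it.
        "auth": auth.rstrip(b"\x00"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def is_hsrp(dst_ip, proto, dport):
    """True when a (destination IP, protocol, destination port) tuple is HSRPv1."""
    return (proto == "udp" and dport == HSRP_PORT
            and ipaddress.IPv4Address(dst_ip) == HSRP_MCAST)


def policy_action(rules, from_zone, to_zone, dst_ip, proto, dport):
    """Hypothetical first-match policy table.  Each rule is
    (from_zone, to_zone, dst_network, proto, dport, action); "any" is a
    wildcard.  Traffic that matches no rule is dropped, which is the
    behaviour the thread is chasing: without an explicit permit for
    udp/1985 to 224.0.0.2 the HSRP hellos never cross the firewall."""
    dst = ipaddress.IPv4Address(dst_ip)
    for r_from, r_to, r_dst, r_proto, r_port, action in rules:
        if r_from not in ("any", from_zone) or r_to not in ("any", to_zone):
            continue
        if r_dst != "any" and dst not in ipaddress.ip_network(r_dst):
            continue
        if r_proto not in ("any", proto) or r_port not in ("any", dport):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed hello from a router claiming the active role for group 1.
    pkt = build_hsrp_hello(group=1, priority=110, virtual_ip="192.0.2.1")
    print(parse_hsrp(pkt))
    only_web = [("V1-Trust", "V1-Untrust", "198.51.100.0/24", "tcp", 80, "permit")]
    with_hsrp = [("any", "any", "224.0.0.2/32", "udp", 1985, "permit")] + only_web
    for rules in (only_web, with_hsrp):
        print(policy_action(rules, "V1-Trust", "V1-Untrust", "224.0.0.2", "udp", 1985))
```

Feed `parse_hsrp` the raw UDP payload captured on each side of the firewall:
if the hello decodes on the inside interface and never appears on the outside
one, the box is dropping it, and the policy lookup shows the usual reason.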

-----Original Message-----
From: Ian Terry [mailto:ijt at evasam.com] 
Sent: Friday, January 10, 2003 10:20 AM
To: 'Stephen Gill'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls

Steve,

Thanks for the information - I am kind of concerned that the customer
isn't aware of this but also concerned at the "hidden commands". 

I have checked either end of the Firewall connection and run debug on
the routers - they definitely do not see traffic when traversing the
firewall. I believe it is going to be a ScreenOS software level thing -
I found a document referring to multicast policies for 4.0 and above.

I will get the customer to check NSKB792 as well. Many thanks again for
your help.

Regards, Ian

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: 10 January 2003 16:07
To: 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls


Hi Ian,
One quick way to check is to watch the flow logs (assuming you are
logging all dropped traffic) and go from there.  Additionally, snoop can
be quite helpful on the firewall if necessary.  See: snoop, dbuf, and
console.

http://www.qorbit.net/documents/screenos-hidden-commands.pdf
http://www.qorbit.net/documents/screenos-hidden-commands.htm

If necessary, you might try upgrading to and playing with 3.1.0r10 in the
3.x train or 4.0.0r8 in the 4.x train.  I don't know that it is entirely
required, though some bugs have been in there related to multicast.

According to nskb792 you need to have a policy to allow OSPF to pass so
I would presume the same would be necessary here.  Since you are using
3.0 the KB ID says you can't be using a DMZ (requires 3.1 and above).  

-- steve

-----Original Message-----
From: Ian Terry [mailto:ijt at evasam.com] 
Sent: Friday, January 10, 2003 9:56 AM
To: 'Stephen Gill'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls

Hi Stephen,

I am informed that ScreenOS 3.0 is being utilised - I believe there is a
later release, is this required?

I assume the policy relates to the HSRP multicast address? If so,
Netscreen informed the customer that a policy would not be required - it
seemed odd to me at the time that a firewall would let a multicast
through!

Regards, Ian

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: 10 January 2003 15:42
To: 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls


Also make sure 'set arp always' is enabled - key for HSRP environments.

-- steve

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: Friday, January 10, 2003 9:40 AM
To: 'Ian Terry'; 'cisco-nsp at puck.nether.net'
Subject: RE: [nsp] HSRP and Netscreen Firewalls

A few things you might wish to check:

1.  Check what OS version you are running.  May require an upgrade.

2.  Ensure that 'set flow mac-flooding' is enabled.

3.  Ensure that you have created a policy that matches the traffic to
allow it through.

-- steve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian Terry
Sent: Friday, January 10, 2003 9:06 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] HSRP and Netscreen Firewalls

Hello, 

We have a customer who has dual peering links with two different
providers that are maintained via Cisco 7500 routers.

Behind the routers the customer has Netscreen Firewalls that are
configured to operate in transparent mode.

The routers are running HSRP and unfortunately the multicasting of HSRP
does not appear to be allowed through the Firewall - even though
Netscreen claim that it should. If the Firewall is removed, then HSRP
works fine. 

Does anybody have any experiences similar to this?

regards, Ian

tel:   44 (0)7970 499187

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/