[nsp] HSRP and Netscreen Firewalls

Ian Terry ijt at evasam.com
Fri Jan 10 16:20:00 EST 2003


Steve,

Thanks for the information - I am kind of concerned that the customer
isn't aware of this but also concerned at the "hidden commands". 

I have checked either end of the Firewall connection and run debug on
the routers - they definitely do not see traffic when traversing the
firewall. I believe it is going to be a ScreenOS software level thing -
I found a document referring to multicast policies for 4.0 and above. 

I will get the customer to check NSKB792 as well. Many thanks again for
your help.

Regards, Ian

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: 10 January 2003 16:07
To: 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls


Hi Ian,
One quick way to check is to watch the flow logs (assuming you are
logging all dropped traffic) and go from there.  Additionally, snoop can
be quite helpful on the firewall if necessary.  See: snoop, dbuf, and
console.

http://www.qorbit.net/documents/screenos-hidden-commands.pdf
http://www.qorbit.net/documents/screenos-hidden-commands.htm

If necessary, you might try upgrading to 3.1.0r10 in the 3.x train or
4.0.0r8 in the 4.x train.  I don't know that it is entirely required,
though some bugs have been in there related to multicast. 

According to nskb792 you need to have a policy to allow OSPF to pass so
I would presume the same would be necessary here.  Since you are using
3.0 the KB ID says you can't be using a DMZ (requires 3.1 and above).  

-- steve

-----Original Message-----
From: Ian Terry [mailto:ijt at evasam.com] 
Sent: Friday, January 10, 2003 9:56 AM
To: 'Stephen Gill'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls

Hi Stephen,

I am informed that ScreenOS 3.0 is being utilised - I believe there is a
later release, is this required?

I assume the policy relates to the HSRP multicast address? If so,
Netscreen informed the customer that a policy would not be required - it
seemed odd to me at the time, as a Firewall would let a multicast
through!

Regards, Ian

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: 10 January 2003 15:42
To: 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls


Also make sure 'set arp always' is enabled - key for HSRP environments.

-- steve

-----Original Message-----
From: Stephen Gill [mailto:gillsr at yahoo.com] 
Sent: Friday, January 10, 2003 9:40 AM
To: 'Ian Terry'; 'cisco-nsp at puck.nether.net'
Subject: RE: [nsp] HSRP and Netscreen Firewalls

A few things you might wish to check:

1.  Check what OS version you are running.  May require an upgrade.
2.  Ensure that 'set flow mac-flooding' is enabled.
3.  Ensure that you have created a policy that matches the traffic to
allow it through.

-- steve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian Terry
Sent: Friday, January 10, 2003 9:06 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] HSRP and Netscreen Firewalls

Hello, 

We have a customer who has dual peering links with two different
providers that are maintained via Cisco 7500 routers.

Behind the routers the customer has Netscreen Firewalls that are
configured to operate in transparent mode.

The routers are running HSRP and unfortunately the multicasting of HSRP
does not appear to be allowed through the Firewall - even though
Netscreen claim that it should. If the Firewall is removed, then HSRP
works fine. 

Does anybody have any experiences similar to this? 

regards, Ian

tel:   44 (0)7970 499187
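An added example, not from any participant in the thread and not Cisco or Netscreen code: a decoder for the HSRPv1 hello format (RFC 2281 layout, sent to 224.0.0.2 on UDP 1985), plus the comparison Ian describes doing with router debug, i.e. which routers' hellos are seen on the near side of the transparent firewall but never on the far side. The "capture" tuples, the 192.0.2.x router addresses, the virtual IP and the sample hellos are all constructed for the example; a real run would feed it payloads pulled from tcpdump or the ScreenOS snoop buffer Steve mentions. One caveat the thread does not spell out: HSRPv1 authentication is an 8-byte plaintext string (default "cisco"), so the decoder reads it straight out of the packet. A permit policy on the firewall only decides whether hellos get across; it does nothing about anyone on the segment forging a higher-priority hello.

```python
"""HSRPv1 hello decoder and near/far-side capture comparison (RFC 2281 layout)."""
import struct
from dataclasses import dataclass

HSRP_GROUP_ADDR = "224.0.0.2"   # all-routers multicast, HSRPv1 destination
HSRP_UDP_PORT = 1985

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# 8-byte authdata, 4-byte virtual IP: 20 bytes in total
HDR = struct.Struct("!BBBBBBBB8s4s")


@dataclass
class HsrpHello:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    authdata: str
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpHello:
    """Decode one UDP payload as an HSRPv1 packet; raise ValueError if it is not one."""
    if len(payload) < HDR.size:
        raise ValueError(f"HSRP payload too short: {len(payload)} bytes, need {HDR.size}")
    ver, op, st, hello, hold, prio, grp, _res, auth, vip = HDR.unpack_from(payload)
    if ver != 0:
        raise ValueError(f"not an HSRPv1 packet (version field {ver})")
    return HsrpHello(
        version=ver,
        opcode=OPCODES.get(op, f"unknown({op})"),
        state=STATES.get(st, f"unknown({st})"),
        hellotime=hello, holdtime=hold, priority=prio, group=grp,
        authdata=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=".".join(str(b) for b in vip),
    )


def build_hsrp(opcode, state, priority, group, auth=b"cisco",
               vip="10.0.0.1", hellotime=3, holdtime=10) -> bytes:
    """Build an HSRPv1 payload (used here only to construct sample captures)."""
    vip_bytes = bytes(int(o) for o in vip.split("."))
    return HDR.pack(0, opcode, state, hellotime, holdtime, priority, group, 0,
                    auth.ljust(8, b"\x00"), vip_bytes)


def hsrp_hellos(capture):
    """Yield (src_ip, HsrpHello) for the HSRP packets in a list of
    (src_ip, dst_ip, dst_udp_port, payload) tuples."""
    for src, dst, dport, payload in capture:
        if dst == HSRP_GROUP_ADDR and dport == HSRP_UDP_PORT:
            yield src, parse_hsrp(payload)


def missing_hellos(near, far):
    """(src_ip, group) pairs whose hellos appear on the near side of the firewall
    but never on the far side: these are the speakers the firewall is eating."""
    seen_near = {(src, h.group) for src, h in hsrp_hellos(near)}
    seen_far = {(src, h.group) for src, h in hsrp_hellos(far)}
    return sorted(seen_near - seen_far)


def plaintext_auth_in_use(capture):
    """Auth strings visible in the capture; HSRPv1 sends them in the clear."""
    return {h.authdata for _, h in hsrp_hellos(capture)}


def sample_captures():
    """Constructed sample data, not a real capture: router side and far side
    of the transparent firewall. Only one router's hellos make it across."""
    inside = [
        ("192.0.2.2", HSRP_GROUP_ADDR, HSRP_UDP_PORT, build_hsrp(0, 16, 110, 1)),
        ("192.0.2.3", HSRP_GROUP_ADDR, HSRP_UDP_PORT, build_hsrp(0, 8, 100, 1)),
        ("192.0.2.2", "192.0.2.9", 53, b"not hsrp at all"),   # unrelated traffic
    ]
    outside = [
        ("192.0.2.2", HSRP_GROUP_ADDR, HSRP_UDP_PORT, build_hsrp(0, 16, 110, 1)),
    ]
    return inside, outside


if __name__ == "__main__":
    inside, outside = sample_captures()
    for src, h in hsrp_hellos(inside):
        print(f"{src}: group {h.group} {h.state} prio {h.priority} vip {h.virtual_ip} auth {h.authdata!r}")
    print("dropped by firewall:", missing_hellos(inside, outside))
    print("plaintext auth strings seen:", plaintext_auth_in_use(inside))
```

The comparison is deliberately keyed on (source, group) rather than on packet counts, because HSRP re-sends hellos every hellotime seconds and the two captures will never line up packet for packet; what matters for failover is whether the far side sees a given speaker at all within holdtime.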

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/